The Washington Post

Evernote hacked; millions must change passwords

Millions of Evernote users were told to reset their passwords following a hack on Saturday. This photo illustration shows hands typing on a computer keyboard on Wednesday, Feb. 27, 2013. (Damian Dovarganes/AP)

Evernote, the productivity service that allows people to take notes, clip articles and view them on a range of devices, told users that it had been hacked Saturday. As a result of the hack, which the company said leaked user e-mails and encrypted passwords, the company decided to reset the passwords of its entire userbase — estimated to be around 50 million.

In a company blog post, Evernote said that it had no evidence that the attackers accessed any of the payment information it stores for its paid business and premium services, or that any of the content on its service was “accessed, changed or lost.”

Users of Penultimate, a notebook app that was purchased by Evernote last year, were also asked to reset their passwords.

Evernote didn’t say in its unsigned company blog post whether it had any leads on who had hacked the service, but did note that these high-profile hacks are becoming “more common,” referring to attacks on services such as Facebook, Twitter and Tumblr.

The company had some basic recommendations for those who are resetting their passwords, offering a few common tips that folks are probably all too familiar with after dealing with other data breaches.

Users should try to come up with complex passwords that aren’t based on dictionary words — or simple strings of numbers such as “12345” — and should also try to use different passwords for each of their online services. This can be difficult, and if you have trouble remembering that volume of passwords, you may want to consider using password management software such as 1Password, LastPass or KeePass to keep it all straight for you.

Evernote also recommended that users be on the lookout for e-mails posing as its customer support service, suggesting users “never click on ‘reset password’ requests in e-mails.” Instead, the service recommends that people go straight to the service’s site itself to deal with password changes in case users get redirected to a mocked-up page from the e-mail and are tricked into giving up personal information.


Hayley Tsukayama covers consumer technology for The Washington Post.


