Evernote, the productivity service that allows people to take notes, clip articles and view them on a range of devices, told users that it had been hacked Saturday. As a result of the hack, which the company said leaked user e-mails and encrypted passwords, the company decided to reset the passwords of its entire userbase — estimated to be around 50 million.
In a company blog post, Evernote said that it had no evidence that the attackers accessed any of the payment information it stores for its paid business and premium services, or that any of the content on its service was “accessed, changed or lost.”
Users of Penultimate, a notebook app that was purchased by Evernote last year, were also asked to reset their passwords.
Evernote didn’t say in its unsigned company blog post whether it had any leads on who had hacked the service, but did note that these high-profile hacks are becoming “more common,” referring to attacks on services such as Facebook, Twitter and Tumblr.
The company had some basic recommendations for those who are resetting their passwords, offering a few common tips that folks are probably all too familiar with after dealing with other data breaches.
Users should try to come up with complex passwords that aren’t based on dictionary words — or simple strings of numbers such as “12345” — and should also try to use different passwords for each of their online services. This can be difficult, and if you have trouble remembering that volume of passwords, you may want to consider using password management software such as 1Password, LastPass or KeePass to keep it all straight for you.
Evernote also recommended that users be on the lookout for e-mails posing as its customer support service, suggesting “never click on ‘reset password’ requests in e-mails.” Instead, the service recommends that people go straight to the service’s site itself to deal with password changes in case users get redirected to a mocked-up page from the e-mail and are tricked into giving up personal information.