Evernote hacked, how respond to yet another data breach?

Another noisy attack has alerted IT community, online note service Evernote is the latest firm to get hacked. The company provides the popular service to around 50 million users,  the attackers accessed data of some users such as usernames, passwords and email addresses. Actually there is no evidence that contents in Everynote have been accessed or modified, neither that any payment information for Premium and Business accounts has been disclosed. As a precaution measures the company decided to implement a password reset and has release a security advisory in which explained that its security team detected a coordinated attack to Violate its services.

“Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service. As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions. In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed. The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption.”

  How to manage data breach like this ? We must distinguish two aspects, company incident response procedure and client countermeasures.  Hacked businesses have to immediately start investigation, adopting any countermeasures if the attack is still ongoing. Law enforcement and business partners must be immediately informed and it must be decided time and mode to public disclose the news without interfering with investigation and preserving users security. This is a critical phase, user’s information security is highest priority but in many case it collides with company need to preserve its reputation. Recent incident to Apple, Microsoft and Facebook are in my opinion good example of incident management despite probably users will never  know the entity of the attacks and its amplitude in term of data stolen. From client point of view the suggestions provided by Evernote company are very precious to ensure that its data on any site, including Evernote, is secure:

• Avoid using simple passwords based on dictionary words
• Never use the same password on multiple sites or services
• Never click on ‘reset password’ requests in emails instead go directly to the service

The incidents occurred raised a speculation that Chinese cyber units are conducting an aggressive cyber espionage campaign against governments, IT firms and industry to steal secrets and intellectual properties. It’s seems that the attacks against Evernote has many similarities with other recent hacks, Evernote representative reported to CNet editorial staff that the breach of the company’s systems “follows a similar pattern of the many high profile attacks on other Internet-based companies that have taken place over the last several weeks.” The statement suggests that also in this case the attackers have exploited a zero-day vulnerability in popular software such as Oracle Java framework, the frequency of these type of hacks is becoming very concerning, security experts suggest to disable any plug-in from popular browser if not necessary needed. Let’s wait which company from the ones hacked will provide further information on possible origin of cyber attacks revealing if all recent incidents are correlated and if they are opera of a single state sponsored strategy.

Pierluigi Paganini

(Security Affairs – Hacking)