Evernote, the popular note taking service, announced today that they were breached by an adversary. I read through their announcement and found myself with a few questions.
From Evernote Blog:
The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords.
OK, understood. My question to that point is, how did they manage to gain access? Will we there be more information forthcoming? No doubt law enforcement has been pulled into the mix which will make for interesting disclosure issues. What was the point of origin? Was it an internal or external threat? I did notice in the breach notification email that I received there was this passage,
As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content.
Is the implication here that this was due to the Java 0-day problem that is making the rounds? Lots of head scratching the more I think about this.
I’m suspecting that we may see an email phishing campaign shortly based on the assumption that only the passwords were protected. The part of the announcement that leads me to think that this may have been the attack vector is this passage,
Never click on ‘reset password’ requests in emails — instead go directly to the service
Did an unfortunate soul on staff at Evernote get phished? Inquiring minds want to know.
Another oddity is that Evernote wants people to upgrade iOS apps that “addresses a security issue that requires you to reset your password”.
Wait, what?
Also, the other curiousity comes in the Verge’s article that notes that the attack was detected on Feb 28. The password reset was issued on Mar 2. I’m going to go out on a limb with the thought that this was due to the Evernote team trying to get to the root of the issue. Either way, kudos to the Evernote team for a quick response.
If the attacker could gain access to the aforementioned information what is the level of confidence that nothing else was accessed?
In for a penny in for a pound?
Note: Email sent to Evernote for further comment on the aforementioned.
