Evernote Breaks Own Security Rule in Data-Breach Email
CREDIT: Evernote Corporation
An elephant never forgets, unless it's the one in Evernote's logo.
Evernote, the cloud-based note-taking and archiving service based in Redwood City, Calif., this weekend became the latest company to suffer a data breach resulting in the loss of customer information — including user names, email addresses and encrypted passwords.
The company handled the breach well at first. Evernote sent an email to its estimated 50 million registered users explaining the situation, notifying users it had reset their passwords and informing them that it had been using fairly strong password encryption.
Wisely, it also reminded customers to "Never click on 'reset password' requests in emails — instead go directly to the service."
Not so wisely, Evernote then blew it. It included a password-reset link inside that very same alert email.
Even worse, the link didn't point to the Evernote website, but to an entirely different domain at "links.evernote.mkt5371.com".
In other words, there's no way a user could have been able to tell whether the message was a real breach-notification email from Evernote, or instead part of a phishing scam designed to capture passwords.
"Are people getting fake Evernote password reset emails?" asked Veracode security specialist Chris Eng on Twitter.
A tech-savvy but suspicious user would immediately check the email headers, information that's usually hidden but reveals an email message's origin.
In this reporter's case, the sender's return path was "firstname.lastname@example.org." That's not very reassuring.
Thankfully, that dodgy-looking email address and link are indeed genuine.
Graham Cluley of the British security firm Sophos explained that both are owned by Silverpop, an Atlanta digital-marketing firm that Evernote appears to have hired to handle its mass emails.
"That's a technique commonly used in a normal marketing email communications," Cluley said, "but looks very out of place in an email about a security breach which tries to hammer home the point" about never clicking on links in unsolicited emails.
The link in the notification email takes you straight to the Evernote front page, where there's a banner that reads: "If you received a password reset notification, please click here to set your new password."
Confusingly, the following page simply asks for your old password as if no data breach had happened.
The old password doesn't work, of course, forcing you to request a second email message which will allow you to actually reset your password.
When it arrives in your mailbox, the second message contains a link of its own — a big green button reading "Reset Password" that points to "https://www.evernote.com/ResetPassword.action" followed by a string of unique user data.
Its headers reveal the email message did indeed come from "evernote.com," and, naturally, you knew it was coming — three signs that this message is A-OK.
Once you click the big green button, you're taken to a password-reset page on the Evernote site and all is well.
Another Mac shop falls
Evernote hasn’t said how it was hacked, but circumstantial evidence indicates it may have been hit by the same browser-based Java exploit in January that hit Twitter, Facebook, Apple, Microsoft and an estimated 40 other companies, most still unnamed.
Sharp-eyed blog watchers noted that in a Business Insider slideshow of Evernote's offices posted last year, Macs are everywhere and there's scarcely a Windows PC to be seen.
There have been several hints that the Java exploit targeted Macs instead of PCs, especially Macs used by programmers developing apps for iPhones and iPads. Even at Microsoft, it was Macs that got hit.
(Sean Sullivan of Finnish security firm F-Secure has made a pretty convincing case for the Mac-targeting theory on his company's blog.)
As for Evernote's handling of the breach, it's not clear why Evernote could have just sent the notification email from its own servers, without a link to any site, and instead asked users to simply go to the Evernote site. That would have allayed any suspicions.
Despite the notification boo-boo, the advice still stands: Don't click on any links in emails you're not expecting. Type in the website address instead.
As is the case with every data breach, change your password on each and every account for which you used the compromised password.
Try never to use the same password twice, especially for important accounts such as Facebook, Twitter, iTunes/Apple, Google, Yahoo, Amazon, online financial services and any site that stores your credit-card information.
And, please, disable Java in your Web browser.