Password Safety Reminder

Posted by Dave Engberg on 10 Oct 2012

Last week, our systems detected a sequence of login attempts to Evernote from a single web browser, coming from IP addresses that appeared to originate in Italy. Each attempt sent a different username and password combination. Some of these usernames matched existing Evernote usernames, and fewer than one percent of the attempts sent a username and password combination that matched an existing Evernote account. From our logs, we were able to identify which Evernote accounts had an exact username and password match. We sent each of the affected account holders an email warning them to change their password on Evernote, as well as on any other service(s) where they used the same combination of username and password.

We believe that this activity came from someone who has a list of usernames and passwords that were obtained without authorization from people who use another web service. Based on a few identifying factors, we believe that the list contains a disproportionately high percentage of Italian residents. It’s possible that this list was obtained without authorization from a popular Italian-focused service. But because the attackers have plaintext passwords for each account, we think it’s more likely that the list was assembled from an Italian-focused phishing attack: a stolen database from a service that stores passwords properly holds only salted hashes, which would have to be cracked one by one before they could be tried here, whereas a phishing site collects the plaintext directly.

We’ve found a few recent examples of such attacks via Google News, but we don’t have a good way to know whether these are describing the actual origin for our incident.

Once we detected that someone was replaying what we suspected was a stolen account database against Evernote accounts (the technique now generally called credential stuffing), we added some temporary blocks to stop the immediate problem. We also deployed additional permanent heuristics so that we are warned of this type of activity faster in the future.
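As an added illustration of the kind of heuristic described above (example code written for this page, not Evernote’s own detection logic), the following script runs a credential-stuffing detector over constructed login-audit records. It keys on a client fingerprint rather than on the source IP, because one misbehaving client behind a shared NAT must not throttle everyone else behind that address; the fingerprint here is simply a constructed user-agent string, which is an assumption made for the example. The distinguishing signal is many distinct usernames from one client with a very low success ratio: an office full of real people logging in also produces many usernames, but almost all of them succeed, and a brute-force attack on a single account produces only one username.

```python
"""Credential-stuffing heuristic over constructed login-audit records.

Added example, not Evernote's code. Records, addresses and user-agent
strings below are all constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    ts: int          # seconds since the epoch
    ip: str          # source address of the attempt
    client: str      # client fingerprint; here just a user-agent string (assumption)
    username: str
    success: bool


def detect_credential_stuffing(attempts, window=600, min_distinct_users=20,
                               max_success_ratio=0.05):
    """Return {client: report} for every client that, within any `window`
    seconds, tried at least `min_distinct_users` different usernames and
    succeeded on at most `max_success_ratio` of those attempts.

    The report describes the most recent qualifying window for that client.
    """
    by_client = defaultdict(list)
    for attempt in attempts:
        by_client[attempt.client].append(attempt)

    flagged = {}
    for client, events in by_client.items():
        events.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window` seconds.
            while events[end].ts - events[start].ts > window:
                start += 1
            current = events[start:end + 1]
            users = {a.username for a in current}
            if len(users) < min_distinct_users:
                continue
            successes = sum(1 for a in current if a.success)
            if successes / len(current) <= max_success_ratio:
                flagged[client] = {
                    "attempts": len(current),
                    "distinct_usernames": len(users),
                    "distinct_ips": len({a.ip for a in current}),
                    "matched_accounts": sorted(a.username for a in current if a.success),
                }
    return flagged


def build_sample_attempts():
    """Constructed audit records covering three different traffic patterns."""
    attempts = []
    t = 1_349_000_000
    # 1. Credential stuffing: one browser rotating through three IPs, a new
    #    username on every attempt, one of sixty pairs matching a real account.
    stuffer = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/15.0"
    ips = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for i in range(60):
        attempts.append(LoginAttempt(t + i * 5, ips[i % 3], stuffer, f"user{i:03d}", i == 17))
    # 2. Office NAT: 25 employees on the same managed browser build behind one
    #    egress IP; many usernames, but nearly every attempt succeeds.
    office = "Mozilla/5.0 (Windows NT 6.1) Chrome/22.0 CorpBuild/1"
    for i in range(25):
        attempts.append(LoginAttempt(t + i * 12, "198.51.100.7", office,
                                     f"employee{i:02d}", i not in (3, 9)))
    # 3. Brute force against one account: many failures, a single username.
    #    Per-account lockout catches this; the stuffing heuristic ignores it.
    for i in range(50):
        attempts.append(LoginAttempt(t + i * 3, "192.0.2.44", "curl/7.26.0", "victim", False))
    return attempts


if __name__ == "__main__":
    for client, report in detect_credential_stuffing(build_sample_attempts()).items():
        print(client, report)
```

Only the first client is flagged; its report shows 60 attempts across 3 addresses, 60 distinct usernames and a single matched account, which is the list of users to email. The office traffic clears the username threshold but fails the success-ratio test, and the single-account brute force never reaches the username threshold at all.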

We’re providing these details as a Public Service Announcement to remind everyone that they shouldn’t reuse the same password across important services. Use a good system for remembering distinct passwords, or install a strong password manager like 1Password. If you get an email/call/fax that appears to be from your bank/government/social-network/etc. and it says you need to tell them your password, don’t: no legitimate service needs you to hand over your password, and you should not click on any links they provide. Go directly to the web site by typing its address yourself.

Obviously, most of the people reading this post already know all of that. So take this opportunity to remind a less technical friend.


12 Comments

    • Dave Engberg

      We have a few different limits in place, particularly for multiple attempts against the same account. Blocking/throttling separate attempts against separate accounts is a bit more tricky since a single IP address may represent multiple different humans. One misbehaving client application on your wifi network could throttle everyone else in your building.

      So we have a set of heuristic throttling in place, but have also tightened some of the thresholds for alerts so that we’re notified of problems sooner (i.e. pagers).

  • Vladimir Campos

    Please consider implementing an optional second step of security with Google Authenticator. I’ve been using it on my Gmail and Dropbox accounts for a while. It is a nice, simple and safe solution. Leave it as an option for those that want it.

    • Dave Engberg

      Thanks, this is on our list. But we want to make sure that we have a solution that won’t cause people to accidentally lose access to years of memories. That’s a bit of a tough balance, so we’re going slowly.

    • Sterling Zumbrunn

      Thanks for the PSA Dave! And thanks Vladimir, I just came to this page to make exactly the same comment! I completely agree, 2-step authentication is not only highly desirable, it’s becoming a must-have for critical services with important data like Evernote. Glad to hear it’s on the list! I think the way Dropbox handled it, leveraging the existing Google Authenticator is quite elegant. I like having all of my tokens in one app.

      • Dave Engberg

        I agree. It’s great that Google implemented Authenticator using RFC standards and then published the code. That’s a great way to improve overall Internet security.

  • Bob McDowell

    I hope that Evernote is NOT storing our passwords as plain text.
    They should be only saved as a salted hash!
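For readers who want to see what the salted hash the comment asks for looks like in practice, here is an added example (written for this page, not Evernote’s code) using PBKDF2-HMAC-SHA256 from the Python standard library. Each record carries its own random salt, so two users with the same password get different stored values and an attacker who steals the database has to attack each record separately; the iteration count is stored alongside so old records can be detected and upgraded at next login. Note what this does and does not protect: it limits the damage when a password database leaks, but it does nothing against the phishing case described in the post, where the attacker obtains the plaintext from the user directly.

```python
"""Salted, iterated password hashing with PBKDF2-HMAC-SHA256.

Added example, not Evernote's code. The record format
"pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>" is this example's own.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # current recommended floor for PBKDF2-SHA256; raise over time
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record; a fresh random salt is drawn every call."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(key)])


def verify_password(stored: str, password: str) -> bool:
    """Recompute with the record's own salt and iteration count and compare
    in constant time. Malformed records are rejected rather than raising."""
    try:
        algorithm, iterations, salt_b64, key_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                        int(iterations), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with fewer iterations than the current
    policy; re-hash on the next successful login, since the plaintext is
    only available then."""
    try:
        algorithm, stored_iterations, _, _ = stored.split("$")
    except ValueError:
        return True
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password(record, "correct horse battery staple"))
    print("wrong password:", verify_password(record, "Tr0ub4dor&3"))
```

Two records for the same password differ because of the salt, and the second half of the record is what an attacker would have to brute-force per account if the database leaked. Iterated hashing only buys time against offline guessing, which is exactly why the post’s advice not to reuse passwords still matters: a weak or reused password is cracked no matter how it is stored.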

  • hi…
    1) I need Evernote software that also has a reminder which will remind me of particular data within the stored data that I select, by setting an alarm.

    2) The data should be accessible quickly even when the storage is large.

    please reply quickly………

  • Why not use Google Authenticator as a security reinforcement for Evernote? I think it is the most secure way: user + password + GA code every 30 days.

    • Dave Engberg

      See the prior reply to Vladimir.
      An optional second factor authentication scheme would be good for the relatively small percentage of users who will be willing to set it up.