An unknown individual or group hacked into Evernote's database and made off with user information, resulting in a servicewide password reset that affected 50 million end users.
Evernote and its 50 million-user population are having a bad week. The productivity software-as-a-service provider issued a systemwide password reset for all of its users on Saturday after a hacker or group of hackers broke into its user database and swiped various bits of user information, including usernames, emails and passwords.
It's another weapon in the arsenal of cloud skeptics, who tend to point at breaches like this as proof the cloud is not secure. Of course, that's ridiculous, as these breaches are less common than attacks or theft within the four walls of a business. Still, Evernote is coming under fire—and rightfully so—for allowing this breach to happen.
According to the company's blog, its operations and security team discovered and blocked "suspicious activity" on its network. The blog post, written by Dave Engberg, called it a "coordinated attempt to access secure areas" of Evernote's service.
Although Evernote found no evidence user content was accessed, changed or lost, the company did admit that the nogoodniks responsible gained access to user information. That led Evernote to issue the servicewide password reset. So if you're an Evernote user and you haven't yet reset your password, now would be a good time to do so. For paid subscribers, there was no evidence that payment information had been accessed, so at least credit card information appears to be safe.
The cloud service provider also offered password tips to its users. Nothing out of the ordinary, of course; just the typical recommendations of not using simple passwords, not using the same password on several sites (something most of us are guilty of) and never clicking on "reset password" requests in emails.
With any luck, Evernote will take further precautions in the future to ensure this doesn't happen again. And maybe other cloud SaaS providers should take note and think about whether they're doing all they can to keep their users' data secure.