Yesterday, Evernote, the popular note-taking and scrapbook app, was hacked and an unknown number of user credentials were stolen. Evernote carried out a precautionary password reset for all of their users which, as has been remarked elsewhere, looked a lot like a phishing scam in its own right.
Thankfully, since the last time this happened with Twitter, I have had unique passwords for every service I use, so all I had to do was reset the one password (and re-link all my devices – damn, I wish they’d use token-based auth for their devices, but never mind). For all the faff of having to remember (or have written down) hundreds of different passwords, it is now far less faff than having to change each and every one of them when yet another web service gets breached.
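The device re-linking complaint above is a design point worth spelling out. If each device holds the account password (or something derived from it), a password reset invalidates every device at once. If instead the device exchanges the password once for a random, per-device token that the server stores hashed, the password can be rotated without touching the devices, a single lost device can be revoked on its own, and the service can still choose to revoke everything when it suspects the tokens themselves are at risk. The following is an added example written for this post; it is not Evernote's code and says nothing about how their sync actually works. The in-memory `AccountStore`, its method names and the PBKDF2 parameters are all assumptions for illustration:

```python
import hashlib
import hmac
import os
import secrets

# Assumed work factor for the illustration; a real service tunes this to its hardware.
PBKDF2_ITERATIONS = 100_000


class AccountStore:
    """Constructed in-memory stand-in for a service's account table.

    Each account keeps a salted password hash plus one hashed token per linked
    device, so password and device credentials are stored and revoked
    independently of each other.
    """

    def __init__(self):
        self.accounts = {}

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    @staticmethod
    def _hash_token(token):
        # Tokens are already high-entropy random strings, so a plain SHA-256
        # is enough to keep a database dump from revealing usable tokens.
        return hashlib.sha256(token.encode()).digest()

    def create_account(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = {
            "salt": salt,
            "pw_hash": self._hash_password(password, salt),
            "devices": {},  # device_id -> sha256(token)
        }

    def check_password(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return False
        candidate = self._hash_password(password, acct["salt"])
        return hmac.compare_digest(acct["pw_hash"], candidate)

    def link_device(self, username, password, device_id):
        """Exchange the password once for a per-device token.

        The device stores only the returned token; the password never needs
        to live on the device after this call.
        """
        if not self.check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.accounts[username]["devices"][device_id] = self._hash_token(token)
        return token

    def check_device_token(self, username, device_id, token):
        acct = self.accounts.get(username)
        if acct is None:
            return False
        stored = acct["devices"].get(device_id)
        if stored is None:
            return False
        return hmac.compare_digest(stored, self._hash_token(token))

    def revoke_device(self, username, device_id):
        """Kick a single device (lost phone, suspicious login) without touching the rest."""
        self.accounts[username]["devices"].pop(device_id, None)

    def set_password(self, username, new_password, revoke_devices=False):
        """Server-side password reset, after whatever out-of-band check the service performs.

        Because device tokens are random rather than derived from the password,
        rotating the password leaves linked devices working unless the caller
        explicitly asks for them to be revoked as well.
        """
        acct = self.accounts[username]
        acct["salt"] = os.urandom(16)
        acct["pw_hash"] = self._hash_password(new_password, acct["salt"])
        if revoke_devices:
            acct["devices"].clear()


if __name__ == "__main__":
    store = AccountStore()
    store.create_account("alice", "correct horse battery staple")
    phone = store.link_device("alice", "correct horse battery staple", "phone")
    store.set_password("alice", "a brand new passphrase")
    print("phone still linked after reset:", store.check_device_token("alice", "phone", phone))
```

The `revoke_devices` flag is the caveat: a precautionary reset after a breach of the password database can leave devices linked, because the tokens were never derived from the passwords, but if there is any chance the token table itself was read, the service should clear it and accept the re-linking cost.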
As someone who builds web platforms and applications for a living, I do feel a certain sense of “there but for the grace of God”, so perhaps we shouldn’t be too hard on Evernote. They acted promptly once the security breach was discovered and, for me at least, the disruption was minimal.
However, once again we have a service in which many people store important personal information (Evernote even encourage you to store tax information using their service) that doesn’t provide any extra security, despite having promised two-factor authentication some time ago.
I really hope that this breach will prompt cloud services like Evernote that store sensitive information on behalf of their users (or act as an authentication mechanism in their own right, as Twitter does) to implement extra security (such as the aforementioned two-factor auth) in their services.