'Evernote is Dead to me' - 50 Million Contacted Due to Cloud Communications Compromise
Recently, an alarming e-mail jumped out among the many corporate communications that cross my e-mail inbox. Evernote had been hacked, and it somewhat casually asked me to change my password.
This was not a minor breach, either. Evernote apparently had been compromised enough that the company felt it necessary to e-mail all of its 50 million users and ask that they each change their password to the site. The e-mail further explained that it didn’t think user data had been compromised, but that e-mail and passwords had been stolen.
"Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption," the statement read. "(In technical terms, they are hashed and salted.)"
Evernote is a cloud-based note-taking program. Now thank goodness I rely on Microsoft OneNote for the majority of my notes, because otherwise I would be feeling pretty uncomfortable right now.
After the news, one blogger tweeted that Evernote should change its name to “Ever Notice Your Grocery List Got Hacked?” but the security breach is no laughing matter for those of us who actually use digital notebooks.
For productivity hackers such as myself, my digital notebooks have everything: my bank information, usernames, hopes, dreams—my private journal even. I literally add pages to my digital notebooks every single day. A breach, even one that supposedly does not access my private data, is unacceptable.
I’ve flirted with Evernote over the years, waiting for it to be the right service for me, which is why I got the e-mail from the company. But with the security breach, Evernote is dead to me—like a spouse who has cheated, it will take years before it earns back my trust, if ever. With important cloud services, I just can’t chance that they are using lax or even average security practices to protect my data.
Because, as industry expert Brian Krebs noted on his security blog, “hashing and salting [can be] far from solid protection. ...the industry standard is a fairly weak approach in which a majority of passwords can be cracked in the blink of an eye.”
The cloud relies on trust far more than most of us realize. When the cloud works, we don’t think about the fact that we are relying on IT infrastructure that we don’t control or even really know that much about. But when security fails, as it evidently did for Evernote, we quickly become aware that we’re putting a lot of trust in our Web services.
This can open up a whole new can of worms in asking ourselves an important question – should we be so trusting? It really is just like a relationship; you don’t want to open yourself up so quickly and with such a reliant attitude in case you get let down or suffer the consequences of doing so.
For some charitable users, trust can survive a data breach or two. But for most of us, having sensitive information compromised or possibly compromised is the end. It is over. We can talk all we want about whether Skype will let governments listen in on our communication, but if we discover that someone actually has eavesdropped on us... I am willing to wager that few of us would use Skype after learning about the breach in our privacy.
Now this is an opportunity for cloud providers, too. Strong security practices are a definite selling point, and security in general is a key differentiator in what can sometimes look like a commodity business.
But whether used as a selling point or not, security is a crucial issue when it comes to all but the most inane cloud communications. Cloud providers should take note of this Evernote breach and make sure they avoid a similar fate – or else they could become dead to the world, too.