Evernote is requiring each of its 50 million users to reset their login credentials after the site's security team detected a security breach that exposed password data and other personal information.
In a security notice published Saturday, Evernote said the precautionary password reset came after an investigation found no evidence of any stored content being accessed, changed, or lost. The advisory also stated that payment information wasn't accessed. However, Evernote warned that user information—including usernames, cryptographically protected passwords, and e-mail addresses—was accessed. "Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption," the statement noted. "(In technical terms, they are hashed and salted.)"
Evernote's decision to cryptographically hash and salt the passwords is important in the wake of this digital break-in, because the technique makes the information slightly more time-consuming to crack. That can buy a security team time in the hours or days following the discovery of a breach. (For a more detailed explanation of the techniques, see Ars Security Editor Dan Goodin's feature "Why passwords have never been weaker—and crackers never been stronger.") Even with that protection in place, Evernote's decision to reset all the passwords remains a necessary precaution.
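
What "hashed and salted" changes for a stored credential table, as an added example that is not from the original article or from Evernote. The article does not say which hash function Evernote used; PBKDF2-HMAC-SHA256, the iteration count, the function names and the sample accounts below are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, chosen for this example only
SALT_BYTES = 16

def unsalted_record(password):
    """Plain SHA-256 with no salt: the weak baseline, shown for comparison."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn for each new user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_record(password, salt)
    return hmac.compare_digest(digest, expected)

def shared_digest_groups(digests):
    """Group users whose stored digest is identical.

    Every user in a group is exposed by one recovered password, and the
    group itself tells whoever holds the table which passwords are reused.
    """
    groups = {}
    for user, digest in digests.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(g) for g in groups.values() if len(g) > 1]

# Constructed sample accounts: alice and bob picked the same password.
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor&3"}

def demo():
    unsalted = {u: unsalted_record(p) for u, p in SAMPLE.items()}
    stored = {u: salted_record(p) for u, p in SAMPLE.items()}
    salted = {u: rec[1] for u, rec in stored.items()}
    return shared_digest_groups(unsalted), shared_digest_groups(salted), stored

if __name__ == "__main__":
    weak, strong, _ = demo()
    print("users sharing a digest without salt:", weak)
    print("users sharing a digest with per-user salt:", strong)
```

Salting removes the shared digests and defeats precomputed tables, but each record can still be guessed individually, which is why the reset remains necessary.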