Following a security breach on the weekend, the developer of popular note-taking and organisation software Evernote has announced plans to speed up the introduction of two-factor authentication (2FA) for its services.
Earlier, the company chose to reset passwords for 50 million accounts, after an attacker was able to gain access to account information stored on the platform, such as user names, emails and encrypted passwords. This situation could have been prevented if 2FA was available.
On Saturday, Evernote initiated a “service-wide password reset”, after the security team discovered a “coordinated attempt to access secure areas of the Evernote Service”.
According to spokeswoman Ronda Scott, Evernote was always planning to introduce optional security measures to its services. However, following the attack, the company will be “accelerating those plans”.
Two-factor authentication is an authentication method which requires the presentation of at least two out of three kinds of factor: a knowledge factor (such as a password or PIN), a possession factor (such as a keycard or a smartphone) or an inherence factor (such as a fingerprint or iris pattern).
It is unlikely the attackers would be able to use the stolen data, since Evernote, abiding by good security practices, ‘hashed’ and ‘salted’ its passwords. “If this was performed correctly, then users should not be concerned about their passwords being compromised. Evernote took the right steps to reset everyone’s password too,” commented Mark Bower, VP for Product Management at Voltage Security.
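As an added illustration (not code from the article or from Evernote), the following Python shows what "hashed and salted" storage looks like when performed correctly, and why a leaked salted record cannot be matched against one shared precomputed table the way an unsalted fast hash can. The PBKDF2 work factor and the sample usernames and password are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed work factor for this illustration; real deployments tune it to their hardware.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a password as (salt, digest) using PBKDF2-HMAC-SHA256.

    A fresh random salt per user means two users with the same password get
    different digests, so a leaked table cannot be attacked with a single
    precomputed lookup shared across all records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def unsalted_sha1(password: str) -> str:
    """The 'not performed correctly' case: one fast hash, no salt.

    Every user with this password has an identical record, so a single table
    entry covers all of them. Shown only to contrast with hash_password().
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def leaked_records_match(password: str, salted: bool) -> bool:
    """Would two users who chose the same password end up with the same stored record?"""
    if salted:
        return hash_password(password)[1] == hash_password(password)[1]
    return unsalted_sha1(password) == unsalted_sha1(password)


if __name__ == "__main__":
    # Constructed sample credential store: two users with the same weak password.
    store = {user: hash_password("letmein") for user in ("alice", "bob")}
    print("salted records differ:", store["alice"][1] != store["bob"][1])  # True
    print("alice login ok:", verify_password("letmein", *store["alice"]))  # True
    print("alice wrong pw:", verify_password("wrong", *store["alice"]))    # False
```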
“Very likely there was a Java or zero-day exploit leading to system penetration. Maybe an insider opened a malicious email from spear phishing. We may never know, but once again it shows that what was once considered the impenetrable barrier, the enterprise perimeter, is now just a semi-permeable membrane only as good as the weakest link,” he added.
Earlier this month, Twitter posted a job listing, looking for a software engineer in product security, with experience in areas such as “multifactor authentication and fraudulent login detection”. This prompted rumours that the microblogging platform could be looking to join the ranks of Dropbox, Facebook, Google, PayPal and other companies which have already implemented 2FA.
Which situations could have been prevented using 2FA?
Obviously we are not talking about illegal access to the Evernote systems.
2FA makes the authentication phase more secure because a physical token is needed for access.
Instead, what was compromised last time was Evernote's information system, which means emails, user IDs and passwords (probably well coded), as the company said.
But they didn't mention the notes set by users in the system; were these accessed or not?
Anyway, for me (a premium account) Evernote is a really good service/product.
If I may ask, I would like to know more about their ISMS, especially regarding the security measures for "customers' notes".
Lastly, about 2FA: well, it's a nice-to-have gadget; most important to me is the immediacy of the reaction after a system breach and the promptness of the information sent to customers (like last time).
Personally I put sensitive information in Evernote only after encrypting it, generally using a tool like PGP/GPG.
Yes, I know that the Evernote client has embedded cryptography tools, but I wasn't able to find technical information about them (the algorithms used); however, the fact that "nobody (including Evernote staff) can recover this text if the passphrase is lost or forgotten" gives me hope that there is a good architecture behind the curtains.