Evernote Hacked And Is Requiring All Users To Reset Their Passwords; Incident Offers Advisors A Poignant Lesson About Security And Encryption
- Created: Sunday, 03 March 2013 17:18
"We have found no evidence that any of the content you store in Evernote was accessed, changed or lost," the company says in a blog post. "We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed. The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords."
Evernote says it encrypts passwords. So even though its system was breached, hackers should not be able to see the passwords associated with a particular user.
However, based on Evernote's blog post today and others in the past, content stored by Evernote is not encrypted. So the hackers would indeed have been able to see the content associated with a user's accounts.
This is the same issue, by the way, that led to my criticism of a popular tech writer's assessment several years ago of a file sharing service. I took the writer to task for saying that a free file sharing service had "very impressive" security, when the app was, in fact, not encrypting content stored on its servers. (For the record, the writer, Joel Bruckenstein, is very knowledgeable about advisor technology, and despite reports to the contrary, we like and respect each other. I just could not let that mistake pass because security is way too important an issue.)
Hopefully advisors are not posting personally identifiable information about clients on Evernote. If you are storing PII about clients on Evernote, you likely are legally obliged to disclose to clients that their data may have been breached.