Several people have asked me if I am aware of the attempted hack of Evernote today. Yes, I am. I found out about the attempt the way most people found out: through their blog post, Twitter announcement and direct email. A few people have asked what I take to be a very natural question given my role as Evernote’s ambassador for paperless living (to say nothing of being a proponent of both Evernote and going paperless):
Do you still feel your data is secure with Evernote?
My answer is: yes. Indeed, I don’t plan on changing any of my practices as far as the data I keep in Evernote or the way I access my data. The attempted attack did not actually access user data. Instead, it accessed user names, email addresses and encrypted passwords. Evernote forced a password reset for all of its user accounts, which is a good practice in an event like this.
I’ve discussed using good online security practices in the past. I’ve also talked about how I make a monthly backup of my Evernote data, as part of a more general data protection plan for all of my data. As it turns out, my online security practices (using strong passwords, SSL, and using a different password for each service) served me well today. Even if my password was compromised (which it wasn’t, since it was encrypted), it would only be valid for Evernote, and they forced me to reset my password. There was never a time when I didn’t have access to my data. (When this happened and the service was temporarily offline this morning, I was in the middle of preparing my taxes using Evernote. I could access all my notes locally and it wasn’t until afterward that I learned of the problem.)
I would like to see Evernote make 2-factor authentication an option for users. This simply adds an extra layer of protection. 2-factor authentication is slightly more cumbersome for the end-user to set up (I use it wherever it’s available: Google, Facebook, etc.), but the added security gives me added peace of mind. I imagine Evernote will draw lessons from this event and continue to make improvements to their security model. (Indeed, they’ve released some updated iOS products today that directly address this issue.)