The very popular productivity app, Evernote, was hacked this past Saturday. In response to the security attack, the company has decided to reset the passwords of its entire user base. This means an estimated 50 million users will need to reset their account info. According to Ingrid Lunden at TechCrunch:
“Evernote is requiring its nearly 50 million users to reset their passwords after the popular personal note-taking app became the latest high-profile victim of wide-scale hacking attempts. The breach follows malicious activity at Twitter, Facebook and others in recent weeks.
Phil Libin, Evernote’s CEO and founder, told TechCrunch in an email everything is running, although if you try to access the site things may not work as normal at the moment: ‘We just pushed out a password reset, so the servers are going to be saturated for a bit,’ he wrote. ‘Everything is up, although response is choppy. There’s no threat to user data that we’re aware of.’”
A pattern of these security attacks seems to be emerging. It’s important for app makers to note that the effects of an attack like this can be damaging. Trust is everything for an app’s users, and once their privacy is breached, that trust is extremely difficult to regain. Luckily, Lunden says that in Evernote’s case no bank information was stolen:
“In a blog post, the company said that ‘individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords,’ but that no payment details were accessed. ‘We don’t store any user payment info, so no payment info can be compromised,’ Libin told TechCrunch.”
Since most apps do store payment information, Evernote’s latest incident points to a massive need for security testing across apps. As the Evernote team can likely attest, it’s impossible to predict and test for these attacks inside the lab. Using white-hat security experts under real-world conditions is the only way to identify and patch these vulnerabilities.