Evernote, one of the popular online services, was hacked this week. An unknown attacker gained access to a database of email addresses and passwords. The sensitive information has not yet been published, but it is always possible that the attacker will publish the data on the internet.
Evernote is a cloud-based service that lets users store personal documents, notes and other information online, with synchronization that allows the data to be accessed at any time from any online device. After the breach was detected, an email message was sent to all users with instructions to reset their account password and create a new one.
Detecting such an incident and urging users to change their passwords is a good but incomplete step toward preventing a future attack: with today’s security measures, multifactor authentication is very important for protecting users’ sensitive information.
Users also need to verify the type of encryption the company uses; Evernote still uses weak RC2 (64-bit) encryption to protect users’ documents. The Evernote web site also does not support HSTS, which is the basic protection against man-in-the-middle attacks.
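
Whether a site supports HSTS can be checked from its response headers. The following is an added example, not part of the original article: a small Python audit of the Strict-Transport-Security header that follows the RFC 6797 parsing rules. The function names, the one-year threshold and the sample responses are assumptions constructed for illustration.

```python
import re

MIN_MAX_AGE = 31536000  # one year; this threshold is an assumption of the example

def parse_hsts(value):
    """Parse an STS value (RFC 6797 section 6.1); None means user agents ignore it."""
    directives = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, val = (s.strip() for s in part.partition("="))
        name = name.lower()  # directive names are case-insensitive
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # quoted-string form of the value
        if name in directives:
            return None  # a directive must not appear more than once
        directives[name] = val
    if not re.fullmatch(r"[0-9]+", directives.get("max-age", "")):
        return None  # max-age is required and must be a number of seconds
    return directives

def audit(scheme, headers):
    """headers: (name, value) pairs from one response. Returns a list of findings."""
    sts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not sts:
        return ["missing: no Strict-Transport-Security header"]
    if scheme != "https":
        return ["ignored: HSTS sent over plain HTTP is not honoured"]
    policy = parse_hsts(sts[0])  # only the first header field is processed
    if policy is None:
        return ["invalid: header does not parse, user agents ignore it"]
    findings = []
    age = int(policy["max-age"])
    if age == 0:
        findings.append("disabled: max-age=0 removes the host from the HSTS list")
    elif age < MIN_MAX_AGE:
        findings.append("weak: max-age below one year")
    if "includesubdomains" not in policy:
        findings.append("weak: subdomains not covered")
    return findings or ["ok"]

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no_header": ("https", [("Content-Type", "text/html")]),
    "over_http": ("http", [("Strict-Transport-Security", "max-age=31536000")]),
    "short": ("https", [("strict-transport-security", "Max-Age=300")]),
    "duplicate": ("https", [("Strict-Transport-Security", "max-age=1; max-age=2")]),
    "good": ("https", [("Strict-Transport-Security", 'max-age="63072000"; includeSubDomains')]),
}
for label, (scheme, headers) in SAMPLES.items():
    print(label, audit(scheme, headers))
```

A header that is present but malformed, or that is only served over plain HTTP, gives no more protection than a missing one, which is why the audit reports those cases separately.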