Evernote forces password reset after "suspicious activity"

The drumbeat of corporate security issues pounds on, with hybrid cloud/local notekeeping service Evernote reporting this weekend that its internal security team "discovered and blocked suspicious activity" aimed at sensitive areas of Evernote's service. Although neither billing information nor actual client notes were exposed in this breach, Evernote does acknowledge that some user account information -- usernames, email addresses and encrypted passwords -- was accessed.

While none of the user passwords were stored in the clear, the fact that they may be in the hands of hackers (along with the corresponding user credentials) led Evernote to force a password reset for all its millions of users. If you've gotten a password reset notice from Evernote, it's almost certainly legitimate, but in the interest of proper procedure you should not click the login link in the email. Open a trusted browser (these days, that means one with Java applets disabled) and type in "www.evernote.com" directly to reset your login credentials. If you need help generating and storing a strong password, our guide to password creation is here for you.

As more and more cloud services are subject to attacks that target user login details, it's become overwhelmingly clear that just having a strong password isn't enough; if you reused your Evernote password on any other service (especially your email account), you have a potentially serious problem. Managing unique passwords for scores or hundreds of accounts is no picnic, but utilities like 1Password or LastPass can make it easier to find and change your re-used passwords.