From The Expert Feature Article
March 05, 2013

Evernote Security Breach an Epic Fail and an Opportunity for Managed Service Providers

The e-mail arrived rather casually with all the other bulk messages I get each day from cloud services. But as I read and mentally processed the subject line, I stopped in my tracks. Evernote had been hacked.

This was not a minor breach: Evernote apparently had been compromised enough that the company felt it necessary to e-mail all of its 50 million users and ask that they each change their password to the site. The e-mail said that the company didn’t think user data had been compromised, but e-mail and passwords had been stolen.

"Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption," the statement read. "(In technical terms, they are hashed and salted.)"

Evernote is a cloud-based note-taking program. Now thank goodness I mostly use Microsoft OneNote for the majority of my notes, because otherwise I would be feeling pretty uncomfortable right now.

After the news, one blogger tweeted that Evernote should change its name to “Ever Notice Your Grocery List Got Hacked?” but the security breach is no laughing matter for those of us who actually use digital notebooks.

For productivity hackers such as myself, my digital notebooks have everything: bank information, usernames, hopes, dreams—my private journal even. I literally add pages to my digital notebooks every single day. A breach, even one that supposedly does not access my private data, is unacceptable.

I’ve flirted with Evernote over the years, waiting for it to be the right service for me, which is why I got the e-mail from the company. But with the security breach, Evernote is dead to me—like a spouse who has cheated; it will take years before it earns back my trust, if ever. With important cloud services, I just can’t chance that they are using lax or even average security practices to protect my data.

Because, as Brian Krebs noted on his security blog, “hashing and salting [can be] far from solid protection. ...the industry standard is a fairly weak approach in which a majority of passwords can be cracked in the blink of an eye.”

This is why security is such a major issue for managed service providers. Managed service provider relationships, and cloud services in general, rely on trust. When the cloud works, we don’t think about the fact that we’re pushing our data to data centers we usually don’t control. But when security fails, as it evidently did for Evernote, we quickly become aware that we’re putting a lot of trust in our Web services and our managed service providers.

For some charitable users, trust can survive a data breach or two. But for most of us, having sensitive information compromised or possibly compromised is the end. It is over.

Now this is an opportunity for managed service providers, too. Strong security practices are a definite selling point, and security in general is a key reason that companies should consider choosing a managed solution.

But whether used as a selling point or not, security is a crucial issue when it comes to all but the most inane cloud services. Managed service providers and their clients should take note of this Evernote breach and make sure they avoid a similar fate.

Edited by Brooke Neuman