The security world has been busy the past few weeks, with attacks on Apple and Microsoft leading the headlines. Then yesterday the popular note-taking site Evernote was attacked and hashed and salted user passwords were stolen. Although the compromises are bad, we have to give the companies credit for coming forward to the media and reporting these breaches to the public.
Evernote went a step further and forced all of their users to reset their passwords. Although they claim the passwords are well protected and would be difficult for the attackers to crack (a salted hash is not decrypted, it is guessed at offline, and a weak password falls to that guessing no matter how good the hash is), it’s still a good idea to change it. The Evernote email stated to “read below for details and instructions” on how to do that, and those instructions included:
While our password encryption measures are robust, we are taking steps to ensure your personal data remains secure. This means that in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.
To be helpful, the company provided a hyperlink whose visible text reads evernote.com. However, upon careful inspection, you’ll notice that the link does not take you directly to the website: the underlying href points at http://links.evernote.mkt5371.com. Note that “evernote” here is just a subdomain label; the registrable domain is mkt5371.com, which is not under Evernote’s control at all. What is mkt5371? The WHOIS trail leads to MarkMonitor, which is owned by Thomson Reuters, with Silverpop also somehow factoring into the equation. MarkMonitor is a corporate domain registrar and brand-protection firm, so its name on a record more likely means it registered the domain than that it operates it; Silverpop is an email-marketing provider, which is the more plausible operator. Such a company provides a bulk email service to businesses that want to send messages to their customers, since sending 50,000,000 messages at once is not an easy task. The service almost certainly also records “opens and clicks”: the link goes to the tracking host first so the click can be counted, and only then redirects you to evernote.com. That is how Evernote can tell how many people opened the email and clicked the links it contains.
Evernote’s email goes on to include some useful security tidbits for everyone, not just their site.
There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:
- Avoid using simple passwords based on dictionary words
- Never use the same password on multiple sites or services
- Never click on 'reset password' requests in emails - instead go directly to the service
Do you see the last recommendation? It’s great advice, especially since email spoofing is really easy: the From header is trivially forged, and the text a link displays need not have anything to do with where it goes. Unfortunately, Evernote apparently doesn’t practice what they preach, given a link labelled evernote.com that actually goes to mkt5371.com and only then redirects to evernote.com. In this case the link is harmless, but a phishing email for this same breach would use exactly the same trick, a familiar domain in the link text and a stranger’s domain in the href. Training users that clicking such links is OK is one of the biggest security concerns on the Internet today.
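As an added example (our own, not code from the original post or from Evernote), here is a short Python script that does the check the post did by hand on the reset email and that the “go directly to the service” advice above implies: pull every link out of an email’s HTML, compare the domain the link text displays with the host the href really points to, and flag the ones that disagree. The email HTML is constructed for this example, and the path on the mkt5371.com link is a placeholder, not the real tracking URL. The optional redirect follower uses HEAD requests one hop at a time, never following automatically, so you can see the chain before a browser ever touches it.

```python
"""Flag email links whose visible text names one domain but whose href goes elsewhere.

Added example for this post; not Evernote's or the post author's code.
SAMPLE_EMAIL_HTML is constructed; the tracking path on the mkt5371.com link is a placeholder.
"""
import http.client
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the reset email body: the first link shows
# "evernote.com" but its href goes through a third-party tracking host.
SAMPLE_EMAIL_HTML = """
<p>Please create a new password by signing into your account on
<a href="http://links.evernote.mkt5371.com/placeholder-tracking-path?id=0">evernote.com</a>.</p>
<p>Questions? Visit <a href="https://www.evernote.com/about/contact/">evernote.com</a>
or <a href="https://www.evernote.com/Login.action">sign in</a> directly.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_anchors(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.anchors


def host_of(text):
    """Lower-cased hostname of a URL or bare domain such as 'evernote.com', else None."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    host = urlparse(text).hostname
    return host.lower() if host else None


def looks_like_domain(text):
    """Crude test for anchor text that reads as a domain or URL rather than as words."""
    text = text.strip()
    return bool(text) and " " not in text and "." in text and all(
        c.isalnum() or c in ".-/:_?=&" for c in text)


def same_site(shown, actual):
    """True when hosts match or one is a subdomain of the other (not Public Suffix List aware)."""
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


def find_mismatched_links(html):
    """Return links whose displayed domain differs from the host the href really targets."""
    findings = []
    for href, text in extract_anchors(html):
        if not looks_like_domain(text):
            continue  # text such as "sign in" makes no claim about a domain
        shown, actual = host_of(text), host_of(href)
        if shown and actual and not same_site(shown, actual):
            findings.append({"text": text, "href": href,
                             "shown_host": shown, "actual_host": actual})
    return findings


def resolve_redirect_chain(url, max_hops=5, timeout=5):
    """Follow redirects one hop at a time with HEAD requests (needs network access).

    No cookies, no body fetch, no automatic following. A tracking service will
    usually log even a HEAD request as a click, so use this on a link you already
    suspect rather than as a routine step.
    """
    chain = [url]
    for _ in range(max_hops):
        parts = urlparse(chain[-1])
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", target, headers={"User-Agent": "link-inspector"})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        chain.append(urljoin(chain[-1], location))
    return chain


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text {f['text']!r} claims {f['shown_host']} but goes to {f['actual_host']}")
```

Run against the sample, only the mkt5371.com link is reported; the two links that really land on www.evernote.com pass, and “sign in” is skipped because it claims no domain. The subdomain test in same_site is deliberately naive: it is not Public Suffix List aware, so a lookalike such as evernote.com.attacker.example is caught, but two unrelated sites sharing a suffix like co.uk would need a proper PSL check.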
We have a feeling this may be a case of the marketing and security teams not seeing eye to eye.