Evernote recently became the latest service to acknowledge what appears to be a widespread security breach. While the company reports that no user content or payment information appears to have been accessed, changed or lost, the breach once again highlights the importance of adding two-factor authentication on top of passwords for all systems, cloud-based or not. The breach also highlights the importance of cutting-edge university programs that prepare cybersecurity professionals to protect sensitive computer systems.
Understanding the Evernote Breach
“Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote service,” said the company in a blog post.
While the post points out that no user content or payment information seems compromised, it does acknowledge that the attackers were able to access user information, including usernames, the email addresses associated with accounts, and encrypted passwords.
The company points out that the accessed passwords are protected by one-way encryption, meaning they are stored as the output of a hash function rather than in a form that can be decrypted. Hashing does not make the stolen data harmless: an attacker holding the hashes can guess candidate passwords offline and compare the results, and weak or common passwords fall quickly. Accordingly, the service required a system-wide password reset for all users.
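To make concrete why hashed passwords still warrant a reset, here is an added example written for this page (not Evernote's code; the company has not published its hashing scheme). It stores passwords as salted PBKDF2-HMAC-SHA256 hashes, then runs the offline guessing an attacker would run against a leaked table. The account names, passwords and wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor for the hash. Real deployments tune this higher; it is kept
# modest here so the demonstration runs in a few seconds.
ITERATIONS = 50_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Store a password as salt + PBKDF2-HMAC-SHA256, encoded as one string.

    The salt is random per user, so an attacker cannot reuse a single table
    of precomputed hashes across every account in the leak.
    """
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample data: two accounts, one weak and one strong password.
WEAK_PASSWORD = "password123"
STRONG_PASSWORD = "correct-horse-battery-staple-9x!"


def build_leaked_table() -> Dict[str, str]:
    """Simulate the table an attacker walks away with: usernames and hashes."""
    return {
        "alice": hash_password(WEAK_PASSWORD),
        "bob": hash_password(STRONG_PASSWORD),
    }


# Constructed wordlist; real attackers use lists with millions of entries.
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein",
                       "evernote", "password123"]


def crack_offline(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """What 'one-way encryption' does not prevent: guess-and-compare offline.

    Nothing is decrypted. Each candidate is hashed with the victim's own
    salt and compared. The per-user salt only means the work cannot be
    shared between users; it does not stop a weak password being guessed.
    """
    cracked = {}
    for user, stored in leaked.items():
        for guess in wordlist:
            if verify_password(guess, stored):
                cracked[user] = guess
                break
    return cracked


if __name__ == "__main__":
    leaked = build_leaked_table()
    print(crack_offline(leaked, WORDLIST))  # alice falls, bob survives
```

The point the example makes is that the reset is for the users whose passwords are guessable, and the service cannot tell from the hashes alone which users those are, so it resets everyone.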
What the Breach Tells Us About Security
The system-wide password reset requirement is relatively rare for services as large as Evernote, which has about 50 million users. While users are advised to reset passwords any time there is an indication of a security breach, services rarely require it (for example, after the LinkedIn breach last year, the company advised users to reset their passwords but did not require them to do so unless their passwords were known to be compromised).
The company said in a statement to InformationWeek that it already planned on introducing a two-factor authentication system later this year for added security, and that those plans have now been accelerated. This will put the service in the company of others that have added the extra security measure, including Google, Facebook, Yahoo Mail and Dropbox.
What is Two-Factor Authentication?
Two-factor authentication requires a second proof of identity in addition to the password, so that a stolen, guessed or cracked password alone is not enough to log in. The second factor is typically a one-time code delivered by text message, generated by a mobile app or produced by a hardware fob.
A two-factor system likely wouldn't have stopped the intrusion itself or the theft of the password hashes, but it would limit what the attackers could do with any passwords they recover: without the second factor, a cracked password would not let them log in to the user's account. Though the system is becoming the norm, there is at least one notable holdout: Twitter, which suffered a breach in January, still does not use a two-factor system.
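As an added illustration of how the mobile-app form of the second factor works (example code written for this page, not Evernote's implementation, which had not shipped at the time), the block below implements the HOTP and TOTP algorithms from RFC 4226 and RFC 6238 that authenticator apps use, together with a server-side check that tolerates small clock skew and refuses replayed codes. The secret is the published RFC 6238 test key, and the timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Shared secret provisioned into the user's authenticator app. This is the
# published RFC 6238 test key, used only so the values are checkable.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter = number of time steps since the epoch."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, now: int,
                last_used_counter: int = -1, window: int = 1,
                step: int = STEP_SECONDS, digits: int = DIGITS) -> Optional[int]:
    """Server-side check. Returns the accepted counter, or None on rejection.

    Codes from `window` steps either side of the current one are accepted
    to tolerate clock drift between phone and server. A counter at or below
    the last accepted one is refused, so a code captured in transit cannot
    be replayed inside the acceptance window.
    """
    current = now // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Phone side: generate the code for a fixed moment (t = 59 s).
    code = totp(RFC_TEST_SECRET, at=59)
    print("code:", code)
    # Server side: first use is accepted, a second use of the same code is not.
    accepted = verify_totp(RFC_TEST_SECRET, code, now=59)
    print("accepted counter:", accepted)
    print("replay:", verify_totp(RFC_TEST_SECRET, code, now=59,
                                 last_used_counter=accepted))
```

The server must persist the last accepted counter per user for the replay check to mean anything, and the secret must be stored with the same care as a password hash; unlike a password, it cannot be hashed, because the server needs the raw key to recompute the code.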
As severe security breaches become rampant, universities are seeking to better train IT professionals in specific areas. For example, The George Washington University’s Master of Professional Studies in Security and Safety Leadership program is designed with homeland security issues in mind. The program offers areas of focus such as Fundamentals of Strategic Security, Strategic Cybersecurity Enforcement and Justice and Public Safety Information Management.