Evernote hack yet another warning of cloud danger for Australian SMEs
Australian Evernote users received a shock this weekend when the company sent notifications indicating it had suffered a hacking attempt, and warned affected users should change their passwords straight away.
The announcement is only the latest in a long string of attacks targeting major online companies, but represents yet another key lesson for small businesses to leave confidential information out of the cloud whenever possible and change passwords regularly.
The debate has moved beyond whether using cloud software is relevant or not, with advocates pointing out most software has at least some sort of cloud element. Instead, the question facing businesses is what type of content they should store offsite.
"This is just another example of the caution that needs to be taken with storing data in the cloud," AVG security advisor Michael McKinnon told SmartCompany this morning.
"The ability to keep our data secret is only as good as our cloud provider."
Evernote confirmed in a statement this weekend it had suffered a hack which affected as many as 50 million separate accounts. Passwords were compromised, although the company said no actual data held in the cloud was accessed.
In the company's blog post, it said user information including email addresses and usernames were accessed.
"As recent events with other large services have demonstrated, this type of activity is becoming more common," it said.
"We take our responsibility to keep your data safe very seriously, and we're constantly enhancing the security of our service infrastructure to protect Evernote and your content.
SmartCompany contacted Evernote for comment, but none was available prior to publication.
These types of attacks are becoming more frequent and, experts argue, should be anticipated by users from time to time. A more recent attack hit digital media group Yahoo!, with email passwords accessed. Twitter even suffered a hack of its own recently.
McKinnon says given the likelihood of a password attack occurring against cloud services used by businesses, SMEs should be carefully considering what type of information they place in storage services such as Evernote.
"The kinds of data you wouldn't want to put in there are lists of card numbers, or any type of confidential financial document, or banking passwords."
"Any information that would lead people to compromise other parts of your operation."
The Evernote blog post emphasises passwords should never be used across multiple sites or services. McKinnon adds that if businesses are regularly changing their passwords – as they should be – then the Evernote request should be nothing to worry about.
And there is hope, he says, the hack will result in something positive.
"All of these smaller breaches occurring against companies, it could be a lesson for them and it may became a way of securing themselves in the future."
"That's one of the takeaways here that could be a positive."