If you know me or have read any incarnation of this blog, you will know that I am a huge fan of Evernote, going way back to the beta days. If you are an Evernote user, you are probably aware of the security breach they experienced. I knew it was big when it appeared in my BBC RSS feed over the weekend. Although no passwords were compromised, they quickly instituted a plan to communicate the breach and roll out application updates to mitigate any issues.
Although the response was timely, there was one minor fail that I identified: all of the links in the email pointed not to evernote.com but to a subdomain of another site.
Example (link abbreviated):
What in the heck is mkt5371.com? In the email, Evernote instructs us to “Never click on ‘reset password’ requests in emails – instead go directly to the service”, while simultaneously offering links to a different site. There are two problems with this:
- Mixed messages, especially for a neophyte user: go straight to our website, but here are a bunch of links in this email you can click
- Links to a site other than evernote.com: that just looks phishy, because a domain the recipient has never heard of is exactly what a phishing email would use
I can think of a dozen reasons why Evernote linked to a different site, and the site turned out to be legitimate (I did not click that link, but did an end-around). Nothing visible in the email, however, lets a recipient tell a legitimate click-tracking domain from an attacker-controlled one. This email could have easily been crafted by the hackers responsible for the breach to direct users to a malicious site for a drive-by exploit or to capture passwords. I could set up the subdomain (e.g. evernote.matricellc.com) and the site myself in less than an hour, if I were so inclined.
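The check a recipient (or a mail filter) would want here is mechanical: pull every link out of the message and compare its host with the sender's domain. The script below is an added example, not code from this post or from Evernote; the embedded message is constructed for illustration (the mkt5371.com and evernote.matricellc.com hosts come from the post, the paths and anchor texts are made up), and it approximates the registrable domain as the last two labels rather than consulting the Public Suffix List.

```python
"""Flag links in a notification email that point off the sender's domain."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the situation described in the post;
# it is not the actual Evernote email. Sender is @evernote.com, links are not.
SAMPLE_EMAIL = """\
From: Evernote <no-reply@evernote.com>
To: user@example.com
Subject: Evernote security notice
Content-Type: text/html; charset=utf-8

<html><body>
<p>Never click on 'reset password' requests in emails - instead go directly
to the service.</p>
<p><a href="https://links.mkt5371.com/ctt?abc">Reset your password</a></p>
<p><a href="https://evernote.com/password/reset">evernote.com</a></p>
<p><a href="https://evernote.matricellc.com/login">www.evernote.com</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two DNS labels.

    Assumption: adequate for .com-style hosts. A production tool should use
    the Public Suffix List so that hosts like example.co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(msg):
    """Registrable domain of the address in the From: header."""
    addr = parseaddr(msg["From"])[1]
    return registrable_domain(addr.rsplit("@", 1)[-1])


def suspicious_links(raw):
    """Return (href, anchor_text, reason) for links not under the sender's domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    parser = LinkExtractor()
    parser.feed(body)
    own = sender_domain(msg)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != own:
            reason = "off-domain link"
            # Anchor text showing the real domain while the href goes
            # elsewhere is the classic phishing pattern, so call it out.
            if own in text.lower():
                reason = "off-domain link disguised as " + own
            findings.append((href, text, reason))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

Run against the sample, the mkt5371.com link is reported as off-domain and the evernote.matricellc.com link as off-domain and disguised, while the real evernote.com link passes. The point of the exercise is that a legitimate tracking domain and an attacker's lookalike produce the same finding, which is why a breach notice should only link to the sender's own domain.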
A better way to handle this is to use something I learned yesterday from a marketing guru: MWR, or Most Wanted Result. What result do you want from this email? Do you want the user to change their password? Then every link should go to the password reset page on your own domain, and the message in the email should state clearly what you want the reader to do.
With the exception of the confusing email, I believe that Evernote handled this situation very well and in a timely manner. Kudos to Phil Libin and his team for their response. Next time, they should take an extra minute to consider the content of the communication they are sending, regardless of how crazy the situation is.
I notified Evernote support of the confusing email, though the response I received did not quite address the issue. I’ll let them slide on that, as I’m sure they had thousands of support tickets for this issue.
Also, this security incident reinforces my belief that sensitive data should not be stored in 'the cloud', at least for now. I do not, and I use private (offline) notebooks for anything I consider sensitive. I recommend you carefully consider those items you store in the cloud, in particular personally identifiable data, intellectual property, and even screenshots and other images.