Hackers not able to use stolen data
"Hacker attack on Evernote: millions of encrypted passwords stolen," announced a Spiegel Online headline on the weekend. Evernote, a popular web-based service for storing and organising personal data and notes, had posted on the its blog that the company had fallen prey to a coordinated hacker attack and that user names, emails and encrypted passwords had been stolen. The provider immediately reset all the user passwords.
We asked Frank Türling, cloud expert and consultant, what the attack was all about and what he thinks about data security in the cloud.
Mr. Türling, what is Evernote?
Evernote is like a virtual notebook. It is a web-based application that enables users to save reminders, pictures, videos, notes and internet pages in the cloud and then access them from any computer. Approximately 50 million people use the service worldwide.
The service has been attacked by hackers. What does this mean?
I can only go on the information provided by Evernote. The company announced that the servers had been attacked and unknown user names, emails and encrypted passwords were stolen.
How critical is this kind of theft?
Theft is always inherently negative. In this case, however, it's worth taking a closer look: apparently only encrypted data was stolen. This means that the hackers would not be able to use the stolen data. Evernote also responded very quickly and reset all the user passwords immediately. In light of this, although the attack was indeed extremely unpleasant for the company, it was not harmful to the users.
However it must be said that web-based applications are often associated with security breaches. The fact that this incident involved one of the major providers confirmed the suspicions of many sceptics.
It may seem like that at first glance. However, if you look at how extensive the provider's safety precautions were, you would have to say that the data was much better protected in the cloud, than if had been saved locally within the company.
Despite this attack?
This statement may sound contradictory after a successful hacker attack, but the immediate detection as well as Evernote's subsequent reaction (Evernote immediately reset all passwords, editor's note) shows that the company was prepared for this type of attack. Our experience shows that it would have taken much longer for the vast majority of SMEs to register such an attack – if at all.
So do you believe that web-based applications can generally be trusted?
Definitely. The data centres of professional providers are like fortresses. In addition, professional providers not only protect the data against hacker attacks from the outside, but also against all other possible failure scenarios such as destruction of the servers, fire or flood. Despite the attack on Evernote, I believe it's clear that specialised providers are absolutely trustworthy and safe and that SMEs should feel comfortable using web-based solutions.