Today’s report that Evernote have been hacked raises an interesting point. Evernote deny that any content has been breached, which is fine as far as it goes. I use Evernote but since it has no encryption at rest I wouldn’t put anything in there that I wouldn’t want on the front page of the Times. So why do I care?
Well, for starters because my email address has been compromised, again. So that’s more spam I’ll be getting to add to the inrushing torrent. Valid email addresses are PII (personally identifiable information) and should be protected more effectively than they seem to be by most providers. I can understand that they need to get back to the cleartext address for various reasons, but that’s no reason to store it in clear.
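A common half-measure is to "hash the email address" with a plain SHA-256 and call it protected; that buys nothing, because an attacker with a list of candidate addresses simply hashes the list and compares. The following is an added example, not code from the original post, showing the difference between an unkeyed hash and a keyed blind index (HMAC-SHA256) that still lets the service look a user up by address. The candidate address list, the `UserStore` class and the idea of keeping the cleartext under a separate key elsewhere are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not from the post): the attacker's candidate
# list of addresses, e.g. harvested from earlier breaches.
CANDIDATE_ADDRESSES = [
    "alice@example.org",
    "bob@example.org",
    "carol@example.net",
]


def normalise(email: str) -> str:
    """Canonical form so a lookup matches however the user typed the address."""
    return email.strip().lower()


def naive_hash(email: str) -> str:
    """Unkeyed SHA-256 of the address: what 'we hash the email' usually means."""
    return hashlib.sha256(normalise(email).encode()).hexdigest()


def blind_index(email: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the address, usable as the lookup column.

    Without `key` the attacker cannot precompute or enumerate this value,
    so a dump of the table does not give away the addresses."""
    return hmac.new(key, normalise(email).encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(digest: str, candidates, hasher):
    """The attacker's move: hash every candidate address and compare."""
    for cand in candidates:
        if hmac.compare_digest(hasher(cand), digest):
            return cand
    return None


class UserStore:
    """Minimal store (assumed design): rows keyed by blind index, with no
    cleartext email column.  The cleartext is assumed to be kept encrypted
    elsewhere under a separate key; only an opaque handle to it lives here."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key   # in practice fetched from a KMS/HSM, never stored in the DB
        self._rows = {}

    def add(self, email: str, encrypted_email_handle: str) -> None:
        self._rows[blind_index(email, self._index_key)] = encrypted_email_handle

    def lookup(self, email: str):
        return self._rows.get(blind_index(email, self._index_key))


def demo() -> dict:
    """Run both approaches against the same leaked table; returns the outcomes."""
    key = secrets.token_bytes(32)
    leaked_naive = naive_hash("Alice@Example.org")
    leaked_blind = blind_index("Alice@Example.org", key)
    store = UserStore(key)
    store.add("Alice@Example.org", "ct-0001")
    return {
        "naive_reversed": reverse_by_enumeration(leaked_naive, CANDIDATE_ADDRESSES, naive_hash),
        "blind_reversed": reverse_by_enumeration(leaked_blind, CANDIDATE_ADDRESSES, naive_hash),
        "lookup_works": store.lookup(" alice@example.org ") == "ct-0001",
    }


if __name__ == "__main__":
    print(demo())
```

The blind index only protects addresses while the key stays out of the database; it must be stored and rotated like any other secret, and the unkeyed variant should be treated as equivalent to cleartext.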
Email addresses aren’t just a target for spam, either – they’re a way of tying accounts together. Even I can’t be bothered – despite running my own mail server – to create a new account for each service I use. So the more you hack, the more you can piece together about my online behaviour – including linking accounts (like this one) where I use my real name with forums where I don’t. And everybody wants you to register and give them your email address these days.
The hackers also appear to have downloaded the hashed version of my password (assuming I was one of the people compromised in the Evernote attack). Now, I use a different password for every site I go to, but the desperate security illiteracy of most web services means I often can’t use a proper passphrase – too many sites limit your password length and insist it includes numbers, varied case or symbols. So I salt it – I use the same (unusual) word at the beginning, followed by a simple substitution cryptogram derived from the name of the site. This gives me a reasonable chance of remembering my password without having to record it, and makes it harder to crack because dictionary-based attacks will fail.
However, eventually someone with a rainbow-table approach will crack the hashed password. Maybe that’ll mean they can penetrate my Evernote account. Meh; I’ve changed the password already. On the other hand, if they crack it often enough, and link it using the email address, they’ll have my salt. That would be dull. Will anyone target me explicitly? I doubt it (although this post won’t help, just ask Jeremy Clarkson). But if you think Amazon, Google and Tesco are the only people capable of using big data, you’re wrong.
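To make the risk in the two paragraphs above concrete (a fixed secret word plus a per-site cryptogram, and the attacker joining cracked dumps on the email address), here is an added example that is not from the original post. It models the scheme with assumed specifics: the substitution is a Caesar shift, the secret word is "xylophone", the shift is 3, and the breach records are constructed. Two cracked passwords for the same address are enough for the attacker to recover both the word and the shift, and then to predict the password at a site that has never been breached.

```python
import string

ALPHABET = string.ascii_lowercase


def substitute(site: str, shift: int) -> str:
    """The per-site 'cryptogram': a Caesar shift of the site name (assumed
    form of the substitution; the post does not specify one)."""
    return "".join(ALPHABET[(ALPHABET.index(c) + shift) % 26]
                   for c in site.lower() if c in ALPHABET)


def make_password(secret_word: str, site: str, shift: int) -> str:
    """The user's scheme as the post describes it: fixed word + site cryptogram."""
    return secret_word + substitute(site, shift)


USER_WORD, USER_SHIFT = "xylophone", 3   # the user's secrets (assumed values)

# Constructed breach dumps after cracking: (email, site, cleartext password).
CRACKED = [
    ("alice@example.org", "evernote", make_password(USER_WORD, "evernote", USER_SHIFT)),
    ("bob@example.org",   "forum",    "hunter2"),
    ("alice@example.org", "forum",    make_password(USER_WORD, "forum", USER_SHIFT)),
]


def link_by_email(records):
    """Join the breaches on the email address: the 'link field' of the post."""
    linked = {}
    for email, site, pw in records:
        linked.setdefault(email, []).append((site, pw))
    return linked


def recover_scheme(site_passwords):
    """Given two or more (site, password) pairs for one person, find the
    fixed word and the shift.  Tries every split point (longest shared
    prefix first) and every shift; returns (word, shift) or None."""
    if len(site_passwords) < 2:
        return None
    shortest = min(len(pw) for _, pw in site_passwords)
    for cut in range(shortest, 0, -1):
        word = site_passwords[0][1][:cut]
        if not all(pw.startswith(word) for _, pw in site_passwords):
            continue
        for shift in range(26):
            if all(pw[cut:] == substitute(site, shift) for site, pw in site_passwords):
                return word, shift
    return None


def predict_password(email: str, site: str, records):
    """Predict the person's password at a site whose database was never
    breached, using only what the linked dumps reveal."""
    scheme = recover_scheme(link_by_email(records).get(email, []))
    if scheme is None:
        return None
    word, shift = scheme
    return make_password(word, site, shift)


if __name__ == "__main__":
    print(recover_scheme(link_by_email(CRACKED)["alice@example.org"]))
    print(predict_password("alice@example.org", "tesco", CRACKED))
```

Note that `bob@example.org` yields nothing because only one of his passwords is known: the scheme is safe against a single breach and fails on the second, which is exactly why the email address is the dangerous part.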
Mark my words, the first hackers to get serious with Hadoop will take identity theft to whole new heights, and email addresses are the perfect link field.