The Redwood City, California-based company said in a post published late Saturday that an attacker had been able to access sensitive customer information and that every user would have their account reset "in an abundance of caution."
Evernote says the attacker was able to access an unspecified number of customers' encrypted passwords. Decoding such passwords can be difficult but is far from impossible.
The company says it has seen no evidence that any customer data had been tampered with or that any payment information had been compromised.
A phone message left with Evernote on Sunday was not immediately returned.