
Password Reset Discussion Thread

security issue hacked windows mac ios android

201 replies to this topic

#1 gazumped

gazumped

  • Title: Operative
  • Group: Evernote Evangelist
  • 5,691 posts

Posted 02 March 2013 - 04:04 PM

Thanks for the heads-up. Changing now.


I use Evernote constantly but don't speak for them. Opinions here are my own based (more or less) on age, experience, and common business sense.

Evernote read what's posted here, and take it into consideration setting priorities; they don't normally comment on individual cases, or offer any forecasts or promises on whether or when a new feature might be released.

 

Premium Windows & Android user in Wales, UK

EN Mobile 5.8 Beta 2 | Galaxy S3 Android 4.1.2 | Chrome - EN Desktop 5.2.0.2503 (270503) Prerelease | Dell Inspiron W8.0 | Chrome + Clipper & Clearly | MS Office 2013 (also Vista and W7)


#2 Extropy

Extropy

  • Title: Bushwhacker
  • Group: Members
  • 103 posts

Posted 02 March 2013 - 04:17 PM

Beware - I had to resync all my off-line content on iPad and iPhone because of this. Support ticket #16051-248323.



#3 hramos

hramos

  • Title: Member
  • Group: Members
  • 1 posts

Posted 02 March 2013 - 04:18 PM

Glad I found this post.

Tried to log in (desktop app) today and was getting an error, went on web sign-in and it asked me for a pass reset.

 

Cheers



#4 Bartman001

Bartman001

  • Title: Alliance Lackey
  • Group: Members
  • 71 posts

Posted 02 March 2013 - 04:24 PM

I certainly hope they send an email to everyone's email of record. I was lucky and tried to sign in on the web client and discovered I had to do a password reset to log in.



#5 spg SCOTT

spg SCOTT

  • Title: "There is no magic, only lost physics"
  • Group: Evernote Evangelist
  • 1,843 posts

Posted 02 March 2013 - 04:34 PM

"I certainly hope they send an email to everyone's email of record. I was lucky and tried to sign in on the web client and discovered I had to do a password reset to log in."

 

From the blog post:

 

"The following blog post is also being sent to all Evernote users as an email communication."

 

I assume that may take a little time though...



#6 Pascal

Pascal

  • Title: Member
  • Group: Members
  • 5 posts

Posted 02 March 2013 - 04:36 PM

Two-step verification would be nice to avoid this type of problem.



#7 Leopold

Leopold

  • Title: Member
  • Group: Members
  • 10 posts

Posted 02 March 2013 - 04:45 PM

"Beware - I had to resync all my off-line content on iPad and iPhone because of this. Support ticket #16051-248323."

Me too... 5GB worth - not at all happy about that - also not sure I haven't lost space on the iPad with the re-download... I'd appreciate some word on this from Evernote



#8 jbenson2

jbenson2

  • Title: User # 142,683
  • Group: Members
  • 5,602 posts

Posted 02 March 2013 - 05:02 PM

Well, Evernote can't say they weren't repeatedly warned.

There have been tons of previous comments about Evernote security requesting 2-factor authentication, full note encryption and many other security suggestions.

I'm sure most users are glad to hear that even though this type of activity is becoming more common with large services, Evernote is doing something to improve its security (by asking you to create a new password).
 

Hope it's not too difficult for everyone with multiple mobile devices and fat fingers to complete the process of getting back online by entering a new lengthy complex password several times.

According to the blog post mentioned above, there has been:

  • no evidence that your Evernote content was accessed
  • no evidence that any payment information was accessed
  • but the hackers did gain access to user information, usernames, email addresses and encrypted passwords.

However no worries man - your password was hashed and salted.

Make sure you have multiple Evernote backups as well.

 


 



#9 Drdul

Drdul

  • Title: Member
  • Group: Members
  • 4 posts

Posted 02 March 2013 - 05:03 PM

I hope our email addresses were also stored on Evernote's servers in encrypted format, as I'm not looking forward to a deluge of spam.



#10 Jusvery

Jusvery

  • Title: Member
  • Group: Members
  • 8 posts

Posted 02 March 2013 - 05:17 PM

Why not use 2-step auth provided by Google?



#11 MP99

MP99

  • Title: Member
  • Group: Members
  • 17 posts

Posted 02 March 2013 - 05:25 PM

I guess it's understandable, if rather annoying. But...

 

No e-mail, yet.

 

Why no announcement on the Evernote Status RSS feed?

 

Why no announcement on the Evernote Tech Blog RSS feed?

 

Martin


Currently Firefox 16.02 [with NoScript].

#12 MP99

MP99

  • Title: Member
  • Group: Members
  • 17 posts

Posted 02 March 2013 - 05:26 PM

"I hope our email addresses were also stored on Evernote's servers in encrypted format, as I'm not looking forward to a deluge of spam."

 

Seconded.

 

Martin


Currently Firefox 16.02 [with NoScript].

#13 Metrodon

Metrodon

  • Title: Bankrobber
  • Group: Members
  • 4,789 posts

Posted 02 March 2013 - 05:33 PM

I'm glad they are forcing the password change, but as others have said the way it is being handled seems a bit amateurish.



#14 spg SCOTT

spg SCOTT

  • Title: "There is no magic, only lost physics"
  • Group: Evernote Evangelist
  • 1,843 posts

Posted 02 March 2013 - 05:35 PM

"Why no announcement on the Evernote Status RSS feed?

Why no announcement on the Evernote Tech Blog RSS feed?"

So the status is more for technical messages (outages/maintenance/etc.), but I guess a message could have gone there.

The Tech blog would (possibly) be slightly redundant and the normal blog, which is where the announcement is, would be better as there are more likely more followers to that than the tech blog.

At least, that is my take on it.

Scott

#15 BlueOak

BlueOak

  • Title: Alliance Lackey
  • Group: Members
  • 66 posts

Posted 02 March 2013 - 05:41 PM

"Evernote’s Operations & Security team has discovered and blocked
suspicious activity on the Evernote network that appears to have been a
coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a
password reset. Please click link below for details and instructions."

 

Every company gets hit with problems - how they handle those problems is what sets them apart.

 

Easy misses (EN did *not* do) by Evernote once they discovered the problem:

 

1) Immediate email broadcast to all users with the simple text above.

 

2) For those users who had not seen the email and were wondering why they were being forced to reset PW, insert the same simple text in the password reset screen rather than leaving them wondering "I did not click 'reset password' - why is Evernote stuck in this reset loop?"

 

Edit: I had to learn what happened via a TechCrunch tweet:

http://techcrunch.co...ayment-details/


iPad2-iOS5 / iPhone5-iOS6 / Windows

#16 yabatopia

yabatopia

  • Title: Member
  • Group: Members
  • 1 posts

Posted 02 March 2013 - 05:42 PM

I'm a premium user and I didn't get an email. Not happy about it, but the security breach is even more worrisome. 



#17 shimra

shimra

  • Title: Browncoat
  • Group: Members
  • 221 posts

Posted 02 March 2013 - 05:44 PM

I really wish they explained on the password reset screen WHY Evernote is forcing you to reset a password. I originally thought it was either a bug (since I didn't ask for a reset) or that I was experiencing some sort of man in the middle attack.



#18 Metrodon

Metrodon

  • Title: Bankrobber
  • Group: Members
  • 4,789 posts

Posted 02 March 2013 - 05:51 PM

This is the first time that I can remember that they've had any sort of breach, although I'm not overwhelmed with joy at how I found out about it, I think you have to give them a chance and let them learn a little as they go along. Hopefully there won't ever be another breach (of course there will be), but if there is then our expectation of how they handle notifications will be justifiably higher.



#19 richiemap

richiemap

  • Title: Member
  • Group: Members
  • 7 posts

Posted 02 March 2013 - 05:55 PM

Like everyone else, it was only from reading one of the other discussions, I learned why Evernote needed to have everyone reset their passwords (security breach) - and that's completely understandable, and of course, the necessary response. However, there was no mention of the reason, no email or anything to indicate why this was taking place. Granted, it only took a few minutes to find out, but there are clearly still some issues - nearly constant crashing of the app, inability to sync, etc. - and no doubt the folks at Evernote are in a frenzy to get things under control, but some simple, clear communication would be most welcome. I also think it's essential to maintaining Evernote's well-deserved stellar reputation that their ability to communicate is on a par with the excellence of their product(s). We'll certainly give it some time to get sorted out, but please Evernote, take this to heart - it will serve the company well to keep the relationship strong with your users.

#20 Martin Packer

Martin Packer

  • Title: Browncoat
  • Group: Members
  • 562 posts

Posted 02 March 2013 - 05:56 PM

Not being surprised or annoyed I'll just note this sort of thing is precisely why MY company won't let me keep sensitive data in public cloud services. Before we get anywhere near Evernote Enterprise - and they tell us this isn't something they're terribly interested in - this would have to get fixed to enterprises' satisfaction.

 

BTW what happens if an Evernote Business customer grows to become an Enterprise one? :-)






