Password Reset Discussion Thread

security issue hacked windows mac ios android

201 replies to this topic

#1 gazumped

gazumped

  • Title: Operative
  • Group: Evernote Evangelist
  • 2,869 posts

Posted 02 March 2013 - 04:04 PM

Thanks for the heads-up. Changing now.


Premium Windows & Android | Wales, UK - EN Mobile 5.1.2 public | Galaxy S3 Android 4.1.2 | FF 21
EN Desktop 4.6.6.8360 (268868) Public | HP DV6000 laptop Vista SP1 | FF 22.0 + Clipper 5.7 & Clearly 9.3369.854.430 | MS Office 2007

User Manuals: Mac | Windows | iOS | Android
Getting Started | Support Page | Knowledge Base | Status Page | Support Requests & Feedback


#2 Extropy

Extropy

  • Title: Alliance Lackey
  • Group: Members
  • 69 posts

Posted 02 March 2013 - 04:17 PM

Beware - I had to resync all my off-line content on iPad and iPhone because of this. Support ticket #16051-248323.



#3 hramos

hramos

  • Title: Member
  • Group: Members
  • 1 posts

Posted 02 March 2013 - 04:18 PM

Glad I found this post.

Tried to log in (desktop app) today and was getting an error, went on web sign-in and it asked me for a pass reset.

 

Cheers



#4 Bartman001

Bartman001

  • Title: Alliance Lackey
  • Group: Members
  • 56 posts

Posted 02 March 2013 - 04:24 PM

I certainly hope they send an email to everyone's email of record. I was lucky and tried to sign in on the web client and discovered I had to do a password reset to log in.



#5 spg SCOTT

spg SCOTT

  • Title: "There is no magic, only lost physics"
  • Group: Evernote Evangelist
  • 1,462 posts

Posted 02 March 2013 - 04:34 PM

"I certainly hope they send an email to everyone's email of record. I was lucky and tried to sign in on the web client and discovered I had to do a password reset to log in."

 

From the blog post:

 

"The following blog post is also being sent to all Evernote users as an email communication."

 

I assume that may take a little time though...



#6 Pascal

Pascal

  • Title: Member
  • Group: Members
  • 4 posts

Posted 02 March 2013 - 04:36 PM

Two-step verification would be nice to avoid this type of problem.



#7 Leopold

Leopold

  • Title: Member
  • Group: Members
  • 10 posts

Posted 02 March 2013 - 04:45 PM

"Beware - I had to resync all my off-line content on iPad and iPhone because of this. Support ticket #16051-248323."

Me too... 5GB worth - not at all happy about that - also not sure I haven't lost space on the iPad with the re-download... I'd appreciate some word on this from Evernote



#8 jbenson2

jbenson2

  • Title: Browncoat
  • Group: Members
  • 4,836 posts

Posted 02 March 2013 - 05:02 PM

Well, Evernote can't say they weren't repeatedly warned.

There have been tons of previous comments about Evernote security requesting 2-factor authentication, full note encryption and many other security suggestions.

I'm sure most users are glad to hear that even though this type of activity is becoming more common with large services, Evernote is doing something to improve its security (by asking you to create a new password).
 

Hope it's not too difficult for everyone with multiple mobile devices and fat fingers to complete the process of getting back online by entering a new lengthy complex password several times.

According to the blog post mentioned above, there has been:

  • no evidence that your Evernote content was accessed
  • no evidence that any payment information was accessed
  • but the hackers did gain access to user information, usernames, email addresses and encrypted passwords.

However no worries man - your password was hashed and salted.

Make sure you have multiple Evernote backups as well.

 


 



#9 Drdul

Drdul

  • Title: Member
  • Group: Members
  • 4 posts

Posted 02 March 2013 - 05:03 PM

I hope our email addresses were also stored on Evernote's servers in encrypted format, as I'm not looking forward to a deluge of spam.



#10 Jusvery

Jusvery

  • Title: Member
  • Group: Members
  • 8 posts

Posted 02 March 2013 - 05:17 PM

Why not use the 2-step auth provided by Google?



#11 MP99

MP99

  • Title: Member
  • Group: Members
  • 13 posts

Posted 02 March 2013 - 05:25 PM

I guess it's understandable, if rather annoying. But...

 

No e-mail, yet.

 

Why no announcement on the Evernote Status RSS feed?

 

Why no announcement on the Evernote Tech Blog RSS feed?

 

Martin


Currently Firefox 16.02 [with NoScript].

#12 MP99

MP99

  • Title: Member
  • Group: Members
  • 13 posts

Posted 02 March 2013 - 05:26 PM

"I hope our email addresses were also stored on Evernote's servers in encrypted format, as I'm not looking forward to a deluge of spam."

 

Seconded.

 

Martin


Currently Firefox 16.02 [with NoScript].

#13 Metrodon

Metrodon

  • Title: Bankrobber
  • Group: Members
  • 4,118 posts

Posted 02 March 2013 - 05:33 PM

I'm glad they are forcing the password change, but as others have said, the way it is being handled seems a bit amateurish.



#14 spg SCOTT

spg SCOTT

  • Title: "There is no magic, only lost physics"
  • Group: Evernote Evangelist
  • 1,462 posts

Posted 02 March 2013 - 05:35 PM

"Why no announcement on the Evernote Status RSS feed?

Why no announcement on the Evernote Tech Blog RSS feed?"

So the status is more for technical messages (outages/maintenance/etc.), but I guess a message could have gone there.

The Tech blog would (possibly) be slightly redundant and the normal blog, which is where the announcement is, would be better as there are more likely more followers to that than the tech blog.

At least, that is my take on it.

Scott

#15 BlueOak

BlueOak

  • Title: Alliance Lackey
  • Group: Members
  • 66 posts

Posted 02 March 2013 - 05:41 PM

"Evernote’s Operations & Security team has discovered and blocked
suspicious activity on the Evernote network that appears to have been a
coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a
password reset. Please click link below for details and instructions."

 

Every company gets hit with problems - how they handle those problems is what sets them apart.

 

Easy misses (EN did *not* do) by Evernote once they discovered the problem:

 

1) Immediate email broadcast to all users with the simple text above.

 

2) For those users who had not seen the email and were wondering why they were being forced to reset PW, insert the same simple text in the password reset screen rather than leaving them wondering "I did not click 'reset password' - why is Evernote stuck in this reset loop?"

 

Edit: I had to learn what happened via a Tech Crunch tweet:

http://techcrunch.co...ayment-details/


iPad2-iOS5 / iPhone5-iOS6 / Windows

#16 yabatopia

yabatopia

  • Title: Member
  • Group: Members
  • 1 posts

Posted 02 March 2013 - 05:42 PM

I'm a premium user and I didn't get an email. Not happy about it, but the security breach is even more worrisome. 



#17 shimra

shimra

  • Title: Browncoat
  • Group: Members
  • 207 posts

Posted 02 March 2013 - 05:44 PM

I really wish they explained on the password reset screen WHY Evernote is forcing you to reset a password.  I originally thought it was either a bug (since I didn't ask for a reset) or that I was experiencing some sort of man in the middle attack. 



#18 Metrodon

Metrodon

  • Title: Bankrobber
  • Group: Members
  • 4,118 posts

Posted 02 March 2013 - 05:51 PM

This is the first time that I can remember that they've had any sort of breach, although I'm not overwhelmed with joy at how I found out about it, I think you have to give them a chance and let them learn a little as they go along. Hopefully there won't ever be another breach (of course there will be), but if there is then our expectation of how they handle notifications will be justifiably higher.



#19 richiemap

richiemap

  • Title: Member
  • Group: Members
  • 6 posts

Posted 02 March 2013 - 05:55 PM

Like everyone else, it was only from reading one of the other discussions, I learned why Evernote needed to have everyone reset their passwords (security breach) - and that's completely understandable, and of course, the necessary response. However, there was no mention of the reason, no email or anything to indicate why this was taking place. Granted, it only took a few minutes to find out, but there are clearly still some issues - nearly constant crashing of the app, inability to sync, etc. - and no doubt the folks at Evernote are in a frenzy to get things under control, but some simple, clear communication would be most welcome. I also think it's essential to maintaining Evernote's well-deserved stellar reputation that their ability to communicate is on a par with the excellence of their product(s). We'll certainly give it some time to get sorted out, but please Evernote, take this to heart - it will serve the company well to keep the relationship strong with your users.

#20 Martin Packer

Martin Packer

  • Title: Browncoat
  • Group: Members
  • 403 posts

Posted 02 March 2013 - 05:56 PM

Not being surprised or annoyed I'll just note this sort of thing is precisely why MY company won't let me keep sensitive data in public cloud services. Before we get anywhere near Evernote Enterprise - and they tell us this isn't something they're terribly interested in - this would have to get fixed to enterprises' satisfaction.

 

BTW what happens if an Evernote Business customer grows to become an Enterprise one? :-)






