"Suspicious activity" detected on Evernote accounts

[gbarry 2,658]

We detected suspicious activity on some users' accounts and have recently emailed them.This is related to reports of users receiving failed email notifications that they never sent, indicating that someone has learned the password to their account. The Evernote service wasn’t compromised, but we believe someone other than the account owner has learned the password to these accounts. Just to be safe, we’ve reset these user’s passwords. If you have not received this email notification from us and you have not seen any failed email notifications that you did not send, then you are likely not impacted. 

 

If you would like to take proactive action to further secure your Evernote account, take these steps below: 

Please visit https://www.evernote.com/ForgotPassword.action to set a new one. We recommend that you choose a strong password that you use only for Evernote.

We also suggest that you change your password on any other websites where you may have used the same password. You can find more tips for keeping your account secure on our Customer Security page: https://evernote.com/security/tips/.

To learn how to identify if an email that has been sent from Evernote is authentic, please visit this Help and Learning page: https://help.evernote.com/hc/articles/115004380587.

[ClaudiaCCC 1]

Thanks,I've just received several of those emails from you and changed my password. I took a look in my account and under devices I had an iPhone as a 3rd device although my account only allows 2 max. And I never had an iPhone!  I've already revoked it.

[Zelda55 1]

This morning I woke up to 10 of these 'failed to send' messages!  I have changed my password.  How did this happen?  Is ALL my data vulnerable now?

[knitbunnie 1]

I got a series of notifications of failed emails today in my email inbox, but I had not been notified by Evernote of any need to change my password.  I did change it, and then I found this note in the forum.  

[MarkusSweden 1]

I started getting these "failed to deliver" emails about 2 hours ago.

I have reset my password, unlinked all connected devices, set up 2-step verification.

Still I keep getting notifications of emailes failed to deliver, even after trying to disconnect and deactivate all forms of login - so it seems I have not been able to stop them from using my account. From what it seems they are still using my account as I am writing this.

I live in Sweden, but in my access history I see logins from Vietnam, Bahrain, Jamaica, China and another Vietnam.

What's up Evernote? Does this seem like the kind of account activity that a user might want to be notified about? Does it seem reasonable that a user should be able to stop unauthorized users from their own account as they are happening?

Is there any way of knowing what has been sent from my account?

Is there any way that I can see what else these people have been doing while they were logged in to my account?

 

Not impressed with your level of security, especially since you seems to have known about this for weeks!

[Sean99 1]

Thank you for that information. I just learned this morning that my account was hacked. I received around 10 emails from Evernote that I had attempted emails that were not delivered. I have those emails if you need them. I then went to my activity log to find out that there someone accessed my account from the web on 3/20/17, followed by the ones this morning 3/25/17. I changed my password and logged out of all of my accounts. My question is, though, how do I know if they stole any of my information?

[BB2 1]

I have had the same problem for the past couple of days... emails returned that I did not send. I can see about 10 or so, mostly originating from Vietnam, Thailand, Belarus, etc., all being sent to unknown by me people in the UK. I have deleted all devices and changed password twice, and right after my first password change another bogus email was sent. This is pretty ridiculous. Is Evernote doing anything about this? I hadn't even used Evernote for months! 

[Rich Tener 86]

Hi, I lead Evernote's security team and can help answer some of your questions.

21 hours ago, Zelda55 said:

This morning I woke up to 10 of these 'failed to send' messages!  I have changed my password.  How did this happen?  Is ALL my data vulnerable now?

Someone could have learned the password to your account in a variety of ways. The most common situation is when you use your Evernote password on another web site and that other web site gets hacked. Another possibility is that you entered your Evernote password on a computer that was infected with malware and the malware sent it to someone who collects and then uses or sells those collected usernames and passwords. To keep your data safe, change your password to a strong one that you only use on Evernote and setup two-step verification. That will make it very difficult for someone to break into your account.

[Rich Tener 86]

10 hours ago, MarkusSweden said:

Still I keep getting notifications of emailes failed to deliver, even after trying to disconnect and deactivate all forms of login - so it seems I have not been able to stop them from using my account. From what it seems they are still using my account as I am writing this.

Our email system may continue to retry sending an email, even after you change your password and revoke any connected devices and sessions. The notifications are just delayed and not an indication that someone is still using your account to email notes.

10 hours ago, MarkusSweden said:

I live in Sweden, but in my access history I see logins from Vietnam, Bahrain, Jamaica, China and another Vietnam.

What's up Evernote? Does this seem like the kind of account activity that a user might want to be notified about? Does it seem reasonable that a user should be able to stop unauthorized users from their own account as they are happening?

When we received reports about the bounced emails, I reviewed the activity patterns and saw similar behavior across most of our affected users. Not always though. In many cases, it wasn't clear whether the account login was suspicious until the account started sending emails.

I agree that this type of activity is something that our users want to be notified about. We are working on adding a feature to our service that will notify you whenever someone logs into your account from a new device or network location.

10 hours ago, MarkusSweden said:

Is there any way of knowing what has been sent from my account?

Is there any way that I can see what else these people have been doing while they were logged in to my account?

For the users that received bounce notification emails from our service, we haven't found any evidence that the person that accessed your account read any of your notes. They only seem to be using Evernote accounts to deliver spam by creating a new note, emailing that note, and then deleting that note.

[Grace? 0]

I was also affected.  I see in my Access History illicit access from Ecuador, Vietnam and Sweeden.  Isn't there an option like Just Paste Text And Don't Email Anything?  I don't really need an email option.

[addmoo 0]

My account was also compromised after I received 5 failed email notifications Saturday afternoon. After learning that my account may have been hacked, I immediately changed my password and revoked a suspicious second device which was created hours before I received the emails. Sunday morning, I received an email from Evernote informing me that my password was reset. I then  changed my password for the second time, assuming that the issue is resolved but come Monday evening, I got another failed email notification again. 

Is this most recent email a delayed notification or is there still somebody else using my Evernote email? Is there a way to disable this email service? Thank you. 

 

 

[Rich Tener 86]

@addmoo The notification emails you received after you changed your password are just delayed. Our email systems queue the outbound emails and may try to deliver for a couple of days before they give up and let you know. If you don't see any unexpected access in your Access History, you successfully kicked out whoever was using your account to send the emails.

[Evernoters 0]

A few hours ago I received the failed emailed content twice. I checked the device and found unknown Iphone has access to my account. I revoked it. Then, I checked the access log and found several web access from unknown IP from date 26/3 and 8/4, 2017.

So, I decided to deactivate my account. But, after reading this thread, I decided to reactivate my account and post my experience to let anyone knows. 

Hope my data is safe but who knows, even evernote cannot do anything about it as we never receive any notification of this issue or any suspicious activity.

Please add the notification feature asap so we can prevent any unwanted things happen to our account. 

[Anders_D 0]

How do I check from which countries, if any, there has been attempts to access my account? How can I identify that information in my activity log?

[jbenson2 2,147]

25 minutes ago, Anders_D said:

How do I check from which countries, if any, there has been attempts to access my account? How can I identify that information in my activity log?

 

 

 

From Evernote Web

* Account
* Setting
* Security - Access History

Review IP Address (Estimated Location)

[DKST 0]

I have also been receiving the failed email messages. I attempted to set up the double identity security twice today but never received the email with the code.

[Mal_De_Terre 1]

I did not get a notification from Evernote, but I did have an additional device added to my account 18 hours ago, and I did have logins from Vietnam and Brazil this morning. Seems like this is not an isolated breach. 

I've already changed my password and de-activated the additional device, but given how many people are reporting the same thing, I really doubt that it's due to my account being targeted. 

 

[murrain 0]

I have been getting constant messages about emails sent out to others.... when I received your email letting me know that I should change my password... I never got the email from you.  I want to cancel my premium subscription and a refund for my recent renewal.  I am not happy with the lack of tech support... no phone number for tech help only for billing problems.   It's ridiculous.... someone needs to email me a way to talk to someone.  Maureen Curran  

[Rich Tener 86]

Hi @murrain, we've been having trouble getting password reset emails delivered to some email providers. While we work on fixing that, we do have a way to help you. We don't offer phone support yet, but one of our customer support representatives can help if you create a customer support ticket here: https://help.evernote.com/hc/en-us/requests/new

[RobertaJS1 0]

I received a note that simply said "it's sooo dark in here" and it had a flashlight icon and a puzzled face icon and it was posted on 7-15-17 the actual day I started trying Evernote.. How could that be? I was going to pay for the business version but since you no longer support Blackberry, I doubt I will. In the meantime I'd like to know how someone else could add a note!!

[Ethan_Savernake 0]

I have received a similar email as stated by gbarry, but I was concerned as to click on the links on that email of just update my security through my account. The reason is because I received the email from the following email: 

Looking at the domain I was not sure if this was a real deal. I believe users should be made aware of this. 

For the records usual emails from Evernote as shown below:

Hope this information is helpful.

[voicnick 0]

I tried to post here too, but I still can;t see my post. I got a warning saying "Your content will need to be approved by a moderator" - How long does that take?

 

Thanks!

[Shane D. 1,823]

Quote

We detected suspicious activity on some users' accounts and have recently emailed them.This is related to reports of users receiving failed email notifications that they never sent, indicating that someone has learned the password to their account. The Evernote service wasn’t compromised, but we believe someone other than the account owner has learned the password to these accounts. Just to be safe, we’ve reset these user’s passwords. If you have not received this email notification from us and you have not seen any failed email notifications that you did not send, then you are likely not impacted. 

 

If you would like to take proactive action to further secure your Evernote account, take these steps below: 

Please visit https://www.evernote.com/ForgotPassword.action to set a new one. We recommend that you choose a strong password that you use only for Evernote.

We also suggest that you change your password on any other websites where you may have used the same password. You can find more tips for keeping your account secure on our Customer Security page: https://evernote.com/security/tips/.

To learn how to identify if an email that has been sent from Evernote is authentic, please visit this Help and Learning page:https://help.evernote.com/hc/articles/115004380587.

 

[BrightHomesRE 31]

Thanks for the repost, @Shane D.

We can never be too careful.

[Gamer0987 1]

Hi. It's 2019. This problem has been ongoing since 2017. Actually, why hasn't your security to safeguard your users improved yet?

This happened to me twice in a week. Your first warning email to me was on the 28th of Feb 2019. When I checked my list of devices, I saw a foreign "iPhone" which was logged in "3 MONTHS AGO". 3 months is a very long time. But nevermind, I revoked it and changed to a new strong password (yes symbols used, numbers, alphabets, long - like it was before as well). But today, 3 March, I received the same "Reset your password" email again. This is the 2nd time in the week. Obviously whatever site your hacker is getting our information from, clearly still has access to our login information; refreshed for him daily. So OK, honestly, I want this to stop (compromising the security of my device and other accounts) and I'd like some help and answers.

 

Can you tell us what was compromised? Is it only the notes in EverNote? Or was/is it possible for the hacker to access other information on our devices through EverNote?

Will asking the EverNote Team to delete my username and password stop "giving" access to my device to said hacker?

Will uninstalling EverNote (after requesting for deletion of Username and Password) actually stop compromising my device's safety further?

Hope to hear from you guys soon. Thanks!

@Rich Tener @gbarry

[Rich Tener 86]

Hi @Gamer0987. You are correct that we’ve seen an increase in this type of issue since 2017. And while we are always keeping an eye out for suspicious activity patterns, I appreciate your feedback that we didn’t act as quickly as you expected us to. We are primarily focused on detecting breaches of our service, which this was not.

Regarding the second email, we accidentally sent a second email to some of you. It was a mistake on our part and not because we detected suspicious activity on your account a second time. If you have already changed your password or setup 2FA, please ignore the second email we sent you.

What was compromised: The unauthorized user searched your account for passwords and cryptocurrency terms and downloaded the notes that we returned in the search results. They didn’t have access to your device; only your Evernote account, and only because they learned your password from somewhere other than us.

If you changed your password to one that you don’t use on another site, your account should be secure.
 

[Gamer0987 1]

On 3/5/2019 at 3:25 AM, Rich Tener said:

Hi @Gamer0987. You are correct that we’ve seen an increase in this type of issue since 2017. And while we are always keeping an eye out for suspicious activity patterns, I appreciate your feedback that we didn’t act as quickly as you expected us to. We are primarily focused on detecting breaches of our service, which this was not.

Regarding the second email, we accidentally sent a second email to some of you. It was a mistake on our part and not because we detected suspicious activity on your account a second time. If you have already changed your password or setup 2FA, please ignore the second email we sent you.

What was compromised: The unauthorized user searched your account for passwords and cryptocurrency terms and downloaded the notes that we returned in the search results. They didn’t have access to your device; only your Evernote account, and only because they learned your password from somewhere other than us.

If you changed your password to one that you don’t use on another site, your account should be secure.
 

Thanks, @Rich Tener for your reply and assurance.

I know you and your team have been avoiding answering my biggest question as above but I hope that with some honesty and probably security improvements in the near future you guys will gain the trust of more users but:

Will asking for a deletion of my account remove my data from your databases and servers (will it be removed completely?)? - hence preventing existing user data from getting stolen by whatever 3rd party site?

 

Thank you.

[DTLow 5,738]

On 3/3/2019 at 6:56 AM, Gamer0987 said:

stop "giving" access to my device to said hacker?

Hackers have access to your device?  Is this Evernote related?

>>Will asking for a deletion of my account remove my data from your databases and servers

Until you get an answer, you can initiate the data deletion yourself; delete your notes, empty the trash - this  will address the front-end servers.

Securing your password should prevent access to  your account.  
You can also deactivate your account in account settings

 

[Gamer0987 1]

1 minute ago, DTLow said:

Hackers have access to your device?  Is this Evernote related?

Late for a quip. /Yawn/. It's not even addressed to you. So take your wannabe-smart trolling elsewhere.

[eric99 1,024]

1 hour ago, Gamer0987 said:

Thanks, @Rich Tener for your reply and assurance.

 but I hope that with some honesty and probably security improvements in the near future you guys will gain the trust of more users but:

In this case, there is no need for security improvements by evernote, but by yourself: you can't blame evernote that you used a single password for several accounts.

[Gamer0987 1]

1 minute ago, eric99 said:

In this case, there is no need for security improvements by evernote, but by yourself: you can't blame evernote that you used a single password for several accounts.

You assumed that (according to your accusation: I used 1 pwd for several accounts) - I didn't so it means, not my fault. Yeah, ok. EverNote doesn't need security improvements, sure. 😂 Seesh. So high on the defensive. Like some EverNote fan crazy forum.

[eric99 1,024]

1 minute ago, Gamer0987 said:

You assumed that (according to your accusation: I used 1 pwd for several accounts) - I didn't so it means, not my fault. Yeah, ok. EverNote doesn't need security improvements, sure. 😂 Seesh. So high on the defensive. Like some EverNote fan crazy forum.

And did you use two factor authentication?

[CalS 5,292]

On 3/3/2019 at 7:56 AM, Gamer0987 said:

Will asking the EverNote Team to delete my username and password stop "giving" access to my device to said hacker?

If you don't want to use EN anymore, export your notes to HTML format, delete them all in EN, sync, then use settings on the web to delete the account.

If you want to continue to use EN, export your notes to ENML format by notebook, delete your account using the settings menu on the web,.create a new account, import the notes you exported.  Change your password on some period that feels comfortable to you after that.  If you gave access to EN to any secondary sites they will not work anymore.  

[Gamer0987 1]

12 minutes ago, CalS said:

If you don't want to use EN anymore, export your notes to HTML format, delete them all in EN, sync, then use settings on the web to delete the account.

If you want to continue to use EN, export your notes to ENML format by notebook, delete your account using the settings menu on the web,.create a new account, import the notes you exported.  Change your password on some period that feels comfortable to you after that.  If you gave access to EN to any secondary sites they will not work anymore.  

Hi @CalS

Thank you for your reply.

The 2nd part of your post is very informative - about the possibility of getting back on EverNote.

I was actually just waiting for confirmation from @Rich Tener about the deletion of Username and Pwd data from EN's database since I read about it as a given option. But someone from the CS Team has just given me the answer I needed for that too. Which, to whoever (to save yourself some accusations and trolling) else needs to know, is an affirmative one. 

Thank you both.

(tagged you both as an update so that no further replies needed)

[Tidal1234 0]

It's pretty clear that there has been a breach / Hack at Evernote and they are not being transparent or forthcoming with their user's data.

Why do so many users claim to have iPhones from Vietnam logging into their accounts (myself included)?

The responsible thing would be a press release so users can secure their data--delete their accounts or adding additional security. 2-factor authentication is not required on sign-up, why?

[Dave-in-Decatur 3,987]

18 hours ago, Tidal1234 said:

It's pretty clear that there has been a breach / Hack at Evernote and they are not being transparent or forthcoming with their user's data.

Why do so many users claim to have iPhones from Vietnam logging into their accounts (myself included)?

The responsible thing would be a press release so users can secure their data--delete their accounts or adding additional security. 2-factor authentication is not required on sign-up, why?

The issues some users are currently experiencing, as I understand it, are different from the one at the start of this thread, though they may have a related cause. Evernote's head of security has explained the situation, in this post from a few months ago and elsewhere:

Are you saying that you think this is untrue?

 

[DTLow 5,738]

18 hours ago, Tidal1234 said:

It's pretty clear that there has been a breach / Hack at Evernote

Actually it's not clear at all.

The bad guys have obtained userid/passwords elsewhere and are attempting access to Evernote accounts.

Protect your Evernote password.  Only use it for Evernote access.