Security and unauthorized access to my account!

[Rogueblue 1]

I am seriously concerned about the security of your app and my notes!

This is the 2nd time within less than 2 weeks that I have noticed a device that is not mine attached to my account.

Please see attached!

I do not own an iphone. I have Never owned an iPhone!!

And I already removed this device a week ago, how is it that it again has access to my account??

This is not acceptable and a violation and security issue for all users over your service and app!

[KazimZaidi 0]

This is 100% happenning with same.

Exactly same issue.

I never owned an iPhone. Nobody in my family does.

If it is a security breach, then it is so dangerous.

If it is evernote's attempt to make me pay, that's too cheap.

Evernote, please take note, this is worth a public tweet I believe.

[Rich Tener 86]

Hi @Rogueblue and @KazimZaidi,

I lead the security team at Evernote. The Evernote service and our apps are still secure. I believe that an unauthorized person has learned your password, possibly because you used the same password on a different site, and that site experienced a security breach. This unauthorized person is using an iPhone app to connect to your account. If you revoked the device, but didn’t change your password, they were able to connect their iPhone app a second time.

You need to take some actions to protect access to your account. 

1. Change your password to a unique one. Make it one that isn’t easy to guess. Make it one that you don’t use on another web site. Consider using a password manager to keep track of your passwords.
2. Revoke any Authorized Applications that you are suspicious about or that accessed your account from an IP address you don’t know
3. Install an anti-malware application on your computer and run it periodically to clean up any known malware.
4. Setup two-factor authentication on your account, especially if you don’t want to use a unique password on your Evernote account. Even if someone learns your password, they won’t be able to access your account without also stealing your phone.

[Rogueblue 1]

Hi Rich. I'm sorry but I think that is rubbish. I work alone and no one has access to my password. And secondly if anyone did, they surely would have no reason to want to access my personal notes as what I save is of no interest to anyone.

I have removed the access twice already. It can only come from Evernote itself!

[Rich Tener 86]

@Rogueblue, if you are using a unique password on your Evernote account that you've never used anywhere else, I'm happy to open a support case to look into your specific situation.

It's unlikely anyone stole your Evernote password from us. We only store your password using a secure, irreversible hashing method. Even we don't know what your password is; we can only take the password you enter when you login and run it through the same one-way secure hashing method and compare the result. 

The unauthorized user isn't targeting you specifically. They are testing a list of stolen usernames and passwords and if they find one that works, they are logging in to search for things like cryptocurrency credentials and other passwords.

If you are using your Evernote password on other web services, you might want to check out https://haveibeenpwned.com/ . It's not an exhaustive list, but will tell you some of the public breaches that affected you.

[lishfish 1]

I am having this exact issue! I've removed the unauthorised account about 4 times, changed my password and the email associated with my account. Under access history settings it shows the iphone in Brazil, China, Philippines, vietnam all in a matter of days. I don't own an iphone, no one knows my password and I haven't been in any of these countries...ever. 

[DTLow 5,736]

2 hours ago, lishfish said:

changed my password

Is this password unique for Evernote, or are you using it in other services?

[PinkElephant 8,091]

1) People with bad intentions have ways to hide their real position. The easiest way is to connect to a VPN or proxy service that runs exit points all over the world. It looks the access comes from the place where the exit server is located. You can move in minutes from one place to the other, even half way around the globe.

2) If your password is not unique, used for other services as well or can easily be guessed, a third party can enter your account. This is not the fault of the service you use. Change your password to a completely new, completely random one. Best is to use a password manager, that generates unique, strong passwords for every account.

3) It is advisable to activate 2-factor-authentication. This will make it practically impossible for others to enter your account, even if the password was leaked. Since you are on BASIC, you have to use Google authenticator.

[lishfish 1]

16 hours ago, DTLow said:

Is this password unique for Evernote, or are you using it in other services?

I initially changed it to a common one i use, then a unique one. Didn't seem to have much impact. 

I'll try using a VPN and see if it makes a difference.

Thank you! 

[PinkElephant 8,091]

Yes - if you use a secure password on an insecure WiFi this may cause a problem. Anybody with a little knowhow and equipment can read the traffic through this network. He can even compromise connections with a SSL-key like https-secured web sites. It is not said that this was the case, but it is possible.

VPN is a good idea for this situation.

In any case use the web client to throw the unknown device out of your account.

[Jeshi 7]

@PinkElephant @Rich Tener Sorry to revive an old thread (hopefully that's better than creating a new one with the same issue). I just found out logins and access that aren't mine...how frustrating! I've gone through most of the steps above: change to a new unique password, revoked all device access, scan for malware. I'm on the BASIC plan.

I'm having trouble with the two-factor authentication setup. I scanned the QR codes with my phone, which says the code isn't recognized. When I click the "can't read barcode link," I get info for Google authenticator on the Google Play store. Can you provide the link to the correct app in the Apple App Store? I searched for it myself, but there look to be more than one, and I don't want to download and install the wrong one. Please advise.

Also, is there somewhere we can report security breaches privately? I don't understand a lot about VPN's. Does that mean reporting/blocking the offending IP (either personally or if Evernote as a company does it) does not actually protect you?

[PinkElephant 8,091]

It is always a bad feeling when you don’t know whether your data is secure. It seems you did the right steps for a start.

2-FA is supported for basic plans as well, but not with the Authenticator. You find more here

https://help.evernote.com/hc/en-us/articles/208314238-How-to-set-up-two-step-verification

If on Premium, you can use an Authenticator app. Opposite to what the EN Support text and system messages say you can use any tool that creates one-time-codes. I use Microsoft Authenticator, and many password managers generate 2FA-codes as well. But it is premium only. 

With the Basic plan you can put your mobile phone number and receive messages with a code. 

To report a breach you could try this, which is open for Basic plans as well. Be aware that others can read it as well, so don’t put anything confidential there:

https://twitter.com/evernotehelps

A VPN will protect (encode) the communication between you and a counterpart in the internet, like the EN-server. It will not protect the Server against access by somebody who has your login credentials from somewhere else. Putting other uses aside, a VPN is most useful when connecting from a public or foreign network to the internet. There it avoids that somebody in between can copy or interfere with your data stream. This is probably not the use case you have in mind.