
Security breach more serious than made out by Evernote



Hi, I received an email at the end of last week warning me of a security breach in my Evernote account. Rich Tener from Evernote posted a reply to other concerns of the same nature. He said that one person using an iPhone obtained the username/password from another site and was 'trying' out the details in an attempt to obtain cryptocurrency information. This is in fact not true. Firstly, I received my first notification from Evernote only last week, however, when logging into my Evernote account (prompted by the alert) and checking the activity report, hundreds of people have been gaining access to my account from various places around the globe for the past two months (this is as far back as my activity monitor appears to let me go – it has likely been going on for much longer than that). In just one day, my Evernote account was being accessed by a person in Indonesia, another in India, another in Jakarta, and so on. Multiple access from multiple countries in just one day! How is it that I only received a "suspicious activity" email now? How does this type of activity over a period of months not send red flags to the Evernote security team? I have also been receiving blackmail emails from multiple people – sometimes several a day – my "password" was mentioned in the subject line of the email. I started receiving blackmail emails last year using my Evernote password in the subject line, clearly to get my attention and force me to open the mail! On opening the email, the sender said that they had my password and had accessed my computer. As it happened, one of my computers did indeed use that password (yes, a bad security practice on my part, I know!). The blackmailer was trying to get me to cough up $6000 to keep quiet about some "online activity" that I'd supposedly been involved in – in fact, they said they had gained access to my computer and "recorded" me and unless I paid up, those recordings would be circulated to everyone in my contacts list. 
Fortunately, I was able to safely ignore the emails, but I'm sure there are many people who are not in such a position and who also don't understand technology well enough to know what is and is not possible, only to cough up insane amounts of money to protect their reputations. I was also lucky in that I had no information in Evernote because I never really got to use the app. But what about other users, Evernote clients who have highly sensitive information in their accounts? There were only two other websites I had used that particular password on and I immediately went onto those sites last year and changed the password. I had completely forgotten about Evernote because I never use it. But the emails kept coming. I continued to ignore them. Whether the breach originated in Evernote cannot be known for sure, but I can say that since I changed my Evernote password last week, I've not received another blackmail email. I understand that breaches happen to even the best of systems, but I am very concerned about the "security" of a system that allows hundreds of people to access an account over a period of months from multiple "vast" geographical destinations in the space of just a day, every day, and pick that up only now???? I have attached a screenshot of that activity ..... this kind of activity completely undermines the integrity of the Evernote system. I feel an obligation to warn other Evernote users of this severe breach, particularly those who store sensitive information in their Evernote apps - it's not just a case of one person using an iPhone as Evernote has made out (my hundreds of hackers have used Android phones).

[Attachment: Evernote Screenshot 2019-02-28 at 10.21.50.png]

  • Level 5*

Hi. You're right of course to be concerned about so many accesses to your account, but given that you don't use Evernote very much, or for sensitive information at all (if I understood you correctly) it's odd that you were such a target. If you changed your password, and now use a unique one for each app, you've probably dealt with the matter as far as you can.

I don't know whether it's because hackers are getting more aggressive, or there are more technically aware bad guys out there, but I've had some of the same experiences as you in the last few months. They tried the 'we recorded you' trick, but my camera has been covered over for years. Someone who got another password from one website breach or another was threatening to download my address book and send 'incriminating material' to all my contacts. I've had numerous "returned emails" that I never sent, and I regularly get around a dozen emails a day containing links inviting me to 'click here'.

Being secure is as much a matter for the individual user as it is for tech firms, so I subscribe to https://haveibeenpwned.com/ which warns me if/when my email address is linked to a leak online. I use long, random, unique passwords for security, and change them regularly. I use 2-factor access which (AFAIK) cannot be spoofed... yet. I also use a Virtual Private Network which gives me an encrypted internet connection.

I don't keep information online that might be sensitive - even if you save to a 'secure' account, you need to have access, and someone pretending to be you may be able to find a way to get access to it. Evernote do have a feature to keep some information on my local hard drive, and when my computer is not in use it's switched off, so really inaccessible.

The attention you've had - apart from the frequent Evernote accesses - is unfortunately pretty normal for this day and age. I'm pretty confident that my account is secure, but it will be interesting to see what Evernote say.


Hi @VanessaW,

We are always keeping an eye out for suspicious activity and once we start to see a pattern, we take action to protect the affected customers. I appreciate your feedback that we didn’t act as quickly as you expected us to. We are primarily focused on detecting breaches of our service, which this was not. This was someone that knew your password and logged into your account. The number of Evernote customers affected by this issue is a small percentage.

While it looks like hundreds of hackers accessed your account from different countries, it is more likely that it was only one person or a small group. They are using an automation tool that makes it look like they are using an iPhone or Android phone. It isn’t a human logging in with a mobile device, just a machine pretending to be one. Once they discover a username and password that works, they use their automation tool to login over and over, probably as they expand their search for different things. It started as cryptocurrency but could have evolved to other sensitive information types. It looks like they are logging in from many different countries because they are proxying their tool through a large network of devices that spans almost every country.

Protecting your account is a shared responsibility between us and you. If you reuse a password on Evernote that you use on other sites, you are putting your data at risk. We recommend that you either setup two-factor authentication or change your Evernote password to a unique one that you don’t use anywhere else. I suggest checking out https://haveibeenpwned.com/ to give you an idea of how many data breaches you might have been included in and change any password that you used on those sites.
 


Hi Gazumped and Rich

Thank you for your quick and detailed response. And yes, Gazumped, I got those same "you've been filmed" emails with threats to expose me to my contacts. I also started using VPN when I first started getting the threats. And thanks to both of you for your recommendation of the https://haveibeenpwned.com site. That is very helpful indeed! Yes, I accept that account owners need to become more vigilant about their passwords and usernames – I've seen now first-hand the dangers of using the same password/username across multiple sites/apps. And what you say makes sense, namely that it only LOOKS like there are multiple people in different countries accessing the account. The point is that the Evernote system did warn me of suspicious activity - eventually. So clearly it is capable of doing so. My point is this: how many months does it take to define activity as 'suspicious'. Just two logins from different countries within the space of a couple of hours should be suspicion enough, simply because it's impossible. Many other platforms note suspicious activity straight away. For instance, Amazon will warn me of suspicious activity even on a second attempt at logging in from a different IP address (I have multiple devices and sometimes I may use my partner's computer). I am forced to undergo a security check as they deem that to be suspicious activity. Other services I use do the same. I understand that truly sensitive info should not be stored online (or in an app that syncs with a server online) and that there is an onus on users to ensure good security practices to keep their data safe, however, there is an even GREATER responsibility on software developers to set up the checks that detect suspicious activity a lot sooner than, for instance, Evernote's has done. After all, the integrity and usefulness of your service depend on it. We're not talking about an innocuous online graphics app or photo library site or some other relatively harmful app or site that's been hacked. 
We're talking about an app that could contain private or confidential information. And while you may not be able to prevent the initial entry of a hacker, suspicious activity such as a change in IP address or change in country should really be picked up immediately, and a simple check presented, like "click the robots/street signs in the picture", or something to prevent the automation tool from gaining entry again. A change in IP address or country login should also be emailed to the account owner immediately, as a security check. If the entry is unauthorized, the user is alerted and can at least more quickly change their password. Thanks again for your quick response – I'm off now to check out the site above (with much trepidation ....)

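The check VanessaW is asking for above (two logins from different countries within a couple of hours, or several countries in one day, being flagged straight away) is what detection engineers usually call an "impossible travel" rule. The following is an added illustration of that rule, written for this thread; it is not Evernote's code, and nothing is known here about how Evernote's own detection works. The login events, the account names and the city coordinates are all constructed for the example; the 900 km/h threshold is an assumption (roughly airliner speed) that a real deployment would tune.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than an airliner means "impossible travel"

# Constructed sample of login events (not real Evernote data).
# Fields: account, UTC timestamp, ISO country, latitude, longitude, client string.
SAMPLE_LOGINS = [
    ("vanessa", "2019-02-27T08:05:00", "ZA", -33.92, 18.42, "Evernote Android"),
    ("vanessa", "2019-02-27T09:40:00", "ID", -6.21, 106.85, "Evernote iPhone"),
    ("vanessa", "2019-02-27T11:15:00", "IN", 19.08, 72.88, "Evernote Android"),
    ("vanessa", "2019-02-28T10:21:00", "ZA", -33.92, 18.42, "Evernote Android"),
    ("gazumped", "2019-02-27T07:00:00", "GB", 51.51, -0.13, "Evernote Windows"),
    ("gazumped", "2019-02-27T19:30:00", "GB", 53.48, -2.24, "Evernote Android"),
]


@dataclass(frozen=True)
class Login:
    account: str
    when: datetime
    country: str
    lat: float
    lon: float
    client: str


@dataclass(frozen=True)
class TravelAlert:
    account: str
    first: Login
    second: Login
    km: float
    kmh: float


def parse_logins(rows):
    """Turn the constructed tuples into Login records with real datetimes."""
    return [Login(a, datetime.fromisoformat(t), c, la, lo, cl) for a, t, c, la, lo, cl in rows]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins on one account that would require travelling faster than max_kmh.

    This is the 'two logins from different countries within a couple of hours' case:
    a proxied automation tool hopping between exit nodes produces exactly this pattern.
    """
    by_account = defaultdict(list)
    for login in logins:
        by_account[login.account].append(login)
    alerts = []
    for account, rows in by_account.items():
        rows.sort(key=lambda l: l.when)
        for prev, cur in zip(rows, rows[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if hours > 0:
                kmh = km / hours
            else:
                # Same timestamp: different places is impossible, same place is just a duplicate.
                kmh = math.inf if km > 0 else 0.0
            if kmh > max_kmh:
                alerts.append(TravelAlert(account, prev, cur, km, kmh))
    return alerts


def countries_per_day(logins):
    """Coarser rule: any (account, day) seen from more than one country.

    Returns only the flagged keys, mapped to the set of countries observed.
    """
    seen = defaultdict(set)
    for login in logins:
        seen[(login.account, login.when.date().isoformat())].add(login.country)
    return {key: countries for key, countries in seen.items() if len(countries) > 1}


if __name__ == "__main__":
    events = parse_logins(SAMPLE_LOGINS)
    for alert in impossible_travel(events):
        print(f"{alert.account}: {alert.first.country} -> {alert.second.country} "
              f"{alert.km:.0f} km at {alert.kmh:.0f} km/h")
    for (account, day), countries in countries_per_day(events).items():
        print(f"{account} on {day}: {sorted(countries)}")
```

On the constructed data the speed rule fires twice for the "vanessa" account (the Cape Town to Jakarta and Jakarta to Mumbai hops, each about an hour and a half apart) but not for the Mumbai to Cape Town return a day later, and the per-day rule flags the same account for three countries on 2019-02-27. The "gazumped" account, two UK logins twelve hours apart, triggers nothing. In production the alert would feed a step-up check (re-authentication, a second factor) rather than just an email, since the whole point is to stop the next automated login, not to report it afterwards.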
  • 2 weeks later...

I also received the same email and found the same iPhone access from Indonesia.

My question: I only use the Evernote on my Android with the Basic service and I am not doing any cloud back-up, (that I know of).

 Can my phone notes still be accessed?

Thank you

  • Level 5*
On 3/14/2019 at 1:02 PM, TBro50 said:

I also received the same email and found the same iPhone access from Indonesia.

My question: I only use the Evernote on my Android with the Basic service and I am not doing any cloud back-up, (that I know of).

 Can my phone notes still be accessed?

Thank you

Hi. Your Evernote account exists on the central server. Check that it's there by using a desktop browser and signing in to Evernote.com. Your phone doesn't retain a complete copy of your database, that's stored in the cloud; so yes - if you haven't changed your password or followed the other advice here, your notes are still potentially at risk.

On 3/5/2019 at 9:51 AM, VanessaW said:

 My point is this: how many months does it take to define activity as 'suspicious'. Just two logins from different countries within the space of a couple of hours should be suspicion enough, simply because it's impossible.

I understand your frustration, but if you had activated 2FA, there would have been no breach at all. If you are so concerned about security, why don't you use all the security layers provided by Evernote right now?

On 3/19/2019 at 3:02 AM, eric99 said:

I understand your frustration, but if you had activated 2FA, there would have been no breach at all. If you are so concerned about security, why don't you use all the security layers provided by Evernote right now?

Hi. VanessaW has already recognized the risks and what she needed to do, but those are beside her point. I echo her concern: it's important to question Evernote, seeing that this is not the first security breach this service has had, and it has affected many users. I myself have only just received an email from Evernote about suspicious logins to my account, and like VanessaW, it's taken Evernote days to alert me. My account shows accesses from India, Vietnam, Russia, and South Africa, among others -- a clear warning sign that Evernote missed or failed to address immediately. Of course, I changed my password right away, but it's already been more than a week since the suspicious logins began.

It's high time Evernote took stronger responsibility and beefed up their security and detection, instead of just telling their users "Do this, do that." We already acknowledge what we should do; Evernote should do the same.

On 3/26/2019 at 2:17 AM, hyacinthjt said:

Hi. VanessaW has already recognized the risks and what she needed to do, but those are beside her point. I echo her concern: it's important to question Evernote, seeing that this is not the first security breach this service has had, and it has affected many users. I myself have only just received an email from Evernote about suspicious logins to my account, and like VanessaW, it's taken Evernote days to alert me. My account shows accesses from India, Vietnam, Russia, and South Africa, among others -- a clear warning sign that Evernote missed or failed to address immediately. Of course, I changed my password right away, but it's already been more than a week since the suspicious logins began.

It's high time Evernote took stronger responsibility and beefed up their security and detection, instead of just telling their users "Do this, do that." We already acknowledge what we should do; Evernote should do the same.

It is not beside the point: you ask for earlier detection of a possible breach, but whatever the speed, it's always too late because the breach has already taken place. It is much better to prevent the breach, and this can be achieved right now by providing EN a list of your devices by activating 2FA. All the rest is guesswork...

  • Level 5*
On 3/4/2019 at 10:28 PM, Rich Tener said:

We recommend that you either setup two-factor authentication or change your Evernote password to a unique one that you don’t use anywhere else. I suggest checking out https://haveibeenpwned.com/ to give you an idea of how many data breaches you might have been included in and change any password that you used on those sites

@John Dolgoth - Hi. Please check the website above with the email address you have registered to Evernote. It can tell you if those details have been published anywhere else...


Received the breach email from Evernote today. For me, it's not safe to use Evernote anymore since someone can steal our password from Evernote servers.

  • Level 5*
3 hours ago, k8h said:

Received the breach email from Evernote today. For me, it's not safe to use Evernote anymore since someone can steal our password from Evernote servers.

Hi. If you follow the advice in the email, your account is again secure, and subscribing to the website and more frequent password changes will keep it that way. I don't think it's been shown or confirmed that Evernote's own servers were compromised. If you have more information on that, then please share it here. And if you're saving sensitive data to the internet, you may wish to investigate additional encryption for word processor documents and PDF files, which is freely available from various providers. Your information will be as safe as you're prepared to make it.


I received the same email and changed my password. It seems several logins from offshore of the US were successful over the past few weeks. This is nothing new - look back in history. Evernote was hacked several years back (around 2013 I believe). If memory serves me, Evernote required all 50MM accounts to change passwords. My rule of thumb: I don't store any sensitive information on the web unless I don't care if it's compromised / stolen. Nothing is secure regardless of how intensely one tries to safeguard it; as the security was built by man, it can be defeated by man (coming from someone who worked in cryptology).


@k8h - as we mentioned in the email: "We believe someone has learned your password from a website or service not associated with Evernote." They didn't learn your password from us. The most likely way they learned it was by stealing it from another site that you used the same password on.

 

@ChrisB009- Your memory serves you correctly, but the email you just received wasn't because Evernote was breached. This was someone learning your password from another site and opportunistically logging into your account. They are automating that process and logging in multiple times as they come up with new things to search for. I agree with you that nothing is 100% secure, but to anyone reading this, if you care about protecting the data in your account, you need to use a unique password or setup two-factor authentication.

  • Level 5

In the last sentence, I would change the "or" into an "AND" - at least if you file information of all kinds.

The 2FA of Evernote is very elaborate: one first device plus a second one as backup plus a code list. And none of the stupid "security questions" that only create a feeling of security, but can typically be breached much more easily than a good PW.

Thumbs up from my side for Evernote for this solution.

To share another experience: For me it was practically impossible to maintain a set of individual passwords for each account, plus creating new ones manually. Yes, there are rules how to do this yourself, but it is hard to follow it through. So I had to do something else, and did it.

So, everybody, get yourself a good Password Manager (some are for free, others may cost a fee). Then, reserve a slot of some hours, and CHANGE ALL THE F***ING ACCOUNTS you have used up to now. Start with the E-Mail-Accounts, because these are used to set other PWs back. Then everything related to money (yes, the bad guys could change the delivery address of your online shopping service and use your credit card for their shopping). Then any service that is important to you, including Evernote and the social media stuff. And then all the others, when you still remember them - if not set the PW back (via your SECURE E-Mail-accounts, see above) and decide whether to continue to use it, or delete the account.

On all important accounts you continue to use, delete the "security" questions (because they are an unsafe backdoor into your account) and activate 2-FA wherever offered.

Some of my old access data is found circulating on the internet. This is the result of security breaches in the past (not with Evernote), and there are web services where you can test your accounts for this. But if anybody can use this old stuff today to get access to an account you still use, then stop blaming others. To my knowledge, my account security has never been breached - at least I never had any negative experience out of this.

The most important person regarding your internet security is yourself. And you can do a lot to make access hard for everybody just trying, using data stolen in the past.

  • 2 months later...

The same emails here, showing my Evernote password in the subject. I know it was always an app-specific password since it contained an Evernote-related word.
Looks like someone, besides making money, should do their homework on hashing passwords... or at least be honest with users.

  • Level 5

Have you activated 2-Factor-Authentication yet? This is the single most effective measure against others entering your EN account.

You assume that your PW must have been stolen from an EN server - which is blaming them for not looking after the safety of your login credentials.

Even if your PW is application specific (and really good, and well protected, etc.), it is much more likely that it was stolen from your own devices or activities.

Just a few possibilities to think about:

- Logging in while on a public hotspot without using a VPN

- Having malware on your own PC or Android phone (Macs and iOS devices seem to be more robust against that sort of attack). The modern dark stuff can be removed in one way only: Get a new PC - and pray you have a backup that is not affected.

- Accessing the EN account through another PC, at the hotel, the library, the college, the office, ....

The likelihood of losing access data in your personal sphere is much higher than somebody breaking into EN servers, stealing the salt & hash recipes, recalculating the access data and then picking your account first of nearly all to play games. Because if others were attacked in high numbers, you would hear the rumble.

As long as you do not find & fix it, more of your personal information can be taken from you through the same means.

  • Level 5

Most of the breaches are several years old, some even older than 10 years. The largest one was at AOL years ago, if I remember it correctly. It is somehow weird that people have their accounts hacked in 2019 with passwords stolen in (say) 2008. Plus what was a solid PW in 2008 is today just a small morning brute-force training for a GPU needing some warm-up before doing the real stuff. So even if it was changed a little, this is most likely not enough with today's capabilities, although EN to my knowledge does not allow brute-force attacks through their servers.

The data from these breaches is sold on the Internet in large batches for amazingly little money. So the hacking can come as much from a disaster kid sitting in his homely bedroom bored by his homework as from professionals searching for bitcoin wallet data.

For me, 2FA is the single most EN-specific measure one can apply, once one has done everything else to protect their data. The most important of these is using a strong, application-specific password for each account. To create and maintain these without falling into a pattern, a good PW manager is essential.

