
We noticed a new login to Evernote and wanted to make sure it was you.



Posted

I guess this happens quite a bit but it's the first time for me. This morning I got an email saying "We noticed a new login to Evernote and wanted to make sure it was you."

Is this genuine and if it is, how do I stop people logging in to my account please?

  • Level 5*
Posted

Hi.  I've never had that email from Evernote,  but I guess it could be a new procedure - have you checked your own account?  Your access history is here:  https://www.evernote.com/AccessHistory.action

Best way to check if the email is genuine is to see whether it asks you to click on a link to confirm you're OK with the login.  No one legitimate would EVER send that sort of email.  If the email says "if the login was you,  then ignore this email" then just delete it.

Make sure you follow the usual password rules - use a different password for Evernote than anything else;  make it complicated;  use 2-factor ID - and you can ensure that you are the only person using the account.

If you see access at the link above that you can't explain,  then get in touch with Evernote via Twitter @EvernoteHelps.

  • Like 1
Posted

Thanks for the reply. Yes, the history shows not only someone from Brazil but a couple of places in China too.

Can anyone advise how they get in or what even they would want to get in there for? Better still, is there any way I can prevent other people accessing my Evernote account?

 

  • Level 5
Posted

The places and devices are not relevant, it is easy to use servers in these places as in-betweens.

Probably you use the same login data for EN as for other accounts. If this was stolen in a security breach (not at EN, there is no reported breach) and you have reused your login data, they can access any service you are using.

  1. Go to the web client - via browser - and immediately change your password. Use a strong, unique one, not used for any other service.
  2. Then check the clients. Revoke access for any client that is not your own.
  3. As a third measure I would activate 2-FA.

Finally I would get a password manager, that creates good passwords and helps to keep track of them. Then go to every account you have, and make them secure by changing the login. Start with your E-Mail accounts, then everything related to money (bank accounts, paypal, amazon, eBay etc.), then the others.

  • Like 2
  • Level 5*
Posted
57 minutes ago, Crewood said:

Can anyone advise how they get in or what even they would want to get in there for? Better still, is there any way I can prevent other people accessing my Evernote account?

To access your account, they must know your password   
This was probably obtained when you used it at a site with poor security

As per @PinkElephant, you need to change your Evernote password     
Also, this password should only be used for Evernote access. Don't use the same password at other sites

  • Like 1
Posted

Thanks to everyone for all the great advice. Really appreciated.

Not sure what "I would activate 2-FA" really means. Could someone please advise?

  • Level 5*
Posted
7 minutes ago, Crewood said:

Not sure what "I would activate 2-FA" really means. Could someone please advise?

See https://help.evernote.com/hc/en-us/articles/208314238-How-to-set-up-two-step-verification

Two-step verification, also known as two-factor authentication, adds an additional layer of security to the login process, requiring you to enter a verification code from your phone in addition to your regular username and password. The goal of this extra step is to combine something you know (your password) with something only you would have access to (your phone).

  • Thanks 1
  • Level 5
Posted

2FA is not only available with EN. Many services offer this option as an additional layer of security.

It is especially valuable for your mail accounts. Most logins have an option to reset your password. This is usually done by sending you an email to the address you used when you established your Account. If somebody can hack into your mail account, they can take over your virtual identity by resetting your other accounts. 

So make sure your Mail account(s) are locked up like Fort Knox ! A good password, not reused anywhere, plus 2FA should do the job.

  • 2 weeks later...
Posted

Get Bitwarden password manager, it has a built-in functionality where it checks if your password has been included in the lists of compromised passwords sold on the internet. Also a pretty good PM overall.

  • Like 1
  • Level 5*
Posted

I'm pretty sure Bitwarden (which I also use...) connects to https://haveibeenpwned.com for their warnings.  I just connected to that website direct for my several email addresses (I'm a popular person!) and I get a depressingly happy "You've been Pwned!!" email every time one of them is detected in a leak online.

I am careful to use different passwords for every login, and change them regularly; and Bitwarden generates random collections of characters like "bv7LqiwCP#" (not one I use!) quite freely.  Since it is remembering the password on my phone / tablet / laptops I don't much care how human unfriendly that is - in fact the less friendly the better!

So if you're a 'bad actor' looking for a payoff - please have fun with whatever passwords of mine you may have found; they're likely out of date and will be unusable anywhere else...  

  • Like 1
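How a client can check a password against a breach corpus such as Have I Been Pwned's Pwned Passwords range lookup without ever sending the password, shown as an added example that is not part of the original posts and not any password manager's own code. `fake_range`, the corpus and its counts are constructed stand-ins so the block runs offline.

```python
import hashlib

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def pwned_count(password, fetch_range):
    """Return how many times `password` appears in the breach corpus.
    Only the first 5 hex characters of its SHA-1 go to `fetch_range`."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

# --- Offline stand-in for the service (constructed data, made-up counts) ---
CONSTRUCTED_CORPUS = {"password": 9000, "evernote123": 12}
SENT = []  # everything that "left the machine"

def fake_range(prefix):
    """Hypothetical stand-in for GET https://api.pwnedpasswords.com/range/<prefix>:
    returns 'SUFFIX:COUNT' lines for every corpus hash starting with prefix."""
    SENT.append(prefix)
    rows = [(sha1_hex(p), n) for p, n in CONSTRUCTED_CORPUS.items()]
    return "\r\n".join(f"{d[5:]}:{n}" for d, n in rows if d.startswith(prefix))

if __name__ == "__main__":
    for pw in ("password", "bv7LqiwCP#"):
        print(repr(pw), "seen", pwned_count(pw, fake_range), "times")
    print("sent to service:", SENT)
```

The service only ever sees a 5-character hash prefix shared by many unrelated passwords; the match against the full hash happens locally.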
  • Level 5
Posted

Yes, this is the most popular website for warnings of this type. I am a bit worried about its future. The founder tried to find investors, and I have read he failed. So maybe he is a little short of money to buy new breaches from the dark net.

We have another in Germany, run by an IT institute sponsored by one of the founders of SAP. It is serving the same purpose:

https://sec.hpi.de/ilc/?lang=en

There are several password managers that check for this type of leak. I use 1Password that has a function called Watchtower for this purpose. They check for leaks, and it warns you if you use a „trivial“ password that occurs frequently in breaches. If it is found often, it means that the „bad guys“ will probably have the hash for these passwords in their rainbow tables. Then even if the password is technically very strong, it will be found in a matter of seconds (unless the company it was taken from used a good salt to obscure the Hash file).

  • Thanks 1
  • Level 5*
Posted
13 hours ago, PinkElephant said:

We have another in Germany

I tested it out - seems to provide much more detail than the 'pwned' service,  which just gives broad details of what information has appeared where.  Thanks for that!

  • Thanks 1
  • Level 5
Posted

Yes it is o.k.

I just found that both together give a better overall result. They seem to have a slightly different stock of data to which they compare.

  • 2 months later...
Posted

Today, 10/27, I received an email from Evernote (specifically from “mta-70-5-168.account.evernote.com.sparkpostmail.com ([156.70.5.168]:43077)”), saying “We noticed a new login to Evernote and wanted to make sure it was you.”  Or I guess I should say that I received ANOTHER email about this sort of problem.  The previous one was on 10/18. 

Today’s gatecrasher was an Evernote for Android user at IP address: 31.183.189.119 in Lodzkie, Poland.  The previous one was another Evernote for Android user or, I suppose, the same Android user who travels a lot.  That one was from IP address: 118.71.137.231 in Ha Noi, Vietnam.

Here’s the problem.  When the first one occurred, I was indeed using a password that I had used on a couple of other accounts, so I took it seriously.  I couldn’t find any modifications to any of my Evernote content, but I nevertheless changed my password to a 10-character password that was randomly generated by my password vault, using uppercase, lowercase, numeric, and special characters.  I am CERTAIN that this password is not used on any of my other accounts.  (I suspect there’s a chance that it’s never been used before by anyone, at any time, on any account, in the life of the Internet.)  Then, since I had apparently already been breached once, I decided that 2-factor authentication was worth the inconvenience.  So, I added that option to my Evernote account. 

All is well… until today, when I get a message that someone in Viet-freaking-Nam has LOGGED IN to my account on a device that I am CERTAIN is not from one of my approved devices, meaning that they had to actually provide the correct credentials, including the 2-factor challenge/response.  Something smells more than a little funny.

I’ve checked the access history for my account, and it shows no login from either device or IP address, on those dates or as far back as the end of July.

So, since Evernote has made it… well, challenging, to reach out to a support desk (don’t I feel like a chump for getting a paid subscription?), I thought I would reach out to you, the “community” who provide crowdsourced and – I assume unpaid – support on behalf of Evernote.   You are digital saints for doing this.

So, does anyone have any insight into what’s happening?  Is the wording in the Evernote email alerts misleading about whether other people have actually pierced security on my account and gotten completely logged in, with full access to my account?  Does this just mean that someone tried, but didn’t REALLY have the password?  Does Evernote 2FA not work?  If others have accessed my account, why do they not show up on my account’s access history?  If they haven't, why am I getting these messages?

ANY help/guidance/answers/suggestions would be welcome.

  • Level 5*
Posted
18 hours ago, ward927 said:

since Evernote has made it… well, challenging, to reach out to a support desk

Hi.  Have you checked the IP addresses of these wandering access points?  I did have a couple of confusing notifications myself where an IP address I know is mine connected - allegedly - from India.  Which was impossible.  I reported the glitch and India hasn't since shown up,  but it does indicate that there can be some weird messages.

Support are the only people who can help in this case - not least because it should be impossible to beat 2-factor logins.  If that's not the case I'd certainly like to know about it!

As you're apparently having some issues with the report I flagged your post for an Admin to take a look at - hopefully you'll get a reaction within a few days;  although as you can tell from the traffic in the forums,  they're a little busy right now...

Posted
On 8/16/2020 at 5:18 AM, PinkElephant said:

Yes, this is the most popular website for warnings of this type. I am a bit worried about its future. The founder tried to find investors, and I have read he failed. So maybe he is a little short of money to buy new breaches from the dark net.

Respectfully, you're not quite correct there. He is in the process of open sourcing the code base, and he's still actively running the site - I don't expect it to go anywhere.

Trying to sell the site was not about needing money, he was trying to make sure someone else was looking after it and he wasn't a single point dependency.  Hence, open sourcing it.  For more detail, read his blog here: https://www.troyhunt.com/im-open-sourcing-the-have-i-been-pwned-code-base/

  • Level 5
Posted

Whatever - newer information is always welcome. It is a very nice service, and I would be sad not to have it around. But run by a single person, everything can happen every day. The German Site is run by a university, which provides more stability.

About the „traveling“ devices mentioned in many threads: If I would be seriously engaging in hacking, one thing I would do for sure is to cloak my IP, which could give me away. So I probably use a bunch of VPN services, which as well allow to select the country of exit into the general web with a click of the mouse. I will change my device settings as well, to avoid any fingerprinting.

So one day I will be an iPhone from Russia with love, the other day an Android in a rice bowl. In fact it is probably a dull Linux machine sitting in a basement with a neon tube and fast internet, churning through some automatic hacking routines with a database extracted by other hackers in a breach of security and then sold in the darknet to scum like me.

The IP will be one of the IPs of the VPN Server of the Service used. If a number of people used it at the same time, it is practically impossible to find out who used it for the hacking attack. This if the VPN service hold logs - which many of them deny.

From former forum reports it is known they enter (if they enter) an account, search for Bitcoin wallets stored in EN and leave again when they did not find anything. An EN Account is pretty safe against a ransom attack (beware: Somebody could probably encrypt notes using the existing tool), so this Bitcoin theft and stealing of sensitive information is the main risk here.

How they can approach an account safeguarded with a new password and 2FA: No idea. Maybe go to the web client and revoke all access for services and apps, because these may still use the old PW. Then we had another thread where somebody changed to „sign in with Google“. This done, he thought he was safe. Not so, because the old login data was still active, even when the main access now was through the Google account. Same with Facebook or Apple signin - one needs to delete the old access information.

  • Like 1
  • Haha 1
  • 3 weeks later...
Posted

Is there a way to see what other people have seen? I didn't login for years and can't recall what was on my Evernote, can I know if they for example downloaded something then deleted it? Thank you

  • Level 5*
Posted
On 11/14/2020 at 12:33 PM, carlitoinFR said:

Is there a way to see what other people have seen? I didn't login for years and can't recall what was on my Evernote, can I know if they for example downloaded something then deleted it? Thank you

No way to separate what one person did using your login details from any other person with the same information.  If you kept local backups of your account you could do some basic checks in case content has been deleted or changed, but otherwise look for any edits during the period you weren't using the account,  and check the Trash notebook for deletions... 

  • 2 months later...
Posted

I received an email today with a message that "We noticed a new login to Evernote and wanted to make sure it was you." and location of the Login was in "Brazil". 

I checked the access history, but there is no record of this login. 

What am I supposed to do? I don't know if there is no access history, then why I'm receiving this email?

Posted
On 1/31/2021 at 1:13 AM, Andy123 said:

What am I supposed to do? I don't know if there is no access history, then why I'm receiving this email?

In the first instance, I would change your password and make sure MFA is on.  

  • Like 1
  • 10 months later...
Posted

I am getting the "We noticed a new login to Evernote and wanted to make sure it was you." emails at least once a week. I have read all the articles on this issue and have followed all the suggested solutions. I have 2 factor, I have checked my history, I have changed passwords every single time it happens. I have cleared cache, cookies and history from my browser. I use a password that generates 10+ numbers, characters and upper and lowercase and never use the same one twice. I show no mysterious devices in my device history. Yet, I get these emails constantly. I reached out to Evernote and they were unhelpful. Basically told me there is nothing they can do. Totally frustrated at the lack of concern on the part of Evernote and my confidence in their product security is zero.

  • Level 5
Posted

The message shows attempted logins. Be happy they did not work - else you would see it in access history and devices.

To see if the mail address you use as login was compromised in past breaches of internet services (not EN, but plenty others), you can check here:

https://haveibeenpwned.com

If your email shows, it may be a good idea to change it. Get a new one, and switch your EN account to it following this help document:

https://help.evernote.com/hc/en-us/articles/208313338

Whether you change it only for EN, or in general is up to you. Once your mail address is in one of the breaches, it will never return to a virgin status ever. Bad guys will continue trying it, on all sorts of accounts.

So it may be a good idea to get a new one, and forward mails from the old one to it.

Posted
15 minutes ago, PinkElephant said:

The message shows attempted logins. Be happy they did not work - else you would see it in access history and devices.

To see if the mail address you use as login was compromised in past breaches of internet services (not EN, but plenty others), you can check here:

https://haveibeenpwned.com

If your email shows, it may be a good idea to change it. Get a new one, and switch your EN account to it following this help document:

https://help.evernote.com/hc/en-us/articles/208313338

Whether you change it only for EN, or in general is up to you. Once your mail address is in one of the breaches, it will never return to a virgin status ever. Bad guys will continue trying it, on all sorts of accounts.

So it may be a good idea to get a new one, and forward mails from the old one to it.

That is great information! I did check and fortunately the email has not been pwned. The one thing that EVERNOTE 'support' said was that if I received one of the login emails, then most likely someone did get into the account. This is very disturbing.

Thank you, for taking the time to respond. 

  • Like 1
  • Level 5
Posted

The above website has not 100% of all breaches - they practically get what is on the (black) market, but not everything is on sale. There are more services like this, but none will have a complete picture.

As I said, as long as the access history is clean, and no new devices show, there most likely was no completed access. I give my own names to all devices - any foreign device would stand out. Up to now no problems.

As a background: Many hackers have changed strategy, because the usual brute force attacks by trying many passwords on a single account with high speed were easy to detect and block. Statistically it is the same if you try 1 account with a million passwords, or a million accounts with one password. So they cycle through a high number of accounts, but testing each account only within larger intervals. Once an IP is blocked, they switch to another (hijacked) server.

The technique is called „Spraying“ - because they are hard to block, these attacks can go on for weeks and months. Typically there are intervals between visiting individual accounts, so you will be notified here and then only. As brute forcing, most attempts fail - but the few cases when they get through seem to make up for it. Beside a good, unique password 2FA will stop it cold, even when they get lucky with the password once.

  • Like 2
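Why a per-account lockout counter misses the spraying pattern described above, and what a cross-account check over the same login log catches, as an added example that is not part of the original post and not Evernote's detection logic. The log format, the sample lines, the function names and the thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data): time, source IP, account, outcome.
# Addresses are RFC 5737 documentation IPs; accounts are made up.
SAMPLE_LOG = """\
2021-12-01T02:01:10 203.0.113.10 ann@example.com FAIL
2021-12-01T02:03:40 203.0.113.10 ben@example.com FAIL
2021-12-01T02:09:05 198.51.100.7 cat@example.com FAIL
2021-12-01T02:14:31 198.51.100.7 dan@example.com FAIL
2021-12-01T02:22:18 192.0.2.44 eve@example.com FAIL
2021-12-01T02:40:02 192.0.2.44 fay@example.com OK
2021-12-01T09:15:00 192.0.2.200 gus@example.com FAIL
2021-12-01T09:15:20 192.0.2.200 gus@example.com OK
2021-12-01T14:00:01 198.51.100.99 hal@example.com FAIL
2021-12-01T14:00:03 198.51.100.99 hal@example.com FAIL
2021-12-01T14:00:05 198.51.100.99 hal@example.com FAIL
2021-12-01T14:00:07 198.51.100.99 hal@example.com FAIL
2021-12-01T14:00:09 198.51.100.99 hal@example.com FAIL
"""

def parse(log):
    """Yield (hour_bucket, ip, account, ok) per log line."""
    for line in log.strip().splitlines():
        ts, ip, account, outcome = line.split()
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        yield hour, ip, account, outcome == "OK"

def brute_forced(log, max_fails=5):
    """Per-account view: accounts with >= max_fails failures in one hour."""
    fails = Counter((h, a) for h, _, a, ok in parse(log) if not ok)
    return sorted({a for (_, a), n in fails.items() if n >= max_fails})

def sprayed(log, min_accounts=5, max_per_account=2):
    """Cross-account view: hours where many accounts each failed only a few
    times, whatever the source IP. Thresholds are illustrative assumptions."""
    fails = defaultdict(Counter)                      # hour -> account -> failures
    fail_ips = defaultdict(lambda: defaultdict(set))  # hour -> ip -> failed accounts
    oks = defaultdict(list)                           # hour -> [(ip, account)]
    for hour, ip, acct, ok in parse(log):
        if ok:
            oks[hour].append((ip, acct))
        else:
            fails[hour][acct] += 1
            fail_ips[hour][ip].add(acct)
    report = []
    for hour, counts in sorted(fails.items()):
        low = [a for a, n in counts.items() if n <= max_per_account]
        if len(low) < min_accounts:
            continue
        # A success from an IP that also failed on other accounts is a likely hit.
        hits = sorted(a for ip, a in oks[hour] if fail_ips[hour].get(ip, set()) - {a})
        report.append({"hour": hour.isoformat(), "accounts": len(low),
                       "ips": len(fail_ips[hour]), "likely_hits": hits})
    return report

if __name__ == "__main__":
    print("per-account alarm:", brute_forced(SAMPLE_LOG))
    print("spray alarm:", sprayed(SAMPLE_LOG))
```

The per-account counter only fires for the account hammered from one address, while the cross-account view flags the quiet 02:00 hour and names the one account whose password worked, which is the account that needs a forced reset. The owner's own typo followed by a success at 09:15 triggers neither.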
