We noticed a new login to Evernote and wanted to make sure it was you.


I guess this happens quite a bit but it's the first time for me. This morning I got an email saying "We noticed a new login to Evernote and wanted to make sure it was you."

Is this genuine and if it is, how do I stop people logging in to my account please?

Link to post
  • Level 5*

Hi.  I've never had that email from Evernote,  but I guess it could be a new procedure - have you checked your own account?  Your access history is here:  https://www.evernote.com/AccessHistory.action

Best way to check if the email is genuine is to see whether it asks you to click on a link to confirm you're OK with the login.  No one legitimate would EVER send that sort of email.  If the email says "if the login was you,  then ignore this email" then just delete it.

Make sure you follow the usual password rules - use a different password for Evernote than anything else;  make it complicated;  use 2-factor ID - and you can ensure that you are the only person using the account.

If you see access at the link above that you can't explain,  then get in touch with Evernote via Twitter @EvernoteHelps.

  • Like 1
Link to post

Thanks for the reply. Yes, the history shows not only someone from Brazil but a couple of places in China too.

Can anyone advise how they get in or what even they would want to get in there for? Better still, is there any way I can prevent other people accessing my Evernote account?

 

Link to post
  • Level 5

The places and devices are not relevant, it is easy to use servers in these places as in-betweens.

Probably you use the same login data for EN as for other accounts. If this was stolen in a security breach (not at EN, there is no reported breach) and you have reused your login data, they can access any service you are using.

  1. Go to the web client - via browser - and immediately change your password. Use a strong, unique one, not used for any other service.
  2. Then check the clients. Revoke access for any client that is not your own.
  3. As a third measure I would activate 2-FA.

Finally I would get a password manager, that creates good passwords and helps to keep track of them. Then go to every account you have, and make them secure by changing the login. Start with your E-Mail accounts, then everything related to money (bank accounts, paypal, amazon, eBay etc.), then the others.

  • Like 2
Link to post
  • Level 5*
57 minutes ago, Crewood said:

Can anyone advise how they get in or what even they would want to get in there for? Better still, is there any way I can prevent other people accessing my Evernote account?

To access your account, they must know your password   
This was probably obtained when you used it at a site with poor security

As per @PinkElephant, you need to change your Evernote password     
Also, this password should only be used for Evernote access.  Don't use the same password at other sites

  • Like 1
Link to post

Thanks to everyone for all the great advice. Really appreciated.

Not sure what "I would activate 2-FA" really means. Could someone please advise?

Link to post
  • Level 5*
7 minutes ago, Crewood said:

Not sure what "I would activate 2-FA" really means. Could someone please advise?

See https://help.evernote.com/hc/en-us/articles/208314238-How-to-set-up-two-step-verification

Two-step verification, also known as two-factor authentication, adds an additional layer of security to the login process, requiring you to enter a verification code from your phone in addition to your regular username and password. The goal of this extra step is to combine something you know (your password) with something only you would have access to (your phone).

Link to post
  • Level 5

2FA is not only available with EN. Many services offer this option as an additional layer of security.

It is especially valuable for your mail accounts. Most logins have an option to reset your password. This is usually done by sending you an email to the address you used when you established your Account. If somebody can hack into your mail account, they can take over your virtual identity by resetting your other accounts. 

So make sure your Mail account(s) are locked up like Fort Knox! A good password, not reused anywhere, plus 2FA should do the job.

Link to post
  • 2 weeks later...
  • Level 5*

I'm pretty sure Bitwarden (which I also use...) connects to https://haveibeenpwned.com for their warnings.  I just connected to that website direct for my several email addresses (I'm a popular person!) and I get a depressingly happy "You've been Pwned!!" email every time one of them is detected in a leak online.

I am careful to use different passwords for every login, and change them regularly; and Bitwarden generates random collections of characters like "bv7LqiwCP#" (not one I use!) quite freely.  Since it is remembering the password on my phone / tablet / laptops I don't much care how human unfriendly that is - in fact the less friendly the better!

So if you're a 'bad actor' looking for a payoff - please have fun with whatever passwords of mine you may have found; they're likely out of date and will be unusable anywhere else...  

  • Like 1
Link to post
  • Level 5

Yes, this is the most popular website for warnings of this type. I am a bit worried about its future. The founder tried to find investors, and I have read he failed. So maybe he is a little short of money to buy new breaches from the dark net.

We have another in Germany, run by an IT institute sponsored by one of the founders of SAP. It is serving the same purpose:

https://sec.hpi.de/ilc/?lang=en

There are several password managers that check for this type of leak. I use 1Password that has a function called Watchtower for this purpose. They check for leaks, and it warns you if you use a „trivial“ password that occurs frequently in breaches. If it is found often, it means that the „bad guys“ will probably have the hash for these passwords in their rainbow tables. Then even if the password is technically very strong, it will be found in a matter of seconds (unless the company it was taken from used a good salt to obscure the hash file).

  • Thanks 1
Link to post
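Added example, not part of the original posts: a short Python sketch of the salt point made in the post above. It uses a plain precomputed lookup table (a simplification of rainbow tables) over a constructed wordlist; the user names, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a breach password list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def unsalted_hash(password: str) -> str:
    """Weak storage: plain SHA-256, identical for every user and site."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Stronger storage: per-user random salt plus a slow KDF (PBKDF2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_lookup_table(wordlist):
    """Precompute hash -> password once; reusable against any unsalted dump."""
    return {unsalted_hash(p): p for p in wordlist}


def audit_stored_hashes(stored: dict, table: dict) -> dict:
    """Return the users whose stored hash appears in the precomputed table."""
    return {user: table[h] for user, h in stored.items() if h in table}


def verify(password: str, salt: bytes, expected_hex: str) -> bool:
    """Login check for the salted scheme, using a constant-time compare."""
    return hmac.compare_digest(salted_hash(password, salt), expected_hex)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Two constructed users who picked the same common password.
    unsalted_db = {u: unsalted_hash("letmein") for u in ("alice", "bob")}
    salts = {u: os.urandom(16) for u in ("alice", "bob")}
    salted_db = {u: salted_hash("letmein", salts[u]) for u in salts}
    return {
        "unsalted_hits": audit_stored_hashes(unsalted_db, table),
        "salted_hits": audit_stored_hashes(salted_db, table),
        "salted_hashes_differ": salted_db["alice"] != salted_db["bob"],
        "login_ok": verify("letmein", salts["alice"], salted_db["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```

With unsalted storage both users resolve instantly from the table; with per-user salts the same table finds nothing, and the two users' stored values differ even though they share a password.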
  • Level 5*
13 hours ago, PinkElephant said:

We have another in Germany

I tested it out - seems to provide much more detail than the 'pwned' service,  which just gives broad details of what information has appeared where.  Thanks for that!

  • Thanks 1
Link to post
  • 2 months later...

Today, 10/27, I received an email from Evernote (specifically from “mta-70-5-168.account.evernote.com.sparkpostmail.com ([156.70.5.168]:43077)”), saying “We noticed a new login to Evernote and wanted to make sure it was you.”  Or I guess I should say that I received ANOTHER email about this sort of problem.  The previous one was on 10/18. 

Today’s gatecrasher was an Evernote for Android user at IP address: 31.183.189.119 in Lodzkie, Poland.  The previous one was another Evernote for Android user or, I suppose, the same Android user who travels a lot.  That one was from IP address: 118.71.137.231 in Ha Noi, Vietnam.

Here’s the problem.  When the first one occurred, I was indeed using a password that I had used on a couple of other accounts, so I took it seriously.  I couldn’t find any modifications to any of my Evernote content, but I nevertheless changed my password to a 10-character password that was randomly generated by my password vault, using uppercase, lowercase, numeric, and special characters.  I am CERTAIN that this password is not used on any of my other accounts.  (I suspect there’s a chance that it’s never been used before by anyone, at any time, on any account, in the life of the Internet.)  Then, since I had apparently already been breached once, I decided that 2-factor authentication was worth the inconvenience.  So, I added that option to my Evernote account. 

All is well… until today, when I get a message that someone in Viet-freaking-Nam has LOGGED IN to my account on a device that I am CERTAIN is not from one of my approved devices, meaning that they had to actually provide the correct credentials, including the 2-factor challenge/response.  Something smells more than a little funny.

I’ve checked the access history for my account, and it shows no login from either device or IP address, on those dates or as far back as the end of July.

So, since Evernote has made it… well, challenging, to reach out to a support desk (don’t I feel like a chump for getting a paid subscription?), I thought I would reach out to you, the “community” who provide crowdsourced and – I assume unpaid – support on behalf of Evernote.   You are digital saints for doing this.

So, does anyone have any insight into what’s happening?  Is the wording in the Evernote email alerts misleading about whether other people have actually pierced security on my account and gotten completely logged in, with full access to my account?  Does this just mean that someone tried, but didn’t REALLY have the password?  Does Evernote 2FA not work?  If others have accessed my account, why do they not show up on my account’s access history?  If they haven't, why am I getting these messages?

ANY help/guidance/answers/suggestions would be welcome.

Link to post
  • Level 5*
18 hours ago, ward927 said:

since Evernote has made it… well, challenging, to reach out to a support desk

Hi.  Have you checked the IP addresses of these wandering access points?  I did have a couple of confusing notifications myself where an IP address I know is mine connected - allegedly - from India.  Which was impossible.  I reported the glitch and India hasn't since shown up,  but it does indicate that there can be some weird messages.

Support are the only people who can help in this case - not least because it should be impossible to beat 2-factor logins.  If that's not the case I'd certainly like to know about it!

As you're apparently having some issues with the report I flagged your post for an Admin to take a look at - hopefully you'll get a reaction within a few days;  although as you can tell from the traffic in the forums,  they're a little busy right now...

Link to post
On 8/16/2020 at 5:18 AM, PinkElephant said:

Yes, this is the most popular website for warnings of this type. I am a bit worried about its future. The founder tried to find investors, and I have read he failed. So maybe he is a little short of money to buy new breaches from the dark net.

Respectfully, you're not quite correct there.  He is in the process of open sourcing the code base, and he's still actively running the site - I don't expect it to go anywhere.

Trying to sell the site was not about needing money, he was trying to make sure someone else was looking after it and he wasn't a single point dependency.  Hence, open sourcing it.  For more detail, read his blog here: https://www.troyhunt.com/im-open-sourcing-the-have-i-been-pwned-code-base/

Link to post
  • Level 5

Whatever - newer information is always welcome. It is a very nice service, and I would be sad not to have it around. But run by a single person, everything can happen every day. The German Site is run by a university, which provides more stability.

About the „traveling“ devices mentioned in many threads: If I were seriously engaged in hacking, one thing I would do for sure is to cloak my IP, which could give me away. So I would probably use a bunch of VPN services, which also allow selecting the country of exit into the general web with a click of the mouse. I would change my device settings as well, to avoid any fingerprinting.

So one day I will be an iPhone from Russia with love, the other day an Android in a rice bowl. In fact it is probably a dull Linux machine sitting in a basement with a neon tube and fast internet, churning through some automatic hacking routines with a database extracted by other hackers in a breach of security and then sold in the darknet to scum like me.

The IP will be one of the IPs of the VPN server of the service used. If a number of people used it at the same time, it is practically impossible to find out who used it for the hacking attack. This is if the VPN service holds logs - which many of them deny.

From former forum reports it is known they enter (if they enter) an account, search for Bitcoin wallets stored in EN and leave again when they did not find anything. An EN Account is pretty safe against a ransom attack (beware: Somebody could probably encrypt notes using the existing tool), so this Bitcoin theft and stealing of sensitive information is the main risk here.

How they can approach an account safeguarded with a new password and 2FA: No idea. Maybe go to the web client and revoke all access for services and apps, because these may still use the old PW. Then we had another thread where somebody changed to „sign in with Google“. This done, he thought he was safe. Not so, because the old login data was still active, even when the main access now was through the Google account. Same with Facebook or Apple sign-in - one needs to delete the old access information.

  • Like 1
  • Haha 1
Link to post
  • 3 weeks later...
  • Level 5*
On 11/14/2020 at 12:33 PM, carlitoinFR said:

Is there a way to see what other people have seen? I didn't login for years and can't recall what was on my Evernote, can I know if they for example downloaded something then deleted it? Thank you

No way to separate what one person did using your login details from any other person with the same information.  If you kept local backups of your account you could do some basic checks in case content has been deleted or changed, but otherwise look for any edits during the period you weren't using the account,  and check the Trash notebook for deletions... 

Link to post
