Security concerns and failure by Evernote to detect hacked account for months



Hello,

This is my first post. I have decided to post to bring attention to the user community.

I had opened my account ten years ago. Evernote was a stellar note-taking app at the time, when there were almost none on the market.

Over the years I have met my needs on my mobile phone Notes app.

I received an email this morning that my account was accessed in some outlandish country. I have not used the app, which I have uninstalled for lack of use, nor logged into my account from the web. So this was a shocker to me. I was further shocked to find out that my account was being accessed from pariah states such as the Republic of North Korea, Vietnam and Venezuela over the last two months (please see account access log screenshot attached). :huh:

NOT ONCE was I approached by Evernote to verify it was me accessing the account before this morning. This didn't trigger any red flags considering I have never been to those countries and I have never used an Android device. Of course, as a non-premium user, I am not entitled to check on devices logging into my account or to use two factor authentication. Could this have been a marketing gimmick? I surely hope not.

This really got me thinking: why isn't the Infosec team at Evernote monitoring account access? Why did it take two months to be notified?

Just gone ahead and opened a support ticket. My heart is set to close the dormant account anyways, but I think a platform with 250 million users deserves better security practices as the last breach was in 2013, which is really way back in time. My intention is to raise attention of executives in Evernote to take security more seriously and prevent such incidents for other users.

Warm regards ..

PS: please find my access log screenshot

Link to comment
  • Level 5*
On 11/9/2020 at 6:26 AM, DisappointedUser said:

NOT ONCE was I approached by Evernote to verify it was me accessing the account before this morning.

Hi. If someone purporting to be you uses the right user ID and password, Evernote has no way to know what countries you might or might not work in or visit. The app also prides itself on being available on most devices and any internet connection - they can hardly query every single new access from their 250 million users...

On 11/9/2020 at 6:26 AM, DisappointedUser said:

as a non-premium user, I am not entitled to check on devices logging into my account or to use two factor authentication.

You can easily do both via your account page here: https://www.evernote.com/Settings.action

On 11/9/2020 at 6:26 AM, DisappointedUser said:

executives in Evernote to take security more seriously and prevent such incidents for other users.

Evernote already appear to take these issues seriously - What to do if you suspect unauthorized access to your Evernote account

Link to comment
  • Level 5

@DisappointedUser The core issue is you most likely reused a password used for other services as well for your EN account.

There are collections of such combinations of user and password circulating on dark platforms on the internet. These lists are bought and used in automatic searches on accounts with many different services. Hackers make use of VPN services to cloak their activities. The server location of the access says nothing about the real place these guys operate from.

Because bad habits are reused like passwords, you probably have many more weak account data. Not all of them offer security like EN, with an access history and 2FA even for free accounts. So better think really hard and make ALL of your accounts safe, starting with e-mail, banking and online shopping.

Link to comment

I don’t doubt this is the highest possibility. 2FA would have stopped it. The cost is negligible to Evernote.

I just wonder why I didn’t get the alert email during the other logins though it was obviously done on a new device? The cost of the email would have been negligible as well.

Link to comment
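The check asked about in the last post (an alert when a login comes from a device or country the account has not used before), as an added example that is not part of the original thread and is not Evernote's implementation. The `Login` record, the function name and the sample history are constructed for illustration; the owner's own country and device are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Login:
    when: str      # ISO 8601 date, so string order is time order
    country: str
    device: str

def new_context_alerts(history, confirmed=frozenset()):
    """Return (login, reasons) for each login from an unrecognised device or country.

    The first login enrols the baseline. A flagged login is NOT added to the
    baseline unless the owner confirmed it (its position in time order is in
    `confirmed`), so an intruder's device never becomes trusted just by being
    seen repeatedly. Only one alert is raised per unseen (device, country) pair.
    """
    known_devices, known_countries, pending = set(), set(), set()
    alerts = []
    for idx, ev in enumerate(sorted(history, key=lambda e: e.when)):
        reasons = []
        if ev.device not in known_devices:
            reasons.append("new device")
        if ev.country not in known_countries:
            reasons.append("new country")
        if idx == 0 or idx in confirmed or not reasons:
            known_devices.add(ev.device)
            known_countries.add(ev.country)
            continue
        if (ev.device, ev.country) not in pending:
            pending.add((ev.device, ev.country))
            alerts.append((ev, reasons))
    return alerts

# Constructed history: one owner login, then the kind of access the first post describes.
SAMPLE = [
    Login("2020-01-05", "United States", "iPhone"),   # assumed owner baseline
    Login("2020-09-12", "Vietnam", "Android"),
    Login("2020-09-30", "Vietnam", "Android"),        # same pair, no second alert
    Login("2020-10-18", "Venezuela", "Android"),
    Login("2020-11-09", "North Korea", "Android"),
]

if __name__ == "__main__":
    for ev, reasons in new_context_alerts(SAMPLE):
        print(ev.when, ev.country, ev.device, "->", ", ".join(reasons))
```

Because VPN exit locations say little about where a login really originates, the device signal carries more weight than the country signal; the country check alone will also fire for a travelling owner.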
