My Evernote account got hacked


I haven't used Evernote for a couple of years but got an email saying that there was a suspicious log-on from Egypt. I accessed my account, where I still had work, to find that in the last couple of months (the extent of the time period shown), my account had been accessed from Denmark, Egypt and multiple Asian locations.

What on earth is going on? I only got notified of the last access and not any of the former.

I have only study notes, but that is one heck of a breach, so have old email addresses been sold off?

Link to post

I created a lame password due to which my account got hacked starting in August 2020. I got an email from Evernote today that someone has logged into my account from Brazil. That prompted me to change the password. Since then I have deleted all my notes. I had US expired license photos, family photos of parents, almost no username passwords of my bank logins, photos of expired bank cheques, and some useless notes, last 4 digits of SSN. My photos of license though expired have my DOB and previous US addresses. I don't live in the US anymore. What is the best way to tackle this situation? I am sure hackers have downloaded my information and may have taken out loans. I remember getting some calls from debt collection agencies a few months ago. I am not sure how to proceed besides wait and watch. Please advise me.

Link to post

Alright, so I just read an Evernote email about a login from Ukraine. It's from 2 hrs back.

I pretty much dumped my life in Evernote so am less than thrilled. Clearly I changed my password, put on 2FA etc.

(Although, the authentication sms code does not work... so I can't login my desktop / phone app now. This on top of this hack AND the fact that there's no Evernote hotline or easy way to reach them REALLY makes me consider dumping the service after almost a decade.)

 

OK, now I'm after the following:

Can I see what this hacker has done in my account? Have they downloaded all notes, browsed thru them etc? Is there any way to check this?

As we speak I'm changing all my passwords for literally everything - but this would be good to know. 


And this is for a mod / evernote employee:

Why the hell would you make it possible for people from a completely different country to login via new device, instead of blocking them and require a confirmation thru email? This is insane. Why would you allow this? 

  • Like 4
Link to post
  • Level 5*
4 minutes ago, Joost7 said:

Clearly I changed my password, put on 2FA etc w Evernote. 

I merged your post with a similar discussion   
It wasn't much of a hack - they logged in with your userid/password

The important point is to not share your password; only use it for the Evernote service

Link to post

"We are currently experiencing longer than normal wait times. It may take 10 or more days to receive an email reply. For faster help, check out the articles in Help & Learning or get assistance from other Evernote users in our discussion forums."

Really Evernote? 

Are there any employees on this forum at all?

And... anybody that can recommend an Evernote alternative that does have a semblance of professionalism? 

I'm honestly shocked that, as a loyal and paying customer who right now has a decade of highly personal data probably floating around on the dark web... that this it. This is the level of customer service from a company worth 100s of millions?

The unflattering reports on the company were unfortunately true. What a train wreck.  

Link to post
  • Level 5

If a hacker got access to your account, they can simply download the content by syncing it to a device. If it is a desktop, this creates a local copy of the account on that desktop. This can be browsed offline, as we all know.

If the access was by web browser, as in the example shown first in this thread, they can search on the EN server, and fetch the content of notes found, but it will not download all the data. Most likely the access did not come physically from all the places mentioned. The hacker (probably only one) instead used a VPN service to cloak his real location. Could be anywhere on the planet ...

So it depends on the type of access that is shown. Web is less critical than a device, and most critical are PC or Mac, that will create a complete local copy by syncing it.

Now, why is it hard to detect ? Because people with legitimate accounts as well travel (less so these days) and use VPNs to cloak their geolocation (if only to watch the latest Netflix stuff not yet released for their country). Because people with legitimate accounts will buy new computers, and sync their EN data there. So even if one thinks it should be easy to catch intruders, it probably is not.

In former breaches, EN communicated that there were searches done for Bitcoin wallets and related data. But this is no guarantee that others will not try to steal an identity.

Better to avoid it: Unique and strong password + 2FA.

Link to post
  • Level 5

@Joost7 Well the train wreck is called EN version 10, and the inundated support is collateral damage.

This is sort of exceptional, although self inflicted by releasing a very immature piece of software to the whole user base.

Anything urgent you want to get support on ?

Link to post
18 minutes ago, PinkElephant said:

@Joost7 Well the train wreck is called EN version 10, and the inundated support is collateral damage.

This is sort of exceptional, although self inflicted by releasing a very immature piece of software to the whole user base.

Anything urgent you want to get support on ?

Hi PinkElephant, you make fair points. And I, on my end, am to a large degree blowing off steam, to be fair.

But my thinking is.... new location PLUS new device (Android). That oughta set off some alarm bells, right? If it's just one of the 2, it's a different story of course. 

The support I'm expecting is basically just the ability to get in touch with someone from Evernote. Within a reasonable timeframe. Just to know there's someone there for you in this company whose product I've (mostly) been happily using for years and years.

The fact that my data is out there, somewhere, fills me with dread, disgust and anxiety. No ability to get in touch with Evernote just throws salt in the wounds. 

(Btw, the 2FA is broken... the code sent to my phone is "invalid", so now I can't even access Evernote - except for my browser. The current version of Evernote is indeed a hot piece of garbage, something I kind of overlooked due to nostalgia. But this reddit topic seems to hit the nail on the head.)

Link to post

Your password might have been used across multiple services.  One of those services might have had a data breach, in which case your password may have been attempted across multiple services including EN. I'd suggest resetting your password, enabling 2FA, or if you're not using the service/no longer need it to close the account. 

 

Link to post
  • Level 5*
On 11/9/2020 at 12:31 AM, Billy089 said:

What on earth is going on?

It's not much of a hack when they have your userid and password
Change your password and only use it on the Evernote site

  • Haha 1
Link to post

I've cancelled my Evernote Premium subscription and am moving my notes over to a competitor who shall not be named...

I like supporting independent software companies, but Evernote can't be among them anymore for me.

I hope you as a company will be able to get your ***** together. It's good you guys got rid of your weekly sushi lunches, line of polyurethane socks and other extravaganzas. Hope it isn't too little too late. Good luck getting out of your death spiral.

  • Like 3
Link to post
  • 5 weeks later...

I have the same thing happening. When I try to log in and change my password, it tells me that my email is not recognized as having an account. I don't believe I have any vital information in the account as I never really used the platform. Not sure who to contact to find out how to delete the account or change the password.

Link to post

Just made an account to say the same thing happened to me.  This can not be a matter of a couple of isolated incidents - this is (hopefully "was") a security vulnerability of Evernote.   Fortunately, I did not have anything sensitive stored on Evernote - I had like 3 links saved because I tried Evernote years ago but settled on other solutions for my needs.

I personally haven't legitimately logged into Evernote for years, but received an email this evening alerting me to check if a login from Jakarta, Indonesia was legitimate.  I live in the US, and my VPN only connects through specified US servers.  So I logged into Evernote and looked at the access history on the account and I've got the same exact situation as the users above - for as far back as the history shows (early September) it's an endless stream of logins from seemingly every country on the planet. (Obviously spoofed locations)

At first I was thinking "Was this a scripted brute force? Could it be possible that a platform like Evernote would somehow not be routing their API through Cloudflare or similar CDN?" 

But then I noticed.. what's really disturbing is that the logins show as being from my own (decommissioned about a year ago) Macbook Pro.  Evernote thinks it's my device that's been logging in all this time.  This indicates to me that there's been a serious breach on the backend of Evernote, because it's hard enough to build a Hackintosh, let alone clone an existing machine.  If someone had managed to do that to me, it would be a nation-state calibre threat and Evernote would be the least of my concerns.  So - and I am ultimately speculating here - I'm thinking whoever is behind this must have gained access to the Evernote auth DB, and somehow cloned or otherwise figured out how to spoof the cookies/pixels that indicate whether the device is known, and if so, which device it is.

This is very concerning, especially as googling around isn't turning up any notable posts or articles.  Perhaps this situation is still slowly emerging.  So I came on here in hope this helps others recognize and take seriously what's happened, including Evernote.

  • Like 1
Link to post

The same thing happened to me. Starting end of November, about 15 new devices not recognizable to me (iPhone and Android) accessed my account from all around the world. I only got my first email tonight and found this out.

I have everything on there... from receipts to income tax info, and all my kids' identity documents are scanned into there.

I can't believe I have trusted this company for 10 years.

Obviously turned on 2 step authentication (after literally 10 attempts at this) and changed my password and removed all the authorized devices.

How can I save this data, cancel my account and transfer to another company? Is there a similar competitor?

Thanks for any advice on what to do now to protect myself and my family.

  • Like 1
Link to post

What is frightening is that this appears to be a rather common problem. The first time I received an email that someone accessed my account elsewhere was today; the log shows this has been going on and passed around for MONTHS. I had sensitive information I trusted was secure or I would be notified well before now. What is being done to rectify this?

Evernote for Android

Android -Android-SM-a4334

  • 12/25/2020
94.20.54.210
(Baki, Azerbaijan)

Evernote Web

  • 12/25/2020
58.137.89.226
(Krung Thep, Thailand)

Evernote Web

  • 12/23/2020
113.175.170.130
(Nam Dinh, Vietnam)

Evernote Web

  • 12/17/2020
81.225.49.242
(Skane Lan, Sweden)

Evernote Web

  • 12/14/2020
149.129.62.226
(Singapore)

Evernote Web

  • 12/13/2020
202.69.35.197
(Punjab, Pakistan)

Evernote Web

  • 12/07/2020
76.7.177.11
(Tennessee, United States)

 

   

Evernote Web

  • 11/10/2020
212.45.88.66
(Almaty City, Kazakhstan)

Evernote Web

  • 10/23/2020
110.77.244.207
(Buriram, Thailand)

Evernote for Android

Android -Android-SM-f083b

  • 10/08/2020
180.253.46.239
(Jawa Timur, Indonesia)

Evernote Web

  • 10/02/2020
88.247.89.72
(Istanbul, Turkey)

Evernote Web

  • 09/30/2020
91.92.181.251
(Iran, Islamic Republic of)

Evernote Web

  • 09/29/2020
5.111.55.210
(Makkah, Saudi Arabia)

 

  • Like 1
Link to post

This has also happened to me and I too only was notified about the last of 10 logins to my account from hackers around the world. It’s appalling. After changing passwords for virtually all my accounts for everything, I am going to delete my account with Evernote as it is clearly not secure and am notifying others of this problem with Evernote.

Link to post

Hey Evernote - when are you going to disclose to the public?  You're stacking up some serious liability by delaying - especially in the EU.  Is your CTO being forthcoming to the Board?  This isn't rocket science.  Salt your passwords if they're unsalted, use a properly configured CDN if you don't already, triple check API access logs, end to end encryption if not already implemented.. and if you're stumped, there's no shame, just hire a third party forensic.  Your loyal users deserve better than not even being made aware.  And your extremely late-to-the-game emails advising users to double check account access history does NOT count as disclosure.  

Link to post
  • Level 5*
2 minutes ago, someguy12345 said:

This isn't rocket science. 

My understanding is the accounts are being accessed with userid and password    
The issue is users not keeping their password secure

Link to post
  • Level 5

... plus not using 2FA which is offered to the free users as well.

But it is always easier to blame somebody else instead of healing the own mistake. This can be costly in such a situation, because probably it is not only the EN account the user himself has put at risk. While guys are texting new posts here, hackers work themselves probably through more accounts of the same people who reused their login credentials over and again.

Will be a tough learning curve !

Link to post
19 minutes ago, PinkElephant said:

... plus not using 2FA which is offered to the free users as well.

But it is always easier to blame somebody else instead of healing the own mistake. This can be costly in such a situation, because probably it is not only the EN account the user himself has put at risk. While guys are texting new posts here, hackers work themselves probably through more accounts of the same people who reused their login credentials over and again.

Will be a tough learning curve !

 

See my earlier post above. Credential stuffing to exploit simple passwords on a platform the size of Evernote should not be remotely possible with standard protocols in place, some examples being: Authentication triggers that dynamically increase security measures based on conditionals, such as 1) the number of failed attempts to authenticate for a given account over a given duration of time, and/or 2) authentication attempts coming from unrecognized browsers, operating systems, MAC addresses, IP addresses (exponentially bigger red flag if it's a known VPN address), new geographic locations, etc. Either of those conditions being satisfied (or both in some combination) should at minimum trigger a CAPTCHA image test, a default 2FA by means of requiring an email verification link, and/or a password change. With some combination of those measures, credential stuffing passwords should be extremely impractical at best these days, with very little incentive for a hacker to overcome those hurdles.

BUT, that all said, again I'll direct you to my post above. I hadn't logged into Evernote from any device in years when I discovered this the other day. I had no personal data of any value whatsoever on the account (I mention this for what it may be worth in communicating that I don't have a passionate or biased take on this particular situation - I just get irritated seeing companies this size disregard security). But what's certainly most worthy of noticing in my previous post is that ~70%-80% (I since deleted my account entirely, but rough estimate) of the authentications were identified as being from my own device that I originally set up an Evernote account on many many years ago. That laptop is in my closet, where it's lived - broken and thoroughly off - for close to a year now. So that's a pretty strong indicator that this wasn't even a case of brute force / credential stuffing. Whoever was accessing the account apparently spoofed whatever pixel/tracking cookie Evernote uses.

  • Like 2
  • Thanks 1
Link to post
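The step-up triggers described in the post above (failed attempts per account within a time window, and a valid password arriving from an unrecognized device, location or known VPN address), as an added example that is not part of the original thread and is not Evernote's code. The thresholds, class and field names, and the sample attempts are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

FAIL_WINDOW = timedelta(minutes=15)  # assumed look-back for failed attempts
FAIL_LIMIT = 5                       # assumed failures tolerated per window


@dataclass(frozen=True)
class Attempt:
    user: str
    when: datetime
    device_id: str      # assumed server-issued device token, not a MAC address
    country: str        # from IP geolocation, so a VPN can change it
    password_ok: bool
    known_vpn: bool = False


@dataclass
class Account:
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    failures: deque = field(default_factory=deque)


class StepUpPolicy:
    def __init__(self):
        self.accounts = defaultdict(Account)

    def trust(self, user, device_id, country):
        """Record a device/country pair, e.g. after the e-mailed link is used."""
        self.accounts[user].devices.add(device_id)
        self.accounts[user].countries.add(country)

    def decide(self, a: Attempt) -> str:
        acct = self.accounts[a.user]
        # Condition 1: failed attempts for this account inside the window.
        while acct.failures and a.when - acct.failures[0] > FAIL_WINDOW:
            acct.failures.popleft()
        if not a.password_ok:
            acct.failures.append(a.when)
            return "captcha" if len(acct.failures) >= FAIL_LIMIT else "deny"
        # Condition 2: correct password, but unfamiliar context.
        unfamiliar = (a.device_id not in acct.devices
                      or a.country not in acct.countries
                      or a.known_vpn)
        if unfamiliar or len(acct.failures) >= FAIL_LIMIT:
            return "email_verification"  # no session until the link is used
        return "allow"


def demo():
    """Constructed attempts against one account; returns the decisions."""
    t0 = datetime(2020, 12, 25, 9, 0)
    p = StepUpPolicy()
    p.trust("alice", "laptop-1", "US")
    out = [p.decide(Attempt("alice", t0, "laptop-1", "US", True))]
    # Valid password from a new device in a new country: the thread's scenario.
    stranger = Attempt("alice", t0 + timedelta(minutes=1), "android-9", "UA", True)
    out.append(p.decide(stranger))
    # Five wrong guesses in five minutes, then the right password.
    for i in range(5):
        out.append(p.decide(Attempt("alice", t0 + timedelta(minutes=2 + i),
                                    "laptop-1", "US", False)))
    out.append(p.decide(Attempt("alice", t0 + timedelta(minutes=8),
                                "laptop-1", "US", True)))
    # An hour later the failure window has expired.
    out.append(p.decide(Attempt("alice", t0 + timedelta(hours=1),
                                "laptop-1", "US", True)))
    return out


if __name__ == "__main__":
    print(demo())
```

The device check is only as strong as the token behind `device_id`: if that token can be copied or replayed, a login looks familiar and passes straight through.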
On 12/24/2020 at 10:56 AM, Medbee3 said:

The same thing happened to me. Starting end of November, about 15 new devices not recognizable to me (iPhone and Android) accessed my account from all around the world. I only got my first email tonight and found this out.

I have everything on there... from receipts to income tax info, and all my kids' identity documents are scanned into there.

I can't believe I have trusted this company for 10 years.

Obviously turned on 2 step authentication (after literally 10 attempts at this) and changed my password and removed all the authorized devices.

How can I save this data, cancel my account and transfer to another company? Is there a similar competitor?

Thanks for any advice on what to do now to protect myself and my family.

I've been quite happy with Notes from Apple. If you're a Windows user, supposedly OneNote is a good alternative, too. 

7 hours ago, someguy12345 said:

 

See my earlier post above.  Credential stuffing to exploit simple passwords on a platform the size of Evernote should not be remotely possible with standard protocols in place, some examples being:  Authentication triggers that dynamically increase security measures based on conditionals, such as 1) the number of failed attempts to authenticate for a given account over a given duration of time, and/or 2) authentication attempts coming from unrecognized browsers, operating systems, MAC addresses, IP addresses (exponentially bigger red flag if its a known VPN address), new geographic locations, etc.  Either of those conditions being satisfied (or both in some combination) should at minimum trigger a CAPTCHA image test, a default 2FA by means of requiring an email verification link, and/or a password change.  With some combination of those measures, credential stuffing passwords should be extremely impractical at best these days, with very little incentive for a hacker to overcome those hurdles.

BUT, that all said, again I'll direct you to my post above.  I hadn't logged into Evernote from any device in years when I discovered this the other day.  I had no personal data of any value whatsoever on the account (I mention this for what it may be worth in communicating that I don't have a passionate or biased take on this particular situation - I just get irritated seeing companies this size disregard security).  But what's certainly most worthy of noticing in my previous post is that ~70%-80% (I since deleted my account entirely, but rough estimate) of the authentications were identified as being from my own device that I originally setup an Evernote account on many many years ago.  That laptop is in my closet, where it's lived - broken and thoroughly off - for close to a year now.  So that's a pretty strong indicator that this wasn't even a case of brute force / credential stuffing.  Whoever was accessing the account apparently spoofed whatever pixel/tracking cookie Evernote uses.  

This is dead on. 

E.g., even if I don't use my Twitter account for a couple of months, I've got to login through an email verification. This is an attempted login from the same IP address and device, mind you.

So @PinkElephant, with all due respect, I think you're completely missing the point here. YES, people should use 2FA and unique & secure passwords. In fact, I had beefed up pretty much all of my accounts' security. But due to a blind spot, I missed out on Evernote (ironically my most important account). Stupid? Sure. But if companies have simple tools at their disposal to protect users against their own negligence, then shouldn't you think they oughta apply those? Evernote did notice someone made a suspicious log in attempt and made me aware of that. They could've easily taken it up a notch by sending an email verification. Like any reputable tech company does. 

  • Like 3
Link to post

Same thing happening to me. Haven’t used Evernote in years and don’t believe there is anything of use to the hackers; however, I want to delete the account. When I try to change my password, it doesn’t even recognize my email address. I have found no way to access my account to delete. Can anyone help with this?

Link to post
  • Level 5

You will probably have a problem following this support document if you no longer have access to the e-mail used to open the account:

https://help.evernote.com/hc/en-us/articles/360056549574

If this is the case, log in, go to the support page, and select "account issue" when opening the support ticket.

Basic accounts have no access to technical support,  but for account issues it should work.

 

Link to post
  • 3 weeks later...
On 12/26/2020 at 12:36 PM, PYNC said:

What is frightening is that this appears to be a rather common problem. The first time I received an email that someone accessed my account elsewhere was today; the log shows this has been going on and passed around for MONTHS. I had sensitive information I trusted was secure or I would be notified well before now. What is being done to rectify this?

This exact thing just happened to me. Got an email last night and found that my account was also accessed once before in December without any notification. I have just spent the last 10 hours enabling 2FA and changing ALL my passwords as, just like most of you, I kept a lot of sensitive information on this app. Makes me sick thinking about it.

Link to post
