My Evernote account got hacked

[Billy089 1]

I haven't used Evernote for a couple of years but got an email saying that there was suspicious log on from Egypt.  I accessed my account, where I still had work, to find in the last couple of months (the extent of the time period shown), my account had been accessed from Denmark, Egypt and multiple Asian locations. 

What on earth is going on? I only got notified of the last access and not any of the former.

I have only study notes but that is one heck of breach, so has old email addresses been sold off? 

[Darin New 0]

I created a lame password due to which my account got hacked starting in August 2020. I got an email from Evernote today that someone has logged into my account from Brazil. That prompted me to change the password. Since then I have deleted all my notes. I had US expired license photos, family photos of parents, almost no username passwords of my bank logins, photos of expired bank cheques, and some useless notes, last 4 digits of SSN. My photos of license though expired have my DOB and previous US addresses. I don't live in the US anymore. What is the best way to tackle this situation? I am sure hackers have downloaded my information and may have taken out loans. I remember getting some calls from debt collection agencies a few months ago. I am not sure how to proceed besides wait and watch. Please advise me.

[Joost7 15]

Alright, so I just read an evernote email about a login from Ukraine. It's from 2 hrs back. 

I pretty much dumped my life in evernote so am less than thrilled. Clearly I changed my password, put on 2FA etc. 

(Although, the authentication sms code does not work... so I can't login my desktop / phone app now. This on top of this hack AND the fact that there's no Evernote hotline or easy way to reach them REALLY makes me consider dumping the service after almost a decade.)

 

OK, now I'm after the following:

Can I see what this hacker has done in my account? Have they downloaded all notes, browsed thru them etc? Is there any way to check this?

As we speak I'm changing all my passwords for literally everything - but this would be good to know. 

And this is for a mod / evernote employee:

Why the hell would you make it possible for people from a completely different country to login via new device, instead of blocking them and require a confirmation thru email? This is insane. Why would you allow this? 

[DTLow 5,736]

4 minutes ago, Joost7 said:

Clearly I changed my password, put on 2FA etc w Evernote. 

I merged your post with a similar discussion   
It wasn't much of a hack - they logged in with your userid/password

The important point is to not share your password; only use it for the Evernote service

[Joost7 15]

Sure. That point is clear.

What about checking if the person getting access did an instant database download , used the account etc.? Knowing that would be super helpful.  

[Joost7 15]

"We are currently experiencing longer than normal wait times. It may take 10 or more days to receive an email reply. For faster help, check out the articles in Help & Learning or get assistance from other Evernote users in our discussion forums."

Really Evernote? 

Are there any employees on this forum at all?

And... anybody that can recommend an Evernote alternative that does have a semblance of professionalism? 

I'm honestly shocked that, as a loyal and paying customer who right now has a decade of highly personal data probably floating around on the dark web... that this it. This is the level of customer service from a company worth 100s of millions?

The unflattering reports on the company were unfortunately true. What a train wreck.  

[PinkElephant 8,088]

If a hacker got access to your account, they can simply download the content by syncing it to a device. If it is a desktop, this creates a local copy of the account on that desktop. This can be browsed offline, as we all know.

If the access was by web browser, as in the example shown first in this thread, they can search on the EN server, and fetch the content of notes found, but it will not download all the data. Most likely the access did not come physically from all the places mentioned. The hacker (probably only one) instead used a VPN service to cloak his real location. Could be anywhere on the planet ...

So it depends on the type of access that is shown. Web is less critical than a device, and most critical are PC or Mac, that will create a complete local copy by syncing it.

Now, why is it hard to detect ? Because people with legitimate accounts as well travel (less so these days) and use VPNs to cloak their geolocation (if only to watch the latest Netflix stuff not yet released for their country). Because people with legitimate accounts will buy new computers, and sync their EN data there. So even if one thinks it should be easy to catch intruders, it probably is not.

In former breaches, EN communicated that there were searches done for Bitcoin wallets and related data. But this is no guarantee that others will not try to steal an identity.

Better to avoid it: Unique and strong password + 2FA.

[PinkElephant 8,088]

@Joost7 Well the train wreck is called EN version 10, and the inundated support is collateral damage.

This is sort of exceptional, although self inflicted by releasing a very immature piece of software to the whole user base.

Anything urgent you want to get support on ?

[Joost7 15]

18 minutes ago, PinkElephant said:

@Joost7 Well the train wreck is called EN version 10, and the inundated support is collateral damage.

This is sort of exceptional, although self inflicted by releasing a very immature piece of software to the whole user base.

Anything urgent you want to get support on ?

Hi PinkElephant, you make fair points. And I on my end, am for a large degree blowing off steam to be fair. 

But my thinking is.... new location PLUS new device (Android). That oughta set off some alarm bells, right? If it's just one of the 2, it's a different story of course. 

The support I'm expecting, is basically just the ability the get in touch with someone from Evernote. Within a reasonable timeframe. Just know there's someone there for you in this company who's product I've (mostly) been happily using for years and years.

The fact that my data is out there, somewhere, fills me with dread, disgust and anxiety. No ability to get in touch with Evernote just throws salt in the wounds. 

(Btw, the 2FA is broken... the code sent to my phone is "invalid." so now I can't even access evernote - except for my browser. The current version of evernote is indeed a hot piece of garbage, something I kind of overlooked due to nostalgia. But this reddit topic seems to hit the nail on the hit.)

[Angelo 7]

Your password might have been used across multiple services.  One of those services might have had a data breach, in which case your password may have been attempted across multiple services including EN. I'd suggest resetting your password, enabling 2FA, or if you're not using the service/no longer need it to close the account. 

 

[DTLow 5,736]

On 11/9/2020 at 12:31 AM, Billy089 said:

What on earth is going on?

It's not much of hack when they have your userid and password    
Change your password and only use it on the Evernote site

[Joost7 15]

I've cancelled my Evernote Premium subscription and am moving my notes over to a competitor who shall not be named...

I like supporting independent software companies, but Evernote can't be among them anymore for me.

I hope you as company will be able to get your ***** together. It's good you guys got rid of your weekly sushi lunches, line of polyurethane socks and other extravaganzas. Hope it isn't too little too late. Good luck getting out of your death spiral. 

[Texas2020 0]

Same problem. Same solution. My account was hacked on 30 October, but I never got an alert from Evernote. Downgrading and canceling, immediately.

[Lisa W 0]

I have the same thing happening. When I try to login and change my password, it tells me that my email is not recognized as having an account. I do t believe I have any vital information in the account as I never really used the platform. Not sure who to contact to find out how to delete the account or change the password. 

[someguy12345 9]

Just made an account to say the same thing happened to me.  This can not be a matter of a couple of isolated incidents - this is (hopefully "was") a security vulnerability of Evernote.   Fortunately, I did not have anything sensitive stored on Evernote - I had like 3 links saved because I tried Evernote years ago but settled on other solutions for my needs.

I personally haven't legitimately logged into Evernote for years, but received an email this evening alerting me to check if a login from Jakarta, Indonesia was legitimate.  I live in the US, and my VPN only connects through specified US servers.  So I logged into Evernote and looked at the access history on the account and I've got the same exact situation as the users above - for as far back as the history shows (early September) it's an endless stream of logins from seemingly every country on the planet. (Obviously spoofed locations)

At first I was thinking "Was this a scripted brute force? Could it be possible that a platform like Evernote would somehow not be routing their API through Cloudflare or similar CDN?" 

But then I noticed.. what's really disturbing is that the logins show as being from my own (decommissioned about a year ago) Macbook Pro.  Evernote thinks it's my device that's been logging in all this time.  This indicates to me that there's been a serious breach on the backend of Evernote, because it's hard enough to build a Hackintosh, let alone clone an existing machine.  If someone had managed to do that to me, it would be a nation-state calibre threat and Evernote would be the least of my concerns.  So - and I am ultimately speculating here - I'm thinking whoever is behind this must have gained access to the Evernote auth DB, and somehow cloned or otherwise figured out how to spoof the cookies/pixels that indicate whether the device is known, and if so, which device it is.

This is very concerning, especially as googling around isn't turning up any notable posts or articles.  Perhaps this situation is still slowly emerging.  So I came on here in hope this helps others recognize and take seriously what's happened, including Evernote.

[Medbee3 2]

The same thing happened to me. Starting end of November, about 15 new devices not recognizable to me (iPhone and android) accessed my account from all around the world. I only got my first email tonight and found this out. 
 

i have everything on there...from receipts to income tax info and all my kids identity documents are scanned into there.

 

i can’t believe I have trusted this company for 10 years. 
 

Obviously turned on 2 step authentication (after literally 10 attempts at this) and changed my password and removed all the authorized devices. 
 

How can I save this data, cancel my account and transfer to another company? Is there a similar competitor? 
 

Thanks for any advice on what to now to protect myself and my family. 

[PYNC 1]

what is frightening is that this appears to be a rather common problem. the first time i received an email that someone accessed my account elsewhere was today; the log shows this has been going on and passed around for MONTHS. I had sensitive information I trusted was secure or I would be notified well before now. What is being done to rectify this?

Evernote for Android Android -Android-SM-a4334	12/25/2020	94.20.54.210 (Baki, Azerbaijan)
Evernote Web	12/25/2020	58.137.89.226 (Krung Thep, Thailand)
Evernote Web	12/23/2020	113.175.170.130 (Nam Dinh, Vietnam)
Evernote Web	12/17/2020	81.225.49.242 (Skane Lan, Sweden)
Evernote Web	12/14/2020	149.129.62.226 (Singapore)
Evernote Web	12/13/2020	202.69.35.197 (Punjab, Pakistan)
Evernote Web	12/07/2020	76.7.177.11 (Tennessee, United States)
Evernote Web	11/10/2020	212.45.88.66 (Almaty City, Kazakhstan)
Evernote Web	10/23/2020	110.77.244.207 (Buriram, Thailand)
Evernote for Android Android -Android-SM-f083b	10/08/2020	180.253.46.239 (Jawa Timur, Indonesia)
Evernote Web	10/02/2020	88.247.89.72 (Istanbul, Turkey)
Evernote Web	09/30/2020	91.92.181.251 (Iran, Islamic Republic of)
Evernote Web	09/29/2020	5.111.55.210 (Makkah, Saudi Arabia)

 

[SuzeW 0]

This has also happened to me and I too only was notified about the last of 10 logins to my account from hackers around the world. It’s appalling. After changing passwords for virtually all my accounts for everything, I am going to delete my account with Evernote as it is clearly not secure and am notifying others of this problem with Evernote.

[someguy12345 9]

Hey Evernote - when are you going to disclose to the public?  You're stacking up some serious liability by delaying - especially in the EU.  Is your CTO being forthcoming to the Board?  This isn't rocket science.  Salt your passwords if they're unsalted, use a properly configured CDN if you don't already, triple check API access logs, end to end encryption if not already implemented.. and if you're stumped, there's no shame, just hire a third party forensic.  Your loyal users deserve better than not even being made aware.  And your extremely late-to-the-game emails advising users to double check account access history does NOT count as disclosure.  

[DTLow 5,736]

2 minutes ago, someguy12345 said:

This isn't rocket science. 

My understanding is the accounts are being accessed with userid and password    
The issue is users not keeping their password secure

[PinkElephant 8,088]

... plus not using 2FA which is offered to the free users as well.

But it is always easier to blame somebody else instead of healing the own mistake. This can be costly in such a situation, because probably it is not only the EN account the user himself has put at risk. While guys are texting new posts here, hackers work themselves probably through more accounts of the same people who reused their login credentials over and again.

Will be a tough learning curve !

[someguy12345 9]

19 minutes ago, PinkElephant said:

... plus not using 2FA which is offered to the free users as well.

But it is always easier to blame somebody else instead of healing the own mistake. This can be costly in such a situation, because probably it is not only the EN account the user himself has put at risk. While guys are texting new posts here, hackers work themselves probably through more accounts of the same people who reused their login credentials over and again.

Will be a tough learning curve !

 

See my earlier post above.  Credential stuffing to exploit simple passwords on a platform the size of Evernote should not be remotely possible with standard protocols in place, some examples being:  Authentication triggers that dynamically increase security measures based on conditionals, such as 1) the number of failed attempts to authenticate for a given account over a given duration of time, and/or 2) authentication attempts coming from unrecognized browsers, operating systems, MAC addresses, IP addresses (exponentially bigger red flag if its a known VPN address), new geographic locations, etc.  Either of those conditions being satisfied (or both in some combination) should at minimum trigger a CAPTCHA image test, a default 2FA by means of requiring an email verification link, and/or a password change.  With some combination of those measures, credential stuffing passwords should be extremely impractical at best these days, with very little incentive for a hacker to overcome those hurdles.

BUT, that all said, again I'll direct you to my post above.  I hadn't logged into Evernote from any device in years when I discovered this the other day.  I had no personal data of any value whatsoever on the account (I mention this for what it may be worth in communicating that I don't have a passionate or biased take on this particular situation - I just get irritated seeing companies this size disregard security).  But what's certainly most worthy of noticing in my previous post is that ~70%-80% (I since deleted my account entirely, but rough estimate) of the authentications were identified as being from my own device that I originally setup an Evernote account on many many years ago.  That laptop is in my closet, where it's lived - broken and thoroughly off - for close to a year now.  So that's a pretty strong indicator that this wasn't even a case of brute force / credential stuffing.  Whoever was accessing the account apparently spoofed whatever pixel/tracking cookie Evernote uses.  

[Joost7 15]

On 12/24/2020 at 10:56 AM, Medbee3 said:

The same thing happened to me. Starting end of November, about 15 new devices not recognizable to me (iPhone and android) accessed my account from all around the world. I only got my first email tonight and found this out. 
 

i have everything on there...from receipts to income tax info and all my kids identity documents are scanned into there.

 

i can’t believe I have trusted this company for 10 years. 
 

Obviously turned on 2 step authentication (after literally 10 attempts at this) and changed my password and removed all the authorized devices. 
 

How can I save this data, cancel my account and transfer to another company? Is there a similar competitor? 
 

Thanks for any advice on what to now to protect myself and my family. 

I've been quite happy with Notes from Apple. If you're a Windows user, supposedly OneNote is a good alternative, too. 

7 hours ago, someguy12345 said:

 

See my earlier post above.  Credential stuffing to exploit simple passwords on a platform the size of Evernote should not be remotely possible with standard protocols in place, some examples being:  Authentication triggers that dynamically increase security measures based on conditionals, such as 1) the number of failed attempts to authenticate for a given account over a given duration of time, and/or 2) authentication attempts coming from unrecognized browsers, operating systems, MAC addresses, IP addresses (exponentially bigger red flag if its a known VPN address), new geographic locations, etc.  Either of those conditions being satisfied (or both in some combination) should at minimum trigger a CAPTCHA image test, a default 2FA by means of requiring an email verification link, and/or a password change.  With some combination of those measures, credential stuffing passwords should be extremely impractical at best these days, with very little incentive for a hacker to overcome those hurdles.

BUT, that all said, again I'll direct you to my post above.  I hadn't logged into Evernote from any device in years when I discovered this the other day.  I had no personal data of any value whatsoever on the account (I mention this for what it may be worth in communicating that I don't have a passionate or biased take on this particular situation - I just get irritated seeing companies this size disregard security).  But what's certainly most worthy of noticing in my previous post is that ~70%-80% (I since deleted my account entirely, but rough estimate) of the authentications were identified as being from my own device that I originally setup an Evernote account on many many years ago.  That laptop is in my closet, where it's lived - broken and thoroughly off - for close to a year now.  So that's a pretty strong indicator that this wasn't even a case of brute force / credential stuffing.  Whoever was accessing the account apparently spoofed whatever pixel/tracking cookie Evernote uses.  

This is dead on. 

E.g., even if I don't use my Twitter account for a couple of months, I've got to login through an email verification. This is an attempted login from the same IP address and device, mind you.

So @PinkElephant, with all due respect, I think you're completely missing the point here. YES, people should use 2FA and unique & secure passwords. In fact, I had beefed up pretty much all of my accounts' security. But due to a blind spot, I missed out on Evernote (ironically my most important account). Stupid? Sure. But if companies have simple tools at their disposal to protect users against their own negligence, then shouldn't you think they oughta apply those? Evernote did notice someone made a suspicious log in attempt and made me aware of that. They could've easily taken it up a notch by sending an email verification. Like any reputable tech company does. 

[Lisa W 0]

Same thing happening to me. Haven’t used Evernote in years and don’t believe there is anything of use to the hackers; however, I want to delete the account. When I try to change my password, it doesn’t even recognize my email address. I have found no way to access my account to delete. Can anyone help with this?

[PinkElephant 8,088]

Probably you will have a problem to follow this support document, if you have no more access to the e-Mail used to open the account:

https://help.evernote.com/hc/en-us/articles/360056549574

If this is the case, log in, go to the support page, and select „account issue“ when opening the support ticket.

Basic accounts have no access to technical support,  but for account issues it should work.

 

[EverSuck 0]

On 12/26/2020 at 12:36 PM, PYNC said:

what is frightening is that this appears to be a rather common problem. the first time i received an email that someone accessed my account elsewhere was today; the log shows this has been going on and passed around for MONTHS. I had sensitive information I trusted was secure or I would be notified well before now. What is being done to rectify this?

Evernote for Android Android -Android-SM-a4334	12/25/2020	94.20.54.210 (Baki, Azerbaijan)
Evernote Web	12/25/2020	58.137.89.226 (Krung Thep, Thailand)
Evernote Web	12/23/2020	113.175.170.130 (Nam Dinh, Vietnam)
Evernote Web	12/17/2020	81.225.49.242 (Skane Lan, Sweden)
Evernote Web	12/14/2020	149.129.62.226 (Singapore)
Evernote Web	12/13/2020	202.69.35.197 (Punjab, Pakistan)
Evernote Web	12/07/2020	76.7.177.11 (Tennessee, United States)
Evernote Web	11/10/2020	212.45.88.66 (Almaty City, Kazakhstan)
Evernote Web	10/23/2020	110.77.244.207 (Buriram, Thailand)
Evernote for Android Android -Android-SM-f083b	10/08/2020	180.253.46.239 (Jawa Timur, Indonesia)
Evernote Web	10/02/2020	88.247.89.72 (Istanbul, Turkey)
Evernote Web	09/30/2020	91.92.181.251 (Iran, Islamic Republic of)
Evernote Web	09/29/2020	5.111.55.210 (Makkah, Saudi Arabia)

 

This exact thing just happened to me. Got an email last night and find that my account was also accessed once before in December without any notification. I have just spent the last 10hours enabling 2FA and changing ALL my passwords as just like most of you, I kept alot of sensitive information on this app. Makes me sick thinking about it. 

[Tim Wangler 0]

I've been a victim of this also. I got an email that somebody had logged into my account on a device in Hanoi. Obviously not me. I checked the login history and the first login starts 7 January, and continues until now from a series of locations around the world.

Why was I not informed about all these other logins? They were all in the web application, but it should have raised a red flag, and I should have been notified.

I had an anomalous deposit into my checking account on 10 January that I had to spend some time with my bank fixing. Now I know where they got the data from.

Reading these accounts makes me think this is much more serious than they are letting on. I am downgrading/canceling. This is a huge problem. Advice on how to save these data and migrate to a new, more secure application?

[e-b 0]

This happened to me today. However I can see activity from other countries which I have not travelled to dating back to November 2020. Evernote was my go to for years and where I have kept confidential family records. Closing account ASAP! Clearly there was a very big security breach last November and no announcement was made. 

[PinkElephant 8,088]

There was no breach at EN (the forum would be full by now).

There seems to be a breach in your personal account security. This typically is the result of

• reusing passwords (use the same or similar password on different services)
• using weak passwords that can be guessed
• using a (public) computer with malware installed, like a keylogger

What to do ?

First change your password. Create a new one, never used before, strong (a password manager would help) and unique (don’t reuse it anywhere else). If you suspect your computer could be „wormed“, use a mobile device switched to mobile network to do so.

Second go to the web client, account information, devices and deauthorize any unknown device.

Third I would think about activating 2FA.

[e-b 0]

29 minutes ago, PinkElephant said:

There was no breach at EN (the forum would be full by now).

There seems to be a breach in your personal account security. This typically is the result of

• reusing passwords (use the same or similar password on different services)
• using weak passwords that can be guessed
• using a (public) computer with malware installed, like a keylogger

What to do ?

First change your password. Create a new one, never used before, strong (a password manager would help) and unique (don’t reuse it anywhere else). If you suspect your computer could be „wormed“, use a mobile device switched to mobile network to do so.

Second go to the web client, account information, devices and deauthorize any unknown device.

Third I would think about activating 2FA.

Thanks PinkElephant. That may be true. It is unclear how much support EN is offering and how safe the platform is in 2021. Having been a long time user it seems there are better performing options out there now. EN was a leader but I just can't wrap my head around how many people have had their accounts hacked. I received one alert this morning and had not been notified of how many times prior my account was accessed from someone outside my country beginning in November 2020. It seems slowly people are learning about this situation.

[PinkElephant 8,088]

When you have 200 million users (the last figure I have seen published), of which probably a good percentage is traveling, or using VPN services from time to time, a simple geolocation block won’t do.

Here in the forum there is appr. 1 case per week with a hacked account. Even if I allow a quota of 10 or even 100 unknown cases per each one that makes it here, it is a very small number related to the total accounts.

AFAIK we never had a case where a good password plus 2FA was used, and an account was hacked.

Beyond these measures, you probably would get a conflict of usability vs. security. I doubt that the percentage of accounts with 2FA enabled is larger than a few percent. So it is not even widely used what would be possible for all users, free of charge.

[davidfball 1]

On 1/17/2021 at 2:34 AM, EverSuck said:

This exact thing just happened to me. Got an email last night and find that my account was also accessed once before in December without any notification. I have just spent the last 10hours enabling 2FA and changing ALL my passwords as just like most of you, I kept alot of sensitive information on this app. Makes me sick thinking about it. 

Me too. The number of 'customers' with this same issue points to an extreme problem with this program. Blaming the customer is the easy way out. I'm very upset knowing that information I trusted to this program is floating around out there. Unfortunately, if you were hit it's almost too late to do much. Back to paper and pencil.

[On my way out.... 4]

Also hacked.  I don't use public computers and access almost exclusively from my phone. Thankfully no sensitive information in EN, but since I *did* reuse a password across what I felt was a low-risk block of accounts, about 1 month after the EN hack they did get into Spotify which triggered me that this was systemic and I changed all my login info that used that password.  The issue I have with 2FA, is EN is asking for my phone number to enable it, which seems like just one more opportunity for these people to collect more information about me through EN.  My EN password that was hacked was 10 characters long, mix of symbols, capitals, numbers fairly randomized... not words or anything else guessable.   I struggle with the premise presented on most of these threads that *I'm* the problem here, and don't want to give EN any more of my information that may later have to be changed to protect security on my other accounts, or against identity theft.  Maybe I'll keep my EN account to continue to store recipes and gift ideas for my sister in law (whomever in Bali is welcome to that info if they really want it), or maybe I'll drop it because I have l trouble supporting a company that doesn't seem to be taking this systemic issue seriously.

I appreciate the others that took time to comment here, and also created a profile to comment, though my story is not unique.

And yes, it would be more secure with 2FA on, and I will/can keep a unique password for this account. But I'm reading of people that are getting pings w/codes that they're not requesting...meaning new passwords getting compromised.   AND, of all of the online accounts I have, I've never had an issue on a single other platform besides the Spotify issue secondary to an EN hack...it seems to be EN that this hackers are targeting repeatedly and ground zero for issues.  When there's reasonable alternatives to EN out there not plagued by these issues... why would I volunteer for this nonsense?!  I have too many other things to do.

Also, the idea that there are only XX reports of an issue amongst a larger user base means it's not a systemic problem seems flawed to me.  I see several cases above where EN didn't flag the user to many of the initial incidences by email.  How many poor folks out there that DO put things in more important than a recipe for spicy chili have had this happen and simply don't know, or didn't escalate it publicly or to EN.   Or in my case got the email (I currently have about 400 unread non-promotional emails so it was lucky I saw it in the first place), thought "that was weird," and went on with their busy lives, that is until some ...ahem...person... started fighting me every 4 seconds for the rights to play my own spotify stream.

If I'm at Evernote, I'd figure this out before it becomes a PR nightmare.

[hackedevernote123 0]

Same issue here. I received an email saying that somebody logged in to my evernote account from Bolivia. I checked the access history. It doesn't mention Bolivia in the history but it mentions Germany and Netherlands. 

I do not use public wifi. I do not use public computers. I am extremely careful. This has never happened to me before. Not even once !

AND I HAD SENSITIVE INFORMATION! My ID, my company's EIN number and my ITIN. 

I CANT SLEEP !!!

[ramonpere 0]

Today I got the exactly problem.

Evernote notify me by email a suspicious log from february 2nd.
When I verified to my log history I saw loggins from Venezuela, Pakistan, USA, Germany and so many others since december 26th 2020, none of those were notified to me...

I had important information stored there that now I don't know if they will be selling it somewhere or if they will use it in the future to do something against me.

It is a lack of respect on the part of Evernote that so far they have not taken action, because it seems to be a common problem that has affected many others. I hope that legal action is taken for its nefarious security system.

 

Aplicación	Accedido	Dirección IP (Ubicación estimada) ?
Evernote for Android Android -Android-SM-a604f	02/02/2021	79.250.44.98 (Nordrhein-Westfalen, Germany)
Evernote for Android Android-Samsung-H-6815Q	11/01/2021	107.173.199.29 (United States)
Evernote Web	27/12/2020	203.160.60.242 (Jawa Barat, Indonesia)
Evernote Web	27/12/2020	146.196.107.150 (Jakarta Raya, Indonesia)
Evernote Web	27/12/2020	102.113.231.187 (Grand Port, Mauritius)
Evernote Web	27/12/2020	91.250.36.31 (Donets'ka Oblast', Ukraine)
Evernote Web	27/12/2020	49.145.182.167 (Cebu City, Philippines)
Evernote Web	26/12/2020	202.87.248.134 (Indonesia)
Evernote Web	26/12/2020	187.19.127.179 (Paraiba, Brazil)
Evernote Web	26/12/2020	139.159.48.155 (China)
Evernote Web	26/12/2020	137.59.162.114 (Jawa Barat, Indonesia)
Evernote Web	26/12/2020	121.205.216.73 (Fujian, China)
Evernote Web	26/12/2020	109.68.189.22 (Moscow City, Russian Federation)
Evernote Web	26/12/2020	103.60.181.210 (Jakarta Raya, Indonesia)
Evernote Web	26/12/2020	81.16.9.2 (Yerevan, Armenia)
Evernote Web	26/12/2020	77.242.29.192 (Tirane, Albania)
Evernote Web	26/12/2020	45.71.108.18 (Bahia, Brazil)
Evernote Web	26/12/2020	45.65.129.38 (Espirito Santo, Brazil)
Evernote Web	26/12/2020	8.242.232.14 (Distrito Federal, Venezuela)

[PinkElephant 8,088]

200 million users

Let us say 1% of them are handling their security as it is described above (which is way too low, since "123456" is still the most used password in 2021): Setting up bad passwords, reusing them, not even talking about 2FA. Maybe running malware on their PCs without noticing, crypto miners, key loggers, the like.

Oooops, 2 million accounts at risk. Not because EN is running bad security, it is because users ignore simple IT security measures.

Probably the real figure is closer to 20, 30, or more millions of accounts.

But sure, it MUST be the company, and they MUST have a problem, bla bla. I just imagine the uproar if EN would simply enforce stricter security on all accounts. Mimimi, they lock us out, we can't access our data, mimimi. 

Until there is any proof that there is a security problem with EN, any user who has a security issue better solves it himself. Because not doing so does not only put the EN account at risk, there are other and potentially more dangerous / expensive accounts to fix. Usually bad security does not happen at one software or one account only. Waiting for EN to "fix" anything is a bad strategy, when the own data is at risk.

[ArjenC 124]

Security is a problem for EN and Users. Both have responsibilities in a strong defense against unauthorized/unwanted access.
EN could opt for a stronger password policy and/or force 2FA usage, to protect them and us (the users of service) 

The average user is not aware of the danger / not aware that their password policy is insecure.
So when breached at one service, most likely more services will face unwanted access by hackers.

For those who want a more secure approach, look at a good password service / manager.
They will encourage you to use safe, unique and strong passwords, reports you when your account is leaked etc...

[PinkElephant 8,088]

Personally I use 1Password to keep track of all the logins that somehow tend to build up, plus an authenticator app to generate the keys. 1PW has a nice feature telling you which services you are using offer 2FA. Currently from my logins only 10% do - EN being one of them. If I take this sample (which is not representative) EN is in the TOP 10% with security.

About 2FA, the only apps that enforce it AFAIK are online banking apps. Some do it when accessing the account, others only when executing a transaction. Some other accounts ask for a second factor when accessing certain account functions, but use a static key like a PIN.

Ironically Basic users run sort of safer than paying users, because they have the device limit. When both devices are in use, they often get a message about a hack as a „third device“. Maybe because of this, threads in the forum about hacking tend to be posted mainly by Basic users. And most are asking EN to fix what does not need to be fixed, and that somebody else must solve their  self induced security problem.

[EarlyAdopter 1]

Same issue. And before someone asks: yes, I've been using a unique password for Evernote for at least the last year (thanks LastPass) and yes, I have 2FA enabled. So this is definitely an Evernote problem.

[AnnaDoe777 0]

I experienced the same issue yesterday.
- Change your password
- Change the email address used to login
- Remove the compromised email address from your profile

- deauthorize any suspicious devices and apps

I am not adding 2FA to the list because I am not comfortable giving my cell phone number to Evernote. That said, if 2FA can be activated through a third-party app like Microsoft Authenticator, I'll say for go it.

 

[CathieF 0]

Hello,

 I have the same story about my EN account- that it had been hacked since Dec.7,2020. People have been accessing it from all over the world. I have changed my password & set up the 2 step authentication. Had the app since 2014. The original password was strong & different. It is frustrating that the first notice I received from EN was yesterday morning! From Turkey. Never been there, or Colombia, Egypt, Pakistan, Etc. This seems to be a problem for all of us in the last 6 months. Why hasn't support responded with more details????  I am afraid of ID Theft for myself & grown children.  It looks like it is time for us to all abandon this EN ship. Really awful support & security.

[On my way out.... 4]

On 2/5/2021 at 4:03 AM, ArjenC said:

Security is a problem for EN and Users. Both have responsibilities in a strong defense against unauthorized/unwanted access.
EN could opt for a stronger password policy and/or force 2FA usage, to protect them and us (the users of service) 

Here's where I agree, and thank you for stating my key point in a more concise and understandable fashion.  And corporate responsibility is an interesting/debatable topic itself, I understand... but hey in some cases you do see the market encourage some basic level of this when users stop supporting companies that do not have their interests as core priority. 

I am only interested in Evernote or any other online tool/application in it's value for assisting me in living a rich "in person" life.  I'm not saying that you can't love the ins and outs of all of this security stuff and still do that... but there are only so many hours in the day, and I would rather invest those hours in things other than researching all the ways I can get hacked and monitoring the safety of my online accounts beyond the bare minimum.  EN has lost my blind trust, and I'm not willing to invest the ongoing time to actively maintain "safety" in this single account when there are more inherently secure (with less direct effort/research required from me) or less targeted alternatives. 

This experience has demonstrated that EN is a bad fit for me.  Maybe a fine fit for someone more naturally interested and informed in this space.  Since EN is putting the responsibility on my for my own "safety"...could I find, try to confirm security of, install, and run a secondary authenticator, so I don't need to give them my phone?  Sure. Same for password managers.  Do I want to spend my time on that?  Not really.  (oh, and forcing 2FA aside, did EN do anything to at least educate me about the importance of investing time in those things for their service?  Nope, just PinkElephant after the problem had already occurred.)  At this point for me, it's easier to just stop using EN, since per PinkElephant, "Waiting for EN to "fix" anything is a bad strategy, when [their](sic) own data is at risk."  

(BTW I don't delude myself that this is some threat to EN I'm making, with hundreds of millions of users.)

[PinkElephant 8,088]

Hey - they don’t access from „all over the world“. They sit in their hackers closet, wherever, and use a VPN to move around their virtual position.

The first attempt will be by an automated process. So the bad guy is more likely sitting by his pool, drinking cocktails and waiting for one of many attempts to work. This will be logged, and then retried to exploit.

When it happens by „spraying“, many accounts will be tried, not as in „brute force“ just one account many times. When this is the case, it will be pretty hard for any company to get ahead of these login attempts.

[madmadamquinn 0]

My evernote was also hacked by someone in Vietnam. They deleted all my notes and then emptied the trash. I lost years of notes without a way to retrieve them. The fact that someone log in from another country and have access to delete everything without a security system coming into play is ridiculous. I've already removed the Evernote app from my phone and will not be recommending it.

[PinkElephant 8,088]

Even if it may sound harsh to you: Hope you learned a lesson or two from that - like

• I will never use the same password on several services again
• I use a password manager to generate stronger-than-need-be, unique passwords
• I always activate 2FA to protect valuable accounts
• No backup, no mercy

and most important

• I take responsibility for myself, don’t expect others to nanny me, don’t play blame games 

 

[Harsh Singh 0]

Hi , Perhaps someone has hacked into my account , and i can see hacker /anonymous person logging in my account from various locations like - UK , vietnam , indonesia ,..etc. I haven't got all the  alerts from evernote team . It  was in december 2020 when i saw that someone from egypt tried to login into my system , and due to this ,  i changed my password and also went for double authentication .  I am deleting my account on evernote . pathetic technical support team . Even for sending a mail we need to have a premium account . 

 

[ThatFlyGuy 3]

On 3/17/2021 at 6:25 PM, PinkElephant said:

Even if it may sound harsh to you: Hope you learned a lesson or two from that - like

• I will never use the same password on several services again
• I use a password manager to generate stronger-than-need-be, unique passwords
• I always activate 2FA to protect valuable accounts
• No backup, no mercy

and most important

• I take responsibility for myself, don’t expect others to nanny me, don’t play blame games 

 

 

Frankly, your attitude throughout this thread is pretty ridiculous. I work in cyber sec and the fact that there is obviously no automated system in place to throw notifications of suspicious logins to registered email accounts is utterly unacceptable and appalling by industry standards. That’s not even broaching the topic of a breach on Evernote’s end, which I’m almost certain there has been. I haven’t accessed Evernote in years and use algorithmically generated unique passwords for all of my accounts. I just received notification of a login from Columbia. The chances that I was key logged and then the hacker waited literally years to attempt a login is preposterous.

[Hen J 3]

Hello everyone,

I'm trying to investigate if my evernote account was hacked (lots of sensitive stuff there) 'cause I discovered something strange in my account.

I used to use evernote on 2 devices: an Android and a Window laptop. I NEVER opened evernote for more than 2 years until yesterday on chrome web. I did not unsync, sign out or revoke both the Android device and the evernote app on my Window laptop (I just did not open the app for a long time). However, when I logged in to evernote on Chrome yesterday, I saw that the Android device was still linked/synced to my account while the Window laptop was NOT.

Here are things:

1. The Android device was reset several times after the last time I used evernote on that device and I did not reinstall. And to be clear again, I did not unsync, sign out or revoke this device before resetting. And this device is still linked/synced to my evernote account so far. So I assume that unless I manually revoke or sign out, the device would still be flagged as a synced device.

2. In case of the Window laptop, I never opened the evernote app from July 2018. Yesterday, I opened the app after 2 years and 10 months and the app is still logged in with my evernote account but keeps asking me to enter the password for syncing. This to prove that I did not sign out from my laptop. And this laptop is NOT linked/synced to my evernote account so far.

So my question is "Does evernote ever automatically revoke a device for some case, like re-architecting event, long time NO use, ect?" If the answer is yes, it is really a huge relief to me!

My second question is that the "How far does the Access History feature store logins info? Is it more than 6-9 months?"

I don't try to blame anyone or anything, I just try to prove everything is alright. I was a victim of identity theft so I do know that my questions are some kind of anxiety disorder and I'm sorry for that in advance. I much appreciate any help/any answer or any hint from you guys. Thanks and thanks very much!

(to moderator: please approve my post . really appreciate)

[Paul A. 609]

@Hen JI'm in a bit of a rush but the below link may help, suggest you read it carefully and follow the links to help troubleshoot your security issue. Good luck! 

https://help.evernote.com/hc/en-us/articles/115004395487-What-to-do-if-you-suspect-unauthorized-access-to-your-Evernote-account

 

[Hen J 3]

8 minutes ago, Paul A. said:

@Hen JI'm in a bit of a rush but the below link may help, suggest you read it carefully and follow the links to help troubleshoot your security issue. Good luck! 

https://help.evernote.com/hc/en-us/articles/115004395487-What-to-do-if-you-suspect-unauthorized-access-to-your-Evernote-account

 

Thanks so much for helping me, Paul A. Your source helps me answer the second question: Access History stores logins' information for the past three months. 

Fyi, I immediately changed my password yesterday and now from your source I know that there's no login within 3 months. My evernote account is safe now I believe. What I do now is to try to prove that I was not being hacked.

Any idea for the first question "Does evernote ever automatically revoke a device for some case, like re-architecting event, long time NO use, ect?" would help me feel more relieved. I haven't opened evernote app in my window laptop for 2 years and 10 months.  

[PinkElephant 8,088]

There were other postings about being hacked, but they all showed foreign devices in the access list.

In the current version of EN access is AFAIK granted for a maximum of 1 year. But I am not sure this means the device is revoked as well.

If there was no access in the logged period, I would assume nothing has happened. In most cases where accounts got hacked they searched for crypto currency wallet data, and left when they didn’t find any. Probably what many of us regard as sensitive information is of little interest for the „average“ hacker, who is after money.

All hacks reported here so far originated from access data stolen somewhere else, and used to enter an EN account. To prevent this, use a strong and unique password for every service you are using. To keep track a password manager is advisable. For all accounts there is 2FA available that adds another layer of security.

[Hen J 3]

2 hours ago, PinkElephant said:

There were other postings about being hacked, but they all showed foreign devices in the access list.

In the current version of EN access is AFAIK granted for a maximum of 1 year. But I am not sure this means the device is revoked as well.

If there was no access in the logged period, I would assume nothing has happened. In most cases where accounts got hacked they searched for crypto currency wallet data, and left when they didn’t find any. Probably what many of us regard as sensitive information is of little interest for the „average“ hacker, who is after money.

All hacks reported here so far originated from access data stolen somewhere else, and used to enter an EN account. To prevent this, use a strong and unique password for every service you are using. To keep track a password manager is advisable. For all accounts there is 2FA available that adds another layer of security.

Wow, your information means a lot to me. Thanks very much!

Besides using strong & unique passwords, I suggest we should consider changing passwords periodically as well. Although we are sure we generated strong passwords, hackers are smart and it is not easy to figure out how our passwords were stolen today. And I'm happy to receive notification emails for every single login for every service I am using now, which I felt so annoyed in the past...

Again, thanks PinkElephant and Paul A. I feel relieved now.

[PinkElephant 8,088]

You can check whether your account is in one of many (not all) security breaches on this web site:

https://haveibeenpwned.com/

[LateToTheGame 31]

Could unrecognized access history simply reflect the use of a VPN on the user side? I'm not a tech expert. When I look at my Evernote Access History, I see logins from around the world. Most, but not all, reflect my past choice of login location using my VPN. Perhaps the other non-recognized locations reflect the VPN service bouncing around to different nodes (again, not a techy). I do use a 2FA and a complex and unique password.

[PinkElephant 8,088]

Hackers use all sort of cloaking available. This includes VPNs to relocate, setting up false device profiles (reported here is often access of an „iPhone“, most likely a PC or Linux machine) and other means.

If you use a VPN yourself, the access profile can be similar. You should be able recognize your devices. I tend do give my devices names that allow to identify them in access history.

[LateToTheGame 31]

Yep, even the unknown locations on my Evernote Access History use my personal device names. I appear to be logging in from around the world when on my VPN.

[LateToTheGame 31]

I'm not ruling out being hacked, but the pattern and data seem to reflect my own vpn use.

[JstBery 0]

The more we rely on technology, the more potential power hackers gain over us.

[glasgonam 0]

it's quite interesting! I have just started studying this topic, but I can already say that I really like it.

[PinkElephant 8,088]

You probably like it, unless you are on the receiving end of an attack. Then you better know other people who like it as well, and can help you out.

[LittleElephant88 0]

Hi, My account was hacked and 1 log in in Vietnam.  I changed my password.  I have a free account so only allowed two devices to sync at a time and already have two devices set up.   After reading this thread I realize my password was too basic.  I set it up in 2010 and not sure I would use it as much as I end up and never change a more secure password.

1. Is is possible to download all my notes from the web access?  I do not see a method.  

2. Would someone at EverNotes be able to tell me definitively how long they were login and what they viewed or downloaded?  Is so who would I point that inquiry?

Any help would be greatly appreciated.  

[LateToTheGame 31]

Were you using a VPN?

Is "Android-Zoji-A-3347J" the device name for your Android device? 

[PinkElephant 8,088]

Downloading is only possible through one of the desktop clients, not through web or mobile. Desktop clients can download to ENEX (an export file format) or export as HTML.

About the details of the access, maybe they can read something from the server log files. Although I doubt it, and what would it tell ? On other cases reported in the forum, the hackers were searching for crypto-currency. When done, they left the account.

To avoid they return, you better take measures. Beside changing the password, I would as well enable 2FA. Free users can only use the method by messaging.

https://help.evernote.com/hc/en-us/articles/115004395487-What-to-do-if-you-suspect-unauthorized-access-to-your-Evernote-account

Access to support is subscribers only.

[Joe_17076 0]

Is it posibble for hackers to break the two factor authentication also ? Because eventhough  I have changed my password multiple times and revoked acess to all other devices  , whenever I am asking to send the verification code after password verification  , I am getting very weird text messages with the code reply that doesnt look like it isnt coming from evernote 

[PinkElephant 8,088]

If you use the SIM code, it can be broken the way I described, by SIM scamming.

App generated codes can be broken as well, but it is much harder because they expire rapidly.

In both cases your computer needs to be compromised as well !

[dingleberry 0]

Same issue, 

 

Trying to find what they accessed but you would think multiple logins from around the world would trigger some automated wtf security threat or... 

 

This is not a location your in typically please verify by email. Simple security measure. Simple. 

Evernote, please help us who got hacked. In 1 day I have close to 100 logins. How does that not raise a flag? 

[Dave-in-Decatur 3,950]

As has been mentioned several times in this thread, this kind of hack is usually traceable to using the same password for Evernote as for other services. If someone gets your email address and a password you commonly use, they can get into your Evernote account. Hopefully, you've already changed your Evernote password to something unique.

I agree, it might be good if Evernote issued security alerts for unusual logins. OTOH, if they did I guarantee someone would pop in here to say "I travel all over the world on business and log in to Evernote every day. Why does Evernote nag me with these warnings?"

[aurien 0]

This has just happened to me, same 1000 logins from multiple cities at the same day. NO SINGLE EMAIL FROM EVERNOTE. I´m reading that this is because of inconvenience. REALLY? It's not a bit weird that a person travels the world in less than a day?

I realized this because some accounts were hacked and the only place i saved these was here.

[LateToTheGame 31]

Were you using a VPN? I believe this could make it appear that you were logging in from all over the world.

[PinkElephant 8,088]

It seems this thread is a collector for people who run bad account security (weak, reused passwords, no 2FA) and come here complaining about they were not warned.

Bad account security can't be solved by a warning. Every warning is retrospective, and needs a trigger point before it kicks in. Before a reasonable trigger can activate himself, everything that could have happened has already happened.

Reasonable means only kicking in when it is very unlikely that there are legitimate access events. Access from different IPs can be coming from a legitimate user, employing something like a VPN. If an account is cracked, there can be several access events in a short period of time, driven by bots that check for a single item each.

In the above printout the access is coming from "Skitch for iPhone". This means it is no regular login, it uses the API that is available for Skitch, the separate app provided by EN for picture editing and annotation. APIs are used for automatic access from other apps, so its probably pretty hard to detect if it is the app, or a bot mimicking the app.

Anybody in doubt about a security issue should contact support. The ticket type "Account" is available for Free users as well:

https://help.evernote.com/hc/en-us/requests/new

 

Beside this, improve account security: Change the password at once to one strong & unique. Then enable 2FA. Check if in the past you have authorized API-access for other apps. In this case the safest way is to revoke them, and only grant them again after account security was beefed up.

[Roger__ 0]

I'm really confused by this thread.  Is there any moderation on this?  is PinkElephant an employee of Evernote or this is just people chatting about a serious issue that can lead to wrong actions?

How anyone recommends to check a random site like https://haveibeenpwned.com/. ???   Why is not Evernote official posts not clearly identified (if there any)?

[agsteele 2,944]

Only accounts marked STAFF are from staff members.

All these threads are users attempting to help other users.

[PinkElephant 8,088]

Just for those who don’t know: The site mentioned above is one of the most renowned security websites in the world. They fetch lists circulating in the darknet with real life user data, and allow to probe own IDs XOR passwords against this data treasure.

XOR means you can either check your ID, or your password, but not the combination of both (which would be very unsafe).

There are other sites with a similar approach, but this one is still the standard:

https://haveibeenpwned.com/

 

[Bere 0]

I am using my wife's Evernote since mine was hacked after I received the warning, I just deleted at 3 am 2 days ago, but I think too late since passport and users and passwords were retrieved and used in fake and not safe places around the world. This is not safe, Evernote can't give access to if using different device not authorized, now i will have a nightmare.

The hacker synchronized all my data and since I deleted all and deleted my account now, I don't remember how much private data was there. I am stating from the beginning changing strong passwords for all.

 

Is possible to restore my account change the password and then able to see all I have there? If yes just reply

[Gaetano BonGiovanni 0]

On 11/9/2020 at 12:31 AM, Billy089 said:

I haven't used Evernote for a couple of years but got an email saying that there was suspicious log on from Egypt.  I accessed my account, where I still had work, to find in the last couple of months (the extent of the time period shown), my account had been accessed from Denmark, Egypt and multiple Asian locations. 

What on earth is going on? I only got notified of the last access and not any of the former.

I have only study notes but that is one heck of breach, so has old email addresses been sold off? 

 

[Luke Lugares 0]

Out of curiosity, if I have a similar problem with unauthorized logins (which I was not notified for). Is it possible to check what else other accounts and apps have been accessed (which I was not notified about)?

For example, with bank accounts I had fraudulent transactions once and was notified, with my gmail I get notified when logging in from different computers. How about more obscure accounts such as Discord or Adobe Acrobat. Should I assume this "hacker" is accessing these other accounts and I'm not being notified. Similar to what happened with Evernote?