account hacked, deactivated, now another notification of a hack the next day

[Cynthia S 0]

Hello,

I had my account hacked and have been changing passwords, started two factor authentication, etc -- only to continue to get notifications. So I decided to deactivate my account. I did this yesterday. Today, I receive another note that someone from Egypt (I live in CA) has logged in.  How is this possible if I deactivated my account? I try to log in , and evernote asks me to reactivate. So I  try to reactivate, but now my password doesn't work. Can anyone help me? I opened a new trial premium account, so I could open a helpdesk ticket today but apparently there are significant delays. Any thoughts or ideas would be appreciated.

Thanks!

C

[gazumped 11,652]

Hi.  You seem to have taken all necessary steps - it's difficult to see how any unauthorised access could still be possible.  Unfortunately Evernote Support are the only people with access to the account to carry out any checks so I'm afraid you'll have to wait for their response.  Meantime though if you have anything in your Evernote account that you really don't want anyone to have access to - and as soon as you can get access yourself - I'd suggest you find somewhere else to keep it!

If it's any consolation I don't know how accurate those 'access from Egypt' warnings are - some connections were flagged on my account that were supposed to come from India,  but I recognised the IP address as my own...  and I wasn't anywhere outside the UK.

[PinkElephant 8,068]

IPv4 addresses are in short supply. They were sold in large blocks in former times, and were roughly related to geographic regions. But today the stock is completely assigned, and companies start to deal with IPv4 they were able to liberate (for example by switching cable customers to IPv6). This may happen intra-company at one of the global,players, or by selling them. It may happen that IPv4 from a block that was sold to one country will be reused in another.

Another explanation (probably more frequent) is the use of VPN services by hackers. Because this can’t be separated from legitimate owners traveling to another place, it is not easy for a global service like EN to tell users and hackers apart.

[disgruntled123 0]

i am having the exact same problem. i haven’t deactivated my account (yet) but even with enabling 2 factor authentication i’m still constantly having issues with people trying to break into my account. i’ve even changed my password multiple times and i’m still being hacked.

[PinkElephant 8,068]

I find this plainly not plausible, if I take EN alone. Changing a password is a 1:1 communication with the EN server, and 2FA is a short lived code that allows access for a brief period of time only.

If you have a larger security problem, it is however possible. There are trojan attacks to PCs that plant a whole set of malware on a computer (typically on a Windows PC, Macs and Linux are harder to crack). Among them are keyloggers (that record every key you type) and screen recorders (that grab your whole activity on the screen) that send this information to their control server. If you use an infected PC, and hackers really want to get into your account, it is possible that you send them the information they need every time you try to bump up security.

No way for me to see if this is true.

If I had a security issue and wanted EN to do something about it, I would use another device (like a phone, through mobile data connection, not the usual WiFi) to log into my account, go to support and send EN a support ticket about the security problem. Select „Account“ as ticket type, because EN will only allow this type of ticket for a Basic account.

And then I would the hell solve my security exposure, either myself or if I don’t know about it by professional assistance. Not cheap, but letting it continue is no alternative either.

[disgruntled123 0]

1 hour ago, PinkElephant said:

I find this plainly not plausible, if I take EN alone. Changing a password is a 1:1 communication with the EN server, and 2FA is a short lived code that allows access for a brief period of time only.

If you have a larger security problem, it is however possible. There are trojan attacks to PCs that plant a whole set of malware on a computer (typically on a Windows PC, Macs and Linux are harder to crack). Among them are keyloggers (that record every key you type) and screen recorders (that grab your whole activity on the screen) that send this information to their control server. If you use an infected PC, and hackers really want to get into your account, it is possible that you send them the information they need every time you try to bump up security.

No way for me to see if this is true.

If I had a security issue and wanted EN to do something about it, I would use another device (like a phone, through mobile data connection, not the usual WiFi) to log into my account, go to support and send EN a support ticket about the security problem. Select „Account“ as ticket type, because EN will only allow this type of ticket for a Basic account.

And then I would the hell solve my security exposure, either myself or if I don’t know about it by professional assistance. Not cheap, but letting it continue is no alternative either.

Okay well I'm not lying, and Evernote is the only thing this happens to, so no, I don't have a security problem. Also, I feel like I should clarify, since enabling 2FA, nobody has been able to actually get into my account. I just keep get text messages saying "your verification code is xxx." But obviously before this, people were able to get into the account and I'd have to log in and revoke their access. I've had EN since June, and I've been actually hacked 5 times (including after a password change) and twice with 2fa.

[DTLow 5,736]

2 minutes ago, disgruntled123 said:

I just keep get text messages saying "your verification code is xxx."

So someone knows your password and is trying to access your account
Update the password, and only use it on the Evernote service
Don't use the same password on other services

[disgruntled123 0]

3 minutes ago, DTLow said:

So someone knows your password and is trying to access your account
Update the password, and only use it on the Evernote service
Don't use the same password on other services

okay but like i said, i have changed it, and that didn't help

[PinkElephant 8,068]

There are other threads here in the forum regarding security issues.

If you read them (the forum search will take you to them), you find a lot of background and advise.

Common issues: Reused or weak user and passwords, no 2FA, security breaches on other services where login data was extracted (not at EN itself). It is a known issue that even 2FA based on messaging (not on apps) has been breached in the past (again not at EN), by hackers tricking a phone company into issuing a new SIM card for the same phone number.

Finding out what happens in your case needs more details than can and should be disclosed in an open forum. And not knowing if you have a security issue does not mean you don’t have one - it just means you don’t know. I can just repeat you probably should involve EN support - how to is described in my post above.

And that is it.

 

[Peppone 1]

Ho lo stesso problema da tre settimane. Puntualmente mi arrivano notifiche da Evernote relativo ad un accesso ad Evernote , una volta dall’India, una volta dal Sudafrica e ora dalla Russia. Ho cambiato tre volte la password. Penso abbiano un problema loro. 

[On my way out.... 4]

Also hacked.  I don't use public computers and access almost exclusively from my phone. Thankfully no sensitive information in EN, but since I *did* reuse a password across what I felt was a low-risk block of accounts, about 1 month after the EN hack they did get into Spotify which triggered me that this was systemic and I changed all my login info that used that password.  The issue I have with 2FA, is EN is asking for my phone number to enable it, which seems like just one more opportunity for these people to collect more information about me through EN.  My EN password that was hacked was 10 characters long, mix of symbols, capitals, numbers fairly randomized... not words or anything else guessable.   I struggle with the premise presented on most of these threads that *I'm* the problem here, and don't want to give EN any more of my information that may later have to be changed to protect security on my other accounts, or against identity theft.  Maybe I'll keep the account to continue to store recipes and gift ideas for my sister in law (whomever in Bali is welcome to that info if they really want it), or maybe I'll drop it because I have l trouble supporting a company that doesn't seem to be taking this systemic issue seriously.

[disgruntled123 0]

3 hours ago, On my way out.... said:

 I struggle with the premise presented on most of these threads that *I'm* the problem here

Yup! Really annoying, especially since it takes a quick google search to see that this something a lot of users struggle with. I just deleted my account because I was sick of getting the 2FA text messages caused by people trying to hack in. besides the fact that, like you said, the insistence that it's my fault my account keeps getting hacking attempts pretty much made it an easy decision to delete

[PinkElephant 8,068]

You guys obviously created a problem for yourself in the past, now you are suffering through the consequences.

First rule: Create strong passwords - a length of 10 may be good today, but can already be weak in a few years time. Because you usually don't make your passwords longer every other year, better use a really long one. And it is good only if it can't be attacked through a rainbow table attack, which means it needs to be completely random.

Second rule: Don't reuse passwords. Don't be smart, and think that a small modification like exchanging a few positions make it a new password.

Third rule: Use 2FA. Premium users can use an authenticator app, so no need to tell EN your phone number. But even if you do - it is much safer with phone number + 2FA enabled than without both of them.

@disgruntled123 If attacks persist even after you changed your password, you should think about malware on your computer. If there is a key logger installed, you can do whatever you want - the new passwords will go right to the hackers. Not only this, but every other information you type as well. Modern malware is not easy to detect and remove, and antivirus programs offer only a relative security. But as you know how to "Google it", you are probably aware of this already.

[disgruntled123 0]

@PinkElephantdo you work for Evernote or are you just an aggressive Evernote fan? i guess i'll repeat myself 1.) I had changed my password (with a never before used password, might I add) AND enabled 2FA and was still getting hacking attempts. 2.) This is the only website/app where this happens to me, so no, it's not my computer.

if you work for evernote, you're terrible at customer service. if you don't, you're really salty about an app. 

i obviously didn't create this problem myself, and you can keep blaming me despite everything i've said, i don't really care. i already deleted my account. Evernote security seems to be an actual problem but I guess Evernote would rather have their crusty moderators deflect than accept any blame.

[PinkElephant 8,068]

Glad you are gone - from user to user. See, now you know that I don't receive money to try to help even the hopeless cases. Quod erat demonstrandum - sorry, you have asked for it.

Hope you get your security problem fixed. Blaming others is always easier, but it does rarely lead to the desired result.

Because you know everything, you know already that you can check your exposure here:

https://haveibeenpwned.com

[disgruntled123 0]

@PinkElephantI do already know that, and my passwords were all already changed because of that. 🙂

never seen someone so pressed over a note taking app before. you good bro?

[PinkElephant 8,068]

Nomen est omen - at least you picked a good one.

[ArjenC 124]

@disgruntled123 

Just my 2 cents on this matter:
When you use a strong password, like: 66.GXQBMNqQ2wPgC7moE (don't use this one any more) and activated 2FA than it is really hard to breach your account. (not impossible).

When you write: still getting hacking attempts i assume that someone tries to get access to your account. This is (most likely) because the "hacker" knows your email and/or username. If this is known, it is shared in several databases. You will never get rid of this leaked information. 

My advice: change username and email registration information. Go for a total new account registration (with again new password and 2FA activation).
Contact Evernote and explain your current situation, think they can and will help you.

Security is a pain, for companies and end users. Once breached it is hard to repair your security. (and I know due to personal experience) 
Whish you all the best, and hope it will be solved quickly.

Best Regards,

(not an Evernote  employee😉)

[AnnaDoe777 0]

On 2/5/2021 at 4:25 AM, ArjenC said:

@disgruntled123 

 

My advice: change username and email registration information. Go for a total new account registration (with again new password and 2FA activation).

I second that: change both the email registration AND the username. Also make sure to go afterwards to your profile and remove the compromised email address

Edited February 23, 2021 by AnnaDoe777
Forgot to add something

[On my way out.... 4]

On 2/4/2021 at 5:25 PM, PinkElephant said:

You guys obviously created a problem for yourself in the past, now you are suffering through the consequences.

Hi @PinkElephant...  I have to say, despite what seems a fundamental difference of opinion around EN's responsibility in this space, I do appreciate how informed you are and that you take your time to share that info with folks having these issues!

I'm curious, question for you or anyone else on here... 2FA would have helped me earlier identify the breach, but lack of it doesn't explain how someone obtained my email/password combo in the first place.  In my specific case, I don't have malware, I don't use public computers, I don't click on links from emails or web without checking them out first (eg. mistrustful even of your pwned link without checking it first... interesting story/site), and my password that was hacked met all your recommendations.  Sharing passwords between EN, Spotify, and the GAP, lol seems to be my greatest risk factor... but what is the scenario under which sharing passwords between the three leaked my info externally?  Sure, a data breach at any of the three would compromise all three... in my case EN was logged into first, spotify second, and no suspicious activity on the third...but then we're still talking about a data breach at one of these three sites, not *me* giving my info away to someone nefarious.

What else am I missing?  

[PinkElephant 8,068]

You can check if your account was in any of the breaches of the past years on these web sites:

https://haveibeenpwned.com

https://sec.hpi.de/ilc/

They probably can not tell when it happened, or where. And of course they don’t have data from every breach.

[nuvolacielo 1]

On 1/27/2021 at 7:32 PM, Peppone said:

Ho lo stesso problema da tre settimane. Puntualmente mi arrivano notifiche da Evernote relativo ad un accesso ad Evernote , una volta dall’India, una volta dal Sudafrica e ora dalla Russia. Ho cambiato tre volte la password. Penso abbiano un problema loro. 

Anche a me sta succedendo da India, Bangladesh, New Mexico ma io vivo in Italia. Si tratta di hacker o di un problema di evernote? Sono preoccupata. 

[gazumped 11,652]

2 hours ago, nuvolacielo said:

It is happening to me too from India, Bangladesh, New Mexico but I live in Italy. Is it hacker or is it an evernote problem? I'm worried.

Hi.  Check the IP address(es) of these attempted connections - if you don't recognise the address,  then it could be a problem. Follow Evernote's instructions and you will be safe...  https://help.evernote.com/hc/it