jeancharlesbkk 0 Posted November 17, 2021

Hello all,

After using Evernote for years, I finally got hacked: on 11/11 and 14/11 two connections happened from Germany and Paris, whereas I have lived in Bangkok for years... How come this happened? Can the Evernote team investigate how people can enter my account so easily? I feel badly cheated. Since then I have set up Google Authenticator, but still, this deserves an audit to see where it comes from.

Level 5* DTLow 5,699 Posted November 17, 2021

1 hour ago, jeancharlesbkk said: "how come this happened? ... how can people enter my account so easily?"

The only way to access your account is with your account-id and password.
We're guessing your password was compromised outside of Evernote.

Evernote Expert agsteele 1,898 Posted November 17, 2021

@jeancharlesbkk don't forget to change your password for something secure, use a password manager to store passwords and enable two-factor authentication.

Level 5* gazumped 9,836 Posted November 17, 2021

Detailed help here - https://help.evernote.com/hc/en-us/articles/115004395487-What-to-do-if-you-suspect-unauthorized-access-to-your-Evernote-account

Level 5 PinkElephant 5,588 Posted November 17, 2021

You can check if your UserID has been compromised in the past here. The site draws from data circulating in the dark net, stolen at many services (not from EN …). If you recycle passwords, it is very easy to crack your account open:

https://haveibeenpwned.com

NinaN 0 Posted November 21, 2021

I haven't logged in for a while and when I logged in today I also found that my account has been hacked and it's showing zillions of accesses from an Android device from multiple countries.

I am not sure how I could possibly get hacked considering:

* My Evernote password is not re-used anywhere else. It is 15 characters long and is a random mix of upper & lower case, numbers and symbols.
* My password is only stored in two places - Google Chrome and Norton Identity Safe, which I assume are pretty secure.
* Only accessing from two devices - my work laptop, which has zillions of security stuff installed so unlikely to have a keylogger or anything of that sort, and my iPhone, which has Norton 360 Mobile Security installed. No one else touched these devices for years.

I haven't set up two-step verification so I'll do that now and reset password, but it's really strange that two Evernote users experience a similar security issue in a short period of time?

Level 5* gazumped 9,836 Posted November 22, 2021

On 11/21/2021 at 2:39 AM, NinaN said: "it's really strange that two Evernote users experience a similar security issue in a short period of time?"

Out of 200M+ users I'm surprised that only two people raised a query. Millions of people have been users on various websites that have been hacked in the last few years for email, user names and passwords, and your phantom attempted logins are probably a symptom of the general black hat community trying random details to find what accounts are vulnerable. Basic protections like 2 factor auth will lock that down for you.

Level 5 PinkElephant 5,588 Posted November 22, 2021

I get nervous when I hear about Norton as a security suite, and I get really nervous when I hear about Norton installed to an iPhone. But be it, maybe only my bad vibes. In general having a shitload of security stuff installed is bad, because usually they get into the way of each other. This does not avoid holes, it creates them. On an iPhone it is plain useless, because iOS won’t allow it to see any interesting parts of the device. It just sits there, provides a good feeling and consumes the battery in exchange.

To narrow it down:

Password - sounds pretty good, but given the latest advances in GPUs maybe not good enough any longer. GPUs are used for cracking passwords, and there is a shitload of idle GPU farms in China since they cracked down on bitcoin mining. But anyhow, let us say pretty safe. EN will block a typical brute force attack - but there is a variant called „spraying“ that is much harder to detect.

Storage - not as good as it could be, storage should be separate from the tool used for access. Storing in the browser IMHO is a no go for any value password - it is OK for the occasional website I revisit for non critical stuff. Norton may be OK (it still gives me the creeps, but I know, my bad vibes). And never use the same app or device for the second factor as for the first, just to mention.

Devices - maybe, maybe not. If security on work devices would be that good, there would be nearly no ransom attacks. They install sneaky scripts on work machines all over the planet, grab passwords and other stuff, and then use it to damage data storage and steal tons of archives right under the eyes of the admins. If you would tell „my Linux laptop“ or „my Mac“ I would be less concerned, but ANY Windows machine … And then it could be on the network (always using a VPN?), or somebody peering over your shoulder, the USB stick from a friend or business contact (search for „rubber ducky“ if you want to learn more), there are plenty of other opportunities.

Be it as it may be, we „old“ forum users (none of us except those marked with a staff badge work for EN) have seen the „breach“ hypothesis over and again - it was never proved here, nor in other independent places on the web. So better check on your side where the login data may have leaked. There may be more holes to plug, for other services as well.
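
An added example, not part of the thread and not Evernote's code: it illustrates the remark above that a typical brute force attack gets blocked while "spraying" is harder to detect, by running a per-account lockout rule and a per-source rule over the same login events. The events, IP addresses (documentation ranges), account names and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed events: (time, source IP, account, outcome). All values are made up."""
    t0 = datetime(2021, 11, 14, 3, 0, 0)
    ev = []
    for i in range(12):   # brute force: one source hammers one account
        ev.append((t0 + timedelta(seconds=5 * i), "198.51.100.7", "alice", "fail"))
    for i in range(15):   # spraying: one guess per account, spread over time
        ev.append((t0 + timedelta(minutes=2 * i), "203.0.113.9", f"user{i:02d}", "fail"))
    for i, outcome in enumerate(["fail", "fail", "ok"]):   # a user mistyping
        ev.append((t0 + timedelta(seconds=20 * i), "192.0.2.44", "bob", outcome))
    return sorted(ev)

def lockout_accounts(events, max_fails=5):
    """Per-account failure count, which is all a simple lockout rule looks at."""
    fails = Counter(acct for _, _, acct, outcome in events if outcome == "fail")
    return {acct for acct, n in fails.items() if n > max_fails}

def spray_sources(events, window=timedelta(hours=1), min_accounts=10, max_per_account=2):
    """Sources that fail against many distinct accounts in one window, few tries each."""
    by_src = defaultdict(list)
    for ts, src, acct, outcome in events:
        if outcome == "fail":
            by_src[src].append((ts, acct))
    flagged = set()
    for src, rows in by_src.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1   # slide the window forward
            per_acct = Counter(acct for _, acct in rows[start:end + 1])
            if len(per_acct) >= min_accounts and max(per_acct.values()) <= max_per_account:
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    sample = build_sample()
    print("lockout rule sees:", lockout_accounts(sample))
    print("spray rule sees:  ", spray_sources(sample))
```

The lockout rule only ever notices the hammered account; the sprayed accounts each show a single failure, so the pattern is visible only when failures are grouped by source.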