
Help me understand how my Evernote was Hacked



Unfortunately my Evernote account was compromised on Wednesday March 15th and sensitive financial data was stolen.

I watched the hack take place in real time and it was heartbreaking. I did not have 2FA enabled.

Correct me if I'm wrong, but on the free plan only two devices should be allowed. My phone and my computer, that's it.

Here's a timeline of events:

  • 12:05PM - Receive an email notification from Evernote that someone tried to log in. Evernote mentions they have blocked new logins until they can verify it's me. I was never verified.
  • 1:54PM - Receive an email notification of a new login from an IP in Wyoming (turns out to be a TOR Exit Node address). I end up disabling access.
  • 2:48PM - Receive an email notification of a new login from an IP in Germany (turns out to also be a TOR Exit Node address). I scramble to change pw and check data and to my horror I realize it's stolen.

Is there an exploit going around targeting Evernote accounts or was I the victim of a targeted attack? How was this user allowed access when there is a two device limit and none were removed?

Thanks


  • Level 5*

Hi. We're mainly users here. You already have lots of useful links from Evernote direct; if you have genuinely lost data, I'd suggest you contact Support as soon as possible.

11 hours ago, datguy348 said:

Is there an exploit going around targeting Evernote accounts or was I the victim of a targeted attack?

You've mentioned that you didn't have MFA enabled at the time. Are you also re-using the same password across different accounts using the same email address?

What often happens is that an un-secured system (not Evernote) gets hacked and people with accounts in that hacked system have used the exact same password and email for their Evernote account also! Bad actors will try the hacked email and password (again, from another system) against multiple other systems because people re-use the same password across different systems so often.

  • Level 5

The only known exploit is by hackers getting hold of a user name & password elsewhere, and opening the account with a legitimate login. That different IOS are used is rather the norm than an exception.

Most times a crack happens when the user name and password manager were obtained in a breach on another service. Many (not all) are listed here - you can try your user name against this site:

https://haveibeenpwned.com

The other (less likely) chance is one of your devices got infected by malware, including a keylogger and/or screen grabber. Then it was stolen directly from one of your devices, or from another computer where you may have logged in.

Usually 2FA would stop such an attack - this is why 2FA is recommended for all accounts. If you decide to store sensitive information in any account, not using 2FA is a serious lack of good security practices in itself.

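As an added example (not part of the post above, and not Evernote's or haveibeenpwned.com's own code): the password side of the check the post recommends, done in Python against the Pwned Passwords range API. The API is built on k-anonymity, so only the first five hex characters of the password's SHA-1 ever leave the machine and the comparison against the returned suffixes happens locally. The sample range response, its counts and the `offline_fetch` helper are constructed here so the block runs offline; `http_fetch` shows the shape of the real request.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """SHA-1 the password and split the upper-case hex digest 5/35, as the
    Pwned Passwords range API expects. Only the 5-char prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}.
    With the Add-Padding header the server mixes in dummy suffixes with count 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    `fetch(prefix)` must return the response body for that 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def http_fetch(prefix: str) -> str:
    """Live lookup against the real API (not used by the offline demo below)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with it).
# The counts and the other suffixes are made up for this example; a real
# response for any prefix is several hundred lines long.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",   # suffix of "password"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",         # padding entry
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for http_fetch that serves the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

Swap `offline_fetch` for `http_fetch` to query the live service; the breached-account lookup the post links to (searching by email or user name) is a separate, API-key-gated endpoint and is not shown here.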
  • 2 weeks later...

This happened to me too on March 25th. I also did not have MFA enabled. I received an email on the 25th about a suspicious login on my account from Ho Chi Minh City, Ho Chi Minh, Vietnam (probably also a Tor exit node). On March 26th, two of my crypto wallets were emptied by the same address. Of course, I shouldn't have ever stored my recovery seed phrases online, so that's my own fault for putting that trust in evernote.

  • Level 5*
16 hours ago, r00t said:

Of course, I shouldn't have ever stored my recovery seed phrases online

I'd agree with that... some of the major companies who appear to have been hacked in the past few years include: (in no particular order)

  1. SolarWinds
  2. Marriott International
  3. Twitter
  4. Zoom
  5. EasyJet
  6. MGM Resorts
  7. Capital One
  8. Home Depot
  9. Yahoo
  10. Equifax

Please see this thread for possible vectors for such attacks.

16 hours ago, r00t said:

so that's my own fault for putting that trust in evernote

16 hours ago, r00t said:

I also did not have MFA enabled.

🤨

Evernote hasn't been hacked. There are a myriad of reasons accounts can be compromised: keyloggers and other viruses and malware, bad browser extensions, re-using account credentials across different services, etc, etc.

  • Level 5

Just to mention it: EN is no place to store sensitive data. For passwords, there are password managers. And crypto should never be stored in a "hot" storage like any cloud service. The best place for crypto is a cold wallet, that is only connected to the internet during a transaction.

EN as far as we observe it as users is not compromised. It is either a reused password - slightly altered passwords, like counting a number up or down, count as "reusing" as well. Then it is stolen in one of the breaches elsewhere - see the list @gazumped posted - and tried on different accounts by chance.

Or it is malware on a device, stealing the login credentials. Or - quite on a rise - it is phishing, a campaigning method tricking people into entering their credentials on a bogus (but very professional looking) website.

Two-factor authentication creates another layer of security, but there are recent phishing campaigns that are cracking even this security method. Just to be very clear about this: Phishing means the service is NOT hacked, it is the user himself who is tricked into entering the credentials where the hackers can grab them.

Either way, what is not stored in an accessible server or device can't be stolen.

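Added example, not part of the posts above: the point that a slightly altered password still counts as reuse, shown in Python from the attacker's side. `counting_variants` produces the number-up/number-down mutations a credential-stuffing tool tries first, and `is_near_reuse` flags a candidate password that is only a mutation (case change, trailing year or symbol, leet-speak) of one already exposed in a breach. The breached passwords in `BREACHED_SAMPLE` are constructed values, and the normalization rules and the edit-distance threshold are illustrative choices of this example, not a published mangling rule set.

```python
import re

# Leet-speak reversals this example undoes (an assumption, not an exhaustive
# list): attacker mangling rules apply exactly these substitutions forwards.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to the base word a mangling rule started from:
    lower-case it, strip digit/symbol runs from both ends, undo leet-speak."""
    core = password.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", core)
    return core.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def counting_variants(password: str) -> list:
    """The 'count a number up or down' mutations, keeping any trailing symbols
    and zero padding: Summer2023! -> Summer2022!, Summer2024!"""
    m = re.search(r"(\d+)(\W*)$", password)
    if not m:
        return []
    digits, tail = m.groups()
    head = password[:m.start()]
    variants = []
    for delta in (-1, 1):
        n = int(digits) + delta
        if n < 0:
            continue
        variants.append(f"{head}{str(n).zfill(len(digits))}{tail}")
    return variants


def is_near_reuse(candidate: str, breached: str, max_edits: int = 2) -> bool:
    """True if `candidate` is the breached password or a cheap mutation of it."""
    if candidate == breached:
        return True
    if candidate in counting_variants(breached):
        return True
    n_cand, n_breached = normalize(candidate), normalize(breached)
    if n_cand and n_cand == n_breached:          # same base word, different decoration
        return True
    return edit_distance(candidate.lower(), breached.lower()) <= max_edits


# Constructed sample of passwords "exposed in a breach elsewhere".
BREACHED_SAMPLE = ["Summer2023!", "password", "troubador"]


def check_against_breach(candidate: str, breached=BREACHED_SAMPLE) -> list:
    """Return the breached passwords the candidate would be guessed from."""
    return [b for b in breached if is_near_reuse(candidate, b)]


if __name__ == "__main__":
    for pw in ("Summer2024!", "P@ssw0rd", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        hits = check_against_breach(pw)
        print(f"{pw!r}: {'reuse of ' + ', '.join(hits) if hits else 'no near match'}")
```

The same functions run in the other direction: feed a new password through `check_against_breach` against the passwords you know were in a breach, and reject it if anything comes back, rather than trusting that a changed year or a swapped-in `@` made it new.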
