Account hacked, access from Skitch. What does this mean?

[RobinGL 1]

Yesterday I received an email with a login on my Evernote account from Brazil. Unfortunately I saw the email 1 hour later and I see countless logins from all over the world on my account, all from "Skitch for Iphone". I'm not familiar with the app, but does somebody know if they could have had access to all my notes when entering my account with Skitch? I'm kinda freaking out and of course already changed my password and enabled 2FA (which isn't working now when trying to access my profile...).

I hope somebody can help me out and know what they could have done with my account with the Skitch app. Thanks for your help!

[PinkElephant 8,119]

Skitch is an independent app that sends its content through the API into your EN account. The API is an universal interface on the web - your account is connected to the API using the same login data as the official account login that you know.

Basically this is what likely happened, and what you should do NOW:

1) Your password is unsafe, probably because you use the same or a similar password on multiple services. When one of them is cracked, the hackers try all sort of other accounts using the same login data. We have no indication that this breach would have happened with EN. If you had 2FA enabled, nothing would have happened even with the password in circulation.

To check whether your user ID and passwords are circulating in the internet, you can check at this page:

https://haveibeenpwned.com

2) You need to make your account safe again. Everything you need to know is in this help article:

https://help.evernote.com/hc/en-us/articles/115004395487

3) Because the bad habit of reusing passwords is usually not limited to only one account, you should take immediate action for all accounts that share the same or similar passwords. All of them are in danger ! The best method to create and manage safe, unique and strong password is a password manager.

4) Because passwords are not enough to protect important accounts, you should enable 2FA wherever possible. EN offers this service for Free accounts by SMS, for subscribers by any authenticator app (not only by Google authenticator).

 

 

[RobinGL 1]

Hi PinkElephant,

Thanks for the quick response. My password was indeed not very safe, so I changed it immediately when I found out and enabled 2FA as well. I also changed all other passwords.

If I understand correctly, Skitch can only send content to my EN account? Or could they have also accessed the data inside my EN account and downloaded it's contents? I only see access from the Skitch for Iphone app, not the web app or desktop apps. I'm really scared they had access to my data. Hope you can help me understand!

Thanks again!

[PinkElephant 8,119]

Skitch is only the app as which the bot used by the hackers identified himself. There was no Skitch app used for the access.

The API can be used to retrieve information as well as write it. Basically they probably used a predefined set of search words to find corresponding content in your database, and download them from the account. In former cases we had searches for "crypto", "wallet" and the like, to find and get at cryptocurrency data. This sort of information should never be stored in any account that is permanently online - the best is a safe device used as a cold wallet, and kept offline unless needed for a transaction.

If on a subscription you can access support and see if they can tell more.

[RobinGL 1]

Thanks for helping me out, I understand now! I will contact support to see if they can tell me more. Fortunately I don't have any cryptocurrency data in my account.

Thanks PinkElephant!

[JR Silvey 0]

I haven't used my Evernote account in sometime because I no longer used Windows. I received an email today saying I had a login to my Evernote account so I checked it out.. 

My account had been used since nearly the same date as the original poster. When I realized this I secured my account by changing my password, removing all other connected devices and enabling 2FA. 

I generally stay abreast of current security vulnerabilities and other types of hacks. I hadn't heard of any Evernote hacks. 

If this same style of attack was used successfully against both the original posted and myself there are likely many, many more people affected. I expect Evernote to fully investigate this. 

Thank you. 

PS: The image below shows all of my logins since June. Only the most recent and obfuscated login is from me. I do not have Windows nor do I have an iPhone. It clearly aligns with the dates of this post so I strongly believe this is bigger than just the original poster and myself.