Access from unknown IPs in Access History

[arnoldikl 1]

I was just doing a big restructuralization of my notes and also some exports. Then I randomly reviewed Access History and noticed two unknown IPs, that supposedly accessed my account (both just today. IPs in the past are fine.). However those entries have my computer's name in it, so I am guessing that my computer somehow accessed something on Evernote by those IPs? But how? I am not using any VPN or something.

The IPs are 184.25.254.166 + 23.218.93.102 - both related to AKAMAI.

Is this a common thing or should I be worried? (I am using strong pw + 2FA)

 

[PinkElephant 8,174]

You can Google for Akamai, and will find they are one of the big players in the internet, maybe similar to Cloudflare. They are handling and routing a lot of web traffic.

This does say nothing about whether the access was legit or not.

If I were you, I would treat it like an illegitimate access: Change your password and contact support.

[arnoldikl 1]

Ok, I have created a support ticket, we'll see.

Was just hoping someone can also observe same behaviour

[Dave-in-Decatur 3,977]

Usually when people report unauthorized access it is because they are using a single password across multiple sites, and someone stole it from a different site and tried it on Evernote. That should not apply in your case, with 2FA. Does the time of the accesses line up with your use of Evernote on your computer?

[arnoldikl 1]

Yes, as I was saying, the IPs are only from today's date (unfortunately, there is no time, just the date) and today I was just using Evernote pretty heavily - I went basically through all of my notes, edited some and also exported all of them. I also have lot of web pages saved using Evernote web clipper, so there may be some external links, that could somehow trigger this behaviour.

Regarding password complexity, it's really complex and unique, stored by Google password manager and not used on any other site. (+ 2FA, of course)

[Dave-in-Decatur 3,977]

Got it. If it were me, I wouldn't be too concerned at this point. Changing the password couldn't hurt. I'd monitor the accesses for a few days, and if anything showed up when I knew I wasn't using Evernote, then I'd be concerned.

[arnoldikl 1]

It would be too late to be concerned anyway Considering that 2FA was cracked also, not only the Evernote account is compromised, but most possibly my PC or phone too

[PinkElephant 8,174]

The usual way to „crack“ 2FA is social engineering or spearphishing, plus some sophisticated setup to (ab-)use the codes within the short time in which they can be entered.

I am not aware of a method that would break the cipher codes directly. Maybe cracking a password manager would do this, if the codes are managed there as well. But using an independent app should still be very secure.

Better because fortified against phishing as well is only the new passkeys concept. But it’s not yet widely supported. EN doesn’t support it either.

[arnoldikl 1]

Well I have tried the support, but unfortunately I am getting only generic responses. Was hoping for some more specific info about those accesses - like what actions were made or at least exact time. But no

So I guess the mystery will remain unresolved.

[PinkElephant 8,174]

The first rule is to give your devices individual names. When your iPhone is called „iPhone“ it will show up in the list with this name. If you would call it ArnoldPhone, you could see at once that it was your own device, only routed through another IP (=the server of another network operator, or another branch of the same operator). It costs you nothing, but would probably prevent a lot of fearful thinking. 

Because no Hacker will know how you call your devices, it is hard to cloak an access attempt under a different device name.

[arnoldikl 1]

Not sure what is your point. I have already stated, that the entry has my computer name in it, so I think it's more probable that it was access from my computer. But it still doesn't answer why it was proxied through that IPs.

And anyway, if it was a hacker, then he still may have somehow stolen some Evernote session token from my PC, in which case he knows my PC name and would have no problem in replicating it.

[PinkElephant 8,174]

Either you have been moving, and on the move accessing different networks. Or your provider has switched between different servers.

Both is absolutely normal, and if you can identify your own device without doubt, why do you bother at all ?

• You sit in a train, using the trains WiFi. They use different providers as they go, roaming all train connections through one provider here, and some kilometers further through a different carrier. This alone creates widely differing points of entry into the general web.
• You go to a hotel, that belongs to a chain, and they route the hotel WiFi to a central server via a private network for all hotels. From there it is handed over to the web. You are in city A, and the exit node is in town B, maybe even in another country.
• You enter a well known coffee shop, your mobile device connects to the open hotspot. Again they are routing everything internally, and again the exit point is somewhere else. Because their main server is down for maintenance, the use the backup, in another place than usual.

The list could be continued. You should really learn more about how the web (especially the mobile network, and the local WiFi access points) work. Then you stop wondering about the ways of the data.

[arnoldikl 1]

No moving or switching networks involved. It's a desktop PC. My IP has not been changed for at least a month already (still same before and after this incident). + The culprit IPs are outside of my ISP's assigned IP range.

[PinkElephant 8,174]

Actually I have IPs from all over the place at my log. I don’t care - if anybody can break a professional password plus 2FA, the world should worry about other problems.

IPv4 are in short supply, providers may use blocks the hold in another country. WTF, it’s their business to provide me access.

I won’t loose any sleep over it.

[arnoldikl 1]

I don't know, I don't think it has anything to do with the ISP. I have the same ISP for 20 years and it never happened. And also, I would have seen that in access history of other apps. And it would be weird if the ISP was able to assign you IP from block that doesn't belong to it, especially block from other country, or even continent in my case. For example, it would have caused a lot of troubles for users that uses services secured by geoblocking.

I would put my money on some Evernote specific "feature". Or maybe some Windows "feature".

[Federico Simionato 1,025]

I just checked with the team, the IP you see is indeed caused by a server misconfiguration in computing IP addresses. We use Akamai as CDN, there's nothing to worry about. Apologies for the confusion.

[arnoldikl 1]

Thanks for confirmation.😉