unauthorized web clipper for chrome keeps appearing after password breach

[ASop 1]

My account was breached (someone got my password) last week. I immediately changed my password several times, but have noticed the app Evernote web clipper for Chrome keeps reappearing in the authorized apps in my account security section. I have never approved this app so I assume this is being done by the hacker somehow. I keep revoking the app and changing my password, but it keeps showing up again, sometimes there are 5 or 6 of them running at a time. Because I'm not the one who approved the app in the first place, I can't change the setting from within my Chrome browser. (I don't even use Chrome). This is very disturbing. I don't know what they are able to do with this app. Are they using it to access my notes even though my password has been changed? Or are they using it to track my web browsing? (I use Firefox though.)

At least there have been no more unrecognized devices accessing my account since I changed my password.

Also, I had to upgrade to a paid account to access my notes because after I revoked access for the hacker's computers, I was locked out of my own accounts due to the limit of revoking only two devices per month. Thank goodness the hacker did not change my password.

[PinkElephant 8,284]

Enable 2FA to stop it, using a mobile device.

And then you need to sanitize your devices - starting with Windows, but others may be affected as well.

Malware often installs keyloggers and screen grabbers. Every character you type, and every screen you open will be transmitted to the hacker.

You can reset your password as often as you like - the hedgehog will already be there when the rabbit arrives.

If you have such a problem it will not be restricted to EN. Safeguard all your accounts, starting with your mail account, and then everything related to money or shopping.

[Dave-in-Decatur 3,985]

11 hours ago, ASop said:

My account was breached (someone got my password) last week. I immediately changed my password several times, but have noticed the app Evernote web clipper for Chrome keeps reappearing in the authorized apps in my account security section. I have never approved this app so I assume this is being done by the hacker somehow. I keep revoking the app and changing my password, but it keeps showing up again, sometimes there are 5 or 6 of them running at a time. Because I'm not the one who approved the app in the first place, I can't change the setting from within my Chrome browser. (I don't even use Chrome). This is very disturbing. I don't know what they are able to do with this app. Are they using it to access my notes even though my password has been changed? Or are they using it to track my web browsing? (I use Firefox though.)

Actually, I'm not sure there's a problem here. Evernote Web Clipper is a browser extension that lets you save material from Websites directly into Evernote. I've got a lot of them showing up in the apps page (https://www.evernote.com/AuthorizedServices.action) too, which I assume is because I have a lot of browser windows open, and there is a clipper in every one of them. It's a green elephant icon to the right of the address bar at the top (in Bing). It's meant to be there, and I'm not surprised that it comes back when you revoke access. ("For Chrome" is kind of generic, I suspect, since it works in every browser.)

[ASop 1]

Thanks to you both for taking the time to reply. I have done malware scans on my devices which have detected nothing, and I have seen no evidence of unauthorized activity on any of my devices. My Activity Monitor is not showing anything unusual on my CPU. Other than the breach of my Evernote account (which was due to my own negligence in reusing a password), I have seen no other incidents.

There have been no unauthorized devices on my Evernote account since changing my password. I am inclined to think Dave-in-Decatur is right, that the reappearing webclipper app is somehow resulting from my own activity. However, I have been unable to locate where it is coming from. There are no Evernote extensions installed on any of my browsers, including on my phone. I never looked at the Applications section of Evernote before the breach, so I can’t 100% determine if this activity is new since the breach.

I have decided to quit using Evernote anyway, since I’m using the free version and somehow it locks me out on all of my devices if I revoke too many devices in a month (eg when I got a new phone & kept revoking the wrong one since both phones appeared with the same name, or when I mistakenly sign in online to check my security instead of using the link on the app). Highly inconvenient & gives me a heart attack every time I get locked out of my own notes.

If PinkElephant is right and the webclipper app is reappearing because the hacker has access to my computer and can detect my Evernote password changes, then they must have somehow been able to breach my computer through Evernote (maybe by installing code secretly into my notes, which I then copied to TextEdit which somehow allowed them to install something on my Mac without triggering any warnings?) and are running programs that are undetectable by my malware scanning software and don’t show up on my CPU activity report. I suppose that’s possible. I hope not.

Thanks again to the two of you for putting your brains to my problem. All best to you.