(Archived) Lack of visibility for security breach


Posted

I read about the security breach this weekend from (several) online news sources.

 

As of today I have still not received an e-mail from Evernote about the breach and information to reset my password.

 

I opened a ticket and the response was:

 

We also sent this information out in an email to all users entitled "Evernote Security Notice: Service-wide Password Reset" from the email address "team@email.evernote.com".

 

 

I use gmail for my e-mail.  I received an email on 2/26 from the above e-mail address titled "Evernote News: Introducing the new Penultimate, redesigned Evernote Hello, and a whole lot more."

Since that date I have not received any other mail from Evernote with the exception of my password change notification (which I performed due to *my own* research into the issue) and the response to the ticket I opened.

 

In other words, Evernote has not sent an e-mail to "all users" as they have described - because I am a user and have not received it.  I work in Information security, and have been an e-mail administrator in the past.  I know how SPAM works, and how to search an inbox.  This is not user error - Evernote did not send an e-mail - or at least not in any reliable way.

 

Additionally, I questioned in my support ticket why as of today there is still no easily available link on the front page of the Evernote site explaining the situation.  I was told that the following exists:

 

http://evernote.com/corp/news/password_reset.php

 

This link however does not seem to be accessible directly from anywhere on the front page.  Which means that I would not know it exists had the representative not provided it for me.

 

I would like some official answers to explain both why users have to rely on news outlets as opposed to Evernote themselves to hear of this breach, and why Evernote is not prominently displaying the notifications and details of the breach on the front page.

 

Thank you

  • Level 5*
Posted


Hi. An employee might be along to explain, but I think it is rather straightforward. First, something might have gone wrong and you mistakenly did not receive your email. This is something to bring up with support. I received emails for a couple of my accounts, but (maybe) not for all of them yet, so it might still be on the way. I have to log in to the emails associated with those, go through the spam boxes, etc. to see if it came and didn't get forwarded properly to my main address. The point is that your email is supposed to have arrived.

 

As for the website, there is a link at the top of the page to the blog (http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/), and there is a link in the middle of the page directing you to your account if you received an email. I am not terribly keen on the lack of information available on the home page (ideally, some kind of news feed or a more "active" front page would be available), but it is actually kind of standard these days to move all "news" items to blogs. Dropbox, for example (as long as I can remember) has a "dead" front page as well.

 

These are not the "official" answers you are looking to hear, but hopefully they help explain what is happening. 

Posted

The password link you refer to to reset the password simply brings you to the login prompt - there is no information provided there as to "why" you would have received this e-mail and as someone who did not receive it, the small message at the top is irrelevant to me.

 

The situation may be straightforward that my email was "supposed to have arrived."  However straightforward and true or acceptable are not the same things.  It is straightforward that a security breach occurred, but that doesn't offer any explanation of why all users have not been properly notified or an acceptable level of attention has not been given on the main page.

 

I'm apparently able to receive with no problems marketing e-mails from the same addresses that a password reset was supposed to come from - but not the password reset itself.

Oh, BTW - I am answering your response because I got an e-mail from Evernote telling me you responded - almost instantaneously.

 

And, while certainly most news items can be moved to blogs - let's take a look at the current front page:

 

"The all new  Evernote Hello 2.0"

"A quick introduction to Evernote"

"Evernote business is here"

 

So apparently Evernote can take up space to advertise new products, show people how to use the product, and advertise the pay-premium features, but they cannot adequately show that a major security breach took place?

 

I understand the PR aspect of not displaying it - but when will anyone learn?  Own up and own up loud and publicly to anyone willing to listen.  From the 10 minutes I have spent on this forum, and from your tagline as an EN Evangelist, I think that your statement of " am not terribly keen on the lack of information available on the home page" can be the understatement of the year for this.  If you are willing to admit a modicum of discomfort at the handling of this, then I think it is safe to say that any reasonable person can assume a much larger displeasure at how this was handled.

 

Still waiting some official responses.

  • Level 5*
Posted

The password link you refer to to reset the password simply brings you to the login prompt - there is no information provided there as to "why" you would have received this e-mail and as someone who did not receive it, the small message at the top is irrelevant to me.

 

The situation may be straightforward that my email was "supposed to have arrived."  However straightforward and true or acceptable are not the same things.  It is straightforward that the bombings at Hiroshima and Nagasaki killed tens of thousands of people (most conservative estimates) - but that doesn't offer any explanation or moral/ethical stance.

 

I'm apparently able to receive with no problems marketing e-mails from the same addresses that a password reset was supposed to come from - but not the password reset itself.

Oh, BTW - I am answering your response because I got an e-mail from Evernote telling me you responded - almost instantaneously.

 

And, while certainly most news items can be moved to blogs - let's take a look at the current front page:

 

"The all new  Evernote Hello 2.0"

"A quick introduction to Evernote"

"Evernote business is here"

 

So apparently Evernote can take up space to advertise new products, show people how to use the product, and advertise the pay-premium features, but they cannot adequately show that a major security breach took place?

 

I understand the PR aspect of not displaying it - but when will anyone learn?  Own up and own up loud and publicly to anyone willing to listen.  From the 10 minutes I have spent on this forum, and from your tagline as an EN Evangelist, I think that your statement of " am not terribly keen on the lack of information available on the home page" can be the understatement of the year for this.  If you are willing to admit a modicum of discomfort at the handling of this, then I think it is safe to say that any reasonable person can assume a much larger displeasure at how this was handled.

 

Still waiting some official responses.

 

Hi. You received an immediate email about my response to your post because the Evernote user forum is an entirely different thing than Evernote the corporation.

 

I don't think it is appropriate to bring the bombings in Hiroshima and Nagasaki into this conversation on the missing email / inadequate information on the home page, because it both trivializes those two tragic events, and exaggerates the significance of the current hacking incident. 

 

This is a user forum. Employees read everything, and often post here, but do not respond to everything. I don't know if employees will join this thread or not (I imagine they are a little busy this week), so I do hope that you will address your question to them directly via the support link (see my signature below) if you want to know their answers to your specific questions. 

 

In the meantime, if you wander around the forums a little, I think you will see many comments from employees about the hacking incident and Evernote's response to it. Hopefully, that will provide some insight into what happened / is happening.

 

[EDIT:] By the way, this thread might be a good place to start http://discussion.evernote.com/topic/35560-how-evernote-should-have-responded-to-security-issue/

Posted

I'm aware that the forum most likely operates on a separate e-mail system.  That is only an indicator that Evernote has chosen a poor system to notify their users of security breaches if their forum system can notify that same user of a waiting response.

 

My tangential usage of the bombings stated no objective viewpoint on their importance, so it is impossible for me to have trivialized them, nor were they used as a correlation in terms of magnitude to the severity of the breach.  They were simply used to show that something "straightforward" as to intent of facts has no direct relevance to the actual happenings of an event.  Your attempt to make that correlation bigger than that is either an attempt at misdirection from the issues at hand (most likely), or else you have a close connection to these events that you are projecting your own thoughts and feelings onto (in which event I am personally sorry for any perceived slight, although I have absolutely no personal responsibility for those events).

 

I am also aware this is a user forum that is moderated partly by employees - as this is no different from the majority of such product forums from various companies.  Although I do not necessarily expect an official response within 60 minutes of posting this, I do expect one.  I would think that I am not the only user affected by and perturbed by the same series of events which I am detailing here, and my post may voice the opinions of some of those users as well.  Additionally, if you had read my initial e-mail you will see that I already have submitted a support ticket and the response was sub-par.

 

It is quite apparent that you are an Evernote fan-boy - and I use that in the least-offensive way possible.  Your dismissal of their lackluster efforts or other attempts at placating or misdirection however do nothing to diminish the facts.  I believe you have voiced your response sufficiently which, as the original poster, I find inadequate.  At this point I am interested to hear only from others that are in a similar predicament (to find out how wide-spread the lack of response was) or from an official spokesperson.

 

Personally I am a fan of the Evernote product, but am left disillusioned by this response to the breach.

  • Level 5*
Posted


I am not sure what "fan-boy" means, I didn't see my criticism of their response as dismissal, and I am not (as you implied) nefariously misdirecting things when I respond to the points that you yourself raised in your post. Perhaps, we simply see things differently.

 

I get the sense that you are not interested in discussing this with other users like myself, but again, this is a user forum, so you may not find the answers you are seeking here. Please visit the thread that I linked to above if you would like to hear what other users, like yourself, thought about Evernote's response to the incident. You can also find an employee there responding. I wouldn't expect an employee response to your posts on a user forum, especially as your concerns overlap with threads that already exist, and I would also recommend following up with customer support until you get a satisfactory response to your questions. 

 

You never know, though. They might respond to you individually here. I guess we can wait and see. I just wouldn't expect it.

Posted

I don't think it is appropriate to bring the bombings in Hiroshima and Nagasaki into this conversation on the missing email / inadequate information on the home page,

 

Absolutely agree.  Please refrain from these types of comparisons.

Posted

While I totally disagree with any perceived "comparison" other than that of a strictly linguistic/logical nature to my example, I have gone ahead and edited it for those of you who can't seem to stop using it as a focusing point rather than actually address Evernote's failings to properly deal with notifying users of this breach.

 

Please now find some other equally obscure part of my presented facts to harp on in between defending Evernote for their lackluster response.

 

At this point, it is a waste of time to continue to respond to anything less than an official response.  After all this is the reason I posted this, not to argue with fanboys/girls or those who are attempting to troll up mountains out of mole hills.  Please realize that when you have a) spoken at Evernote sponsored conferences or b) proudly admit that Evernote is an integral part of your life, any response attempting to lessen the impact of this breach on the Internet security world or diminish those calling for better communications is undermined by your "evangelical" commitment to the product.

 

Those of you who rely on this product to the extent that you incorporate it into your psyche should be the ones most critical of breaches and lack of response to this effect.

Posted


The breach has been discussed.  A lot.  Please check the existing threads, if you care to.  The fact that you seem to want a personalized answer directly from EN & are not getting it when you think you should is not something any of us can control.

Posted

I am a bit confused. Have you not received help via your support ticket? Are you having issues finding the right page and resetting your password?

Posted

I don't think it is appropriate to bring the bombings in Hiroshima and Nagasaki into this conversation on the missing email / inadequate information on the home page,

 

Absolutely agree.  Please refrain from these types of comparisons.

 

I also find it quite offensive. 

Archived

This topic is now archived and is closed to further replies.
