
Random content appearing in my account via email


Mark Carter

Idea

Over the past week, several clippings have appeared in Evernote that I have not added. These appear to contain confidential personal information regarding someone I don't know, including photographs. I immediately changed my password, just to be safe, but the additions have continued. All of my devices are in my possession and are password secured. I don't have any shared notebooks. I have checked the access log and as best I can tell, there are no accesses that correspond well to the clippings of concern. 

 

Apart from using the email address associated with my account (which seems unlikely given it is quite obscure), can anyone suggest how this might happen? Obviously, my concern is that my information might be available to the other party. 

 

I raised a ticket three days back but have had no response. Must admit, I would have thought a possible security breach would have been of concern. 

 
Link to comment

40 replies to this idea


I've sent Jack your ticket info and also appended some additional information in your ticket from this conversation. Last with the ticket, we were waiting to see whether or not the email change fixed the particular issue. If you're running into the problem still, the other side of this worth investigating may also be with the other party, to identify what particular process they're using with the notes that have been sent over to your account. Even though, as has been clarified in the conversation above, the author note info indicates otherwise.

Link to comment
  • Level 5*

Technical support have been investigating and the only explanation they can offer is that the notes must be being emailed accidentally to my (rather obscure) email address. They have now set up a seriously obscure email address for the account and we are waiting to see if this fixes the problem. I'll report back in a couple of weeks (or earlier if the problem reoccurs). 

 

Yeah. They reached the same conclusion I did earlier in the thread. Except, however, that you later said you were the author. I don't believe it is possible to email yourself a note and be the author of it. The author must (as far as I know) come up as the email address. If this isn't happening, I am afraid support is probably wrong (and so was I), and something else is happening. If you could put some screenshots of the offending notes into a note and pm me the link, I'll take a look at it. Please include the note and the information (the information popover if you are on a Mac). 

Link to comment

Yeah. They reached the same conclusion I did earlier in the thread. Except, however, that you later said you were the author. I don't believe it is possible to email yourself a note and be the author of it. The author must (as far as I know) come up as the email address. If this isn't happening, I am afraid support is probably wrong (and so was I), and something else is happening. If you could put some screenshots of the offending notes into a note and pm me the link, I'll take a look at it. Please include the note and the information (the information popover if you are on a Mac).

Yes, IME, a note that is emailed in shows the email address as the author. OP's screen shot shows him as the author, so doubtful this is what's happening.

OP, who else uses your computers and/or devices?

Link to comment
  • Level 5*

Thanks again. Not sure how to "pm" the information. Have attached a screenshot of the only note that does not contain personal information for the other party.

Hi. Thanks. Could you press that little arrow in the corner, share that note, and paste the link here for us? Or, send the link to me in a PM. Thanks!

Link to comment
  • Level 5*

Thanks again. Not sure how to "pm" the information. Have attached a screenshot of the only note that does not contain personal information for the other party.

Thanks. I've deleted your post because the note contains your location. What I see is a note created by you. There is nothing whatsoever to indicate that this was emailed into your account. As far as I know, the only way that this note could have been created is by someone logging in with your account username and password.

I could be wrong. The support folks are the experts. However, I have flagged this for the staff and requested that they re-visit their initial conclusion, which I don't think is supported by the evidence. I am not ready to jump to any conclusions just yet, but it is better to be safe than sorry.

If I were you, I'd change your password now and implement two-factor authentication if you haven't already. This should stop it from occurring anymore unless you are using the same password for all of your stuff (a common practice). I have more information on passwords, security, etc. here just in case you have questions about securing your stuff.

http://www.christopher-mayo.com/?p=288

Link to comment
  • Level 5*

 

Thanks again. Not sure how to "pm" the information. Have attached a screenshot of the only note that does not contain personal information for the other party.

Thanks. I've deleted your post because the note contains your location. What I see is a note created by you. There is nothing whatsoever to indicate that this was emailed into your account. As far as I know, the only way that this note could have been created is by someone logging in with your account username and password.

I could be wrong. The support folks are the experts. However, I have flagged this for the staff and requested that they re-visit their initial conclusion, which I don't think is supported by the evidence. I am not ready to jump to any conclusions just yet, but it is better to be safe than sorry.

 

 

Good hackers have ways of covering their tracks so that most people viewing the data can't tell they (the hacker) have been there.

Also, you'd probably need access to low level data that only Evernote server technicians have access to.

 

I'm all for reserving judgement until Evernote has completed their investigation.

Link to comment

Thanks again. I don't think I have been hacked. Since I had full contact details for the other party, I let them know I was receiving their information. They were clearly surprised and concerned - we are talking about medical and banking information that they would certainly not want me to access. I also changed my password (using a randomly generated high security password) after the first notes appeared and the problem reoccurred. The other party indicated they were having problems with Evernote on their iPhone and reinstalled it shortly before the problem occurred. Not sure if this is causally related or just coincidence. 

Link to comment
  • Level 5*

Thanks again. I don't think I have been hacked. Since I had full contact details for the other party, I let them know I was receiving their information. They were clearly surprised and concerned - we are talking about medical and banking information that they would certainly not want me to access. I also changed my password (using a randomly generated high security password) after the first notes appeared and the problem reoccurred. The other party indicated they were having problems with Evernote on their iPhone and reinstalled it shortly before the problem occurred. Not sure if this is causally related or just coincidence.

Thanks for following up with this information. This is looking more and more like a security flaw. Unless you guys both used the same third-party integration and it was doing something funky, it sounds to me like this might be a new bug we haven't seen before. I will be interested to hear what conclusions the tech support staff reach. Please let us know!

Link to comment
  • Level 5*

I spoke too soon. Just had another note appear in Evernote suggesting the problem is not related to emailed notes. Have updated my support ticket.

 

Sorry to hear that. Thanks for keeping us updated. I continue to be skeptical of the solutions proposed so far, and this seems to confirm my suspicions, but I will be interested to see how support solves the problem. Please check back in when you know more!

Link to comment

Just a final update. More confidential notes from another user appeared in my account so I have deleted all my notes from Evernote and moved to an alternative product. To top it off, after a month of silence, I received the following unimpressive response from Evernote support:

 

Thank you for contacting Evernote customer support. We are unable to personally answer your inquiry. I'm closing this request today and encourage you to find the answer to your inquiry via a search on the Evernote Support page or with our active user community in the Evernote forums.

If you are having issues with login, account access, or a purchase, please reply to this email and we will respond to you as soon as possible.

The Evernote Support Team

Seems like security is not much of a priority for Evernote. This experience has certainly made me fully appreciate that you can't assume that anything in the cloud is necessarily secure, even with a well established company.

 

I appreciate the attempts to assist from the users on the forum.

Link to comment
  • Level 5*

Just a final update. More confidential notes from another user appeared in my account so I have deleted all my notes from Evernote and moved to an alternative product. To top it off, after a month of silence, I received the following unimpressive response from Evernote support:

 

Thank you for contacting Evernote customer support. We are unable to personally answer your inquiry. I'm closing this request today and encourage you to find the answer to your inquiry via a search on the Evernote Support page or with our active user community in the Evernote forums.

If you are having issues with login, account access, or a purchase, please reply to this email and we will respond to you as soon as possible.

The Evernote Support Team

Seems like security is not much of a priority for Evernote. This experience has certainly made me fully appreciate that you can't assume that anything in the cloud is necessarily secure, even with a well established company.

 

I appreciate the attempts to assist from the users on the forum.

I'm sorry to hear this. It looks to me like they dropped the ball again. I think they take security seriously, judging by past experience, but something is probably dysfunctional right now between customer support and the developers, not to mention between customer support and you.

As for the cloud, I was never entirely comfortable with it, but over the last couple years, I've become even more wary, and drastically reduced my usage. Professional concerns make it unlikely that I'll ever use anything that doesn't have encryption anymore unless it is just for silly stuff. In this case, though, I suppose even encryption wouldn't help the poor dude on the other end, so this seems especially serious.

Link to comment

Mark, I don't blame you for a second. What a terrible experience, with support ignoring your very important request to top it all off. This would certainly turn me away too. I hope the new product you are using doesn't end up putting you in the same position, and that it works well for your needs.

 

Just one note, it isn't so much that security isn't a priority for EN, I think it is. It is more that free users don't get support for anything other than billing and market purchases, which is why you got the dismissal email from support. I think this was a serious enough issue to offer support to a free user, but I guess it's EN's prerogative, for better or worse...

 

Thanks for keeping us all posted. 

Link to comment

No response from Jackolicious or gbarry on this? As an Evernote Premium customer, I'd sleep better at night knowing that my notes won't randomly start appearing in other people's Evernote accounts.

Link to comment
  • Level 5*

 

No. I don't think so (you knew I would disagree).

 

It should be recognized as a *potential* security breach and investigated without preconceived notions of what it is. I don't see the connection with Target (or any of the other tens of thousands of security breaches that have probably happened over the last few years) here because we simply don't have enough information. Let's wait and see before we rush to judgment.

 

In other words, I think it ought to be reported (I'm glad the OP did), it ought to be investigated, and I hope we will learn the results (either directly or via the OP). As you know, I am pretty sensitive about security, but I am also wary of drawing conclusions with insufficient data and / or knowledge about the issue. 

 

 

You're missing the point.  The point is to investigate it as if a security breach has happened.  I didn't say anything about drawing conclusions.  The connection to the Target security issue is direct.  An alarm was set off about a possible security breach, and reported by the Target IT dept to management.  But no action was taken for months.

 

There is no harm in starting a vigorous investigation now.  OTOH, Evernote will look very bad if they are slow to act and many more breaches like this occur.

Link to comment
  • Level 5*

Hi. It is possible for anyone to email an account, and that would probably be the most likely route in this case, but I don't know. Perhaps a screenshot of a note and its information would shed some light on it.

Link to comment

Hi. It is possible for anyone to email an account, and that would probably be the most likely route in this case, but I don't know. Perhaps a screenshot of a note and its information would shed some light on it.

Thanks for the response. I have sent a screenshot of the first two notes to support. Have no idea how anyone would get the email address. I don't think that I have ever used it and the address is quite cryptic. 

Link to comment
  • Level 5*

Hi. Could you post the screenshots for us (in a shared note, for example)? As for support, would you mind putting your support ticket number? I'll flag it for other staff who can follow up on it.

Link to comment

Thanks again. Ticket number is 511366. Attached are the offending notes (highlighted) but I'm not sure it helps much. I can't post the content publicly as the notes appear to contain personal and financial information. 

 

 


Link to comment
  • Level 5*

 

Over the past week, several clippings have appeared in Evernote that I have not added. These appear to contain confidential personal information regarding someone I don't know, including photographs. 

 

I raised a ticket three days back but have had no response. Must admit, I would have thought a possible security breach would have been of concern. 

 

 

Mark, this indeed is a very serious breach of security, both for you and for the owner of the unknown clippings.

 

Have you by any chance used any 3rd party service (like in the EN Trunk Apps) that you gave your EN credentials to?

Link to comment
  • Level 5*

 

 

Over the past week, several clippings have appeared in Evernote that I have not added. These appear to contain confidential personal information regarding someone I don't know, including photographs. 

 

I raised a ticket three days back but have had no response. Must admit, I would have thought a possible security breach would have been of concern. 

 

 

Mark, this indeed is a very serious breach of security, both for you and for the owner of the unknown clippings.

 

Have you by any chance used any 3rd party service (like in the EN Trunk Apps) that you gave your EN credentials to?

 

 

The third-party services question is a good one, but I want to disagree with the claim that this is a breach of security. It is a very odd occurrence and it is something that Evernote needs to investigate, but until we find out what is happening, we cannot say for sure. As an example, I mentioned the email method above. I agree that it is unlikely in this case if the owner has an uncommon address, but it is entirely possible to email notes into anyone's account, and doing so wouldn't be a breach of security. Let's wait to hear what support has to say about it. 

Link to comment
  • Level 5*

 

 I want to disagree with the claim that this is a breach of security. It is a very odd occurrence and it is something that Evernote needs to investigate, but until we find out what is happening, we cannot say for sure. As an example, I mentioned the email method above. I agree that it is unlikely in this case if the owner has an uncommon address, but it is entirely possible to email notes into anyone's account, and doing so wouldn't be a breach of security. Let's wait to hear what support has to say about it. 

 

 

You're welcome to disagree, GM, but that's taking the wrong approach with respect to security issues.  Remember Target???

 

A credible report like the one the OP made must be taken seriously, and it must be assumed that there has been a security breach until proven otherwise.  This MUST be investigated immediately and vigorously as a security breach.

Link to comment
  • Level 5*

 

 

 I want to disagree with the claim that this is a breach of security. It is a very odd occurrence and it is something that Evernote needs to investigate, but until we find out what is happening, we cannot say for sure. As an example, I mentioned the email method above. I agree that it is unlikely in this case if the owner has an uncommon address, but it is entirely possible to email notes into anyone's account, and doing so wouldn't be a breach of security. Let's wait to hear what support has to say about it. 

 

 

You're welcome to disagree, GM, but that's taking the wrong approach with respect to security issues.  Remember Target???

 

A credible report like the one the OP made must be taken seriously, and it must be assumed that there has been a security breach until proven otherwise.  This MUST be investigated immediately and vigorously as a security breach.

 

 

No. I don't think so (you knew I would disagree).

 

It should be recognized as a *potential* security breach and investigated without preconceived notions of what it is. I don't see the connection with Target (or any of the other tens of thousands of security breaches that have probably happened over the last few years) here because we simply don't have enough information. Let's wait and see before we rush to judgment.

 

In other words, I think it ought to be reported (I'm glad the OP did), it ought to be investigated, and I hope we will learn the results (either directly or via the OP). As you know, I am pretty sensitive about security, but I am also wary of drawing conclusions with insufficient data and / or knowledge about the issue. 

Link to comment

Technical support have been investigating and the only explanation they can offer is that the notes must be being emailed accidentally to my (rather obscure) email address. They have now set up a seriously obscure email address for the account and we are waiting to see if this fixes the problem. I'll report back in a couple of weeks (or earlier if the problem reoccurs). 

Link to comment
  • Level 5*

*sigh*

OP Mark Carter did the right thing and reported it.

GM did the right thing and has flagged it and presumably some higher power will look at it. Evernote does take security seriously.

Not sure what all the chest-beating is all about...

Link to comment
  • Level 5*

Not sure what your worthless, non-value-added post is all about.  You seem to be the one beating your own chest, as usual.

But I don't want to engage in another of your off-topic senseless debates.  Carry on.

Link to comment
  • Level 5*

No. I don't think so (you knew I would disagree).

It should be recognized as a *potential* security breach and investigated without preconceived notions of what it is. I don't see the connection with Target (or any of the other tens of thousands of security breaches that have probably happened over the last few years) here because we simply don't have enough information. Let's wait and see before we rush to judgment.

In other words, I think it ought to be reported (I'm glad the OP did), it ought to be investigated, and I hope we will learn the results (either directly or via the OP). As you know, I am pretty sensitive about security, but I am also wary of drawing conclusions with insufficient data and / or knowledge about the issue.

You're missing the point. The point is to investigate it as if a security breach has happened. I didn't say anything about drawing conclusions. The connection to the Target security issue is direct. An alarm was set off about a possible security breach, and reported by the Target IT dept to management. But no action was taken for months.

There is no harm in starting a vigorous investigation now. OTOH, Evernote will look very bad if they are slow to act and many more breaches like this occur.

The point is to stay vigilant, but not to assume anything is a breach (or not), in my opinion. By calling it a breach, you drew an unwarranted (in my opinion) conclusion.

I do not know about this IT department report at Target. Who authored the report? My understanding is that there were automated warnings that were ignored and poor practices regarding the use of third-party vendors. Neither of these elements appear to exist here. We certainly have no evidence of anyone ignoring anything or being slow to act, do we? This also doesn't appear to be the largest data breach in history, does it? I'd refrain from comparing it to Target until we know more.

Again, I recommend waiting until we hear more before calling it a breach. I would like to see the information about the notes. That might tell us if they were emailed into the account. I'd also like to see the OP's logs. Until then, I plan to reserve judgment.

Link to comment

Not sure what your worthless, non-value-added post is all about.  You seem to be the one beating your own chest, as usual.

But I don't want to engage in another of your off-topic senseless debates.  Carry on.

 

 

Nice.  Real nice. 

Link to comment
  • Level 5*

The point being that the original poster and GM did the right thing *before* you stepped in. All of the finger-wagging and lecturing about how serious this is is just after-the-fact noise to prove a point that was already clearly made.

Link to comment
  • Level 5*

 

The point is to stay vigilant, but not to assume anything is a breach (or not), in my opinion. By calling it a breach, you drew an unwarranted (in my opinion) conclusion.

I do not know about this IT department report at Target. Who authored the report? My understanding is that there were automated warnings that were ignored and poor practices regarding the use of third-party vendors. Neither of these elements appear to exist here. We certainly have no evidence of anyone ignoring anything or being slow to act, do we?

Again, I recommend waiting until we hear more before calling it a breach. I would like to see the information about the notes. That might tell us if they were emailed into the account. I'd also like to see the OP's logs. Until then, I plan to reserve judgment.

 

 

GM, careful, the forum police will be accusing you of "beating your chest".   LOL

 

Personally, I think we are having a great important discussion about how to handle "reports" of security breaches.

 

You seem to be more worried about what it is called than what action to take.  Is this one of those political correctness things?

I am not saying Evernote should announce it as a "security breach".  I'm just saying they should investigate it as if it is a "security breach". 

 

All that means is to put it on the front burner, and get to the bottom of the issue ASAP.

Link to comment

We take all possible security issues seriously and have flagged internally for a higher level tech to take a look. The first thing we'll likely take a look at is the "author" email in your note information pane--if your address has reached someone who is inadvertently emailing into your account, that "author" info will show who's generating the content.

Link to comment

Thanks for the additional info--checking into your ticket, looks like we have this with a L2 support tech and we're requesting additional info to research. Thanks again for reporting.

Link to comment

Archived

This topic is now archived and is closed to further replies.
