Jump to content

Security notice sent today to specific Evernote accounts


Recommended Posts

  • Evernote Staff
Allspecific Evernote users will be receiving an email today about a security issue regarding their Evernote account.

 

We’ve detected someone attempting to log in to Evernote using thousands of username and password combinations that we believe were either stolen from other services or just systematic guesses. The Evernote service has not been compromised or hacked, but we believe some accounts may have been accessed during these attempts.

 

To protect these accounts, we’ve expired their passwords. The next time they try to log into Evernote, they will be prompted to reset their password.

 


Unless you received an email with information regarding this incident, no further action is necessary.


 

However, if you would like to ensure your account is protected to the fullest, we recommend that you change your password to one that you use only for Evernote and nowhere else. The strongest passwords use a combination of letters, numbers, and special characters. For increased security, take advantage of Two-Step Verification—users with Two Step Verification activated on their accounts were protected from intrusion. For more security tips visit: https://evernote.com/security/tips/

Link to comment

chocohalic - I checked and don't see that account (chocohalic) on the list that was reset. My best guess is that there may be a different account with a different email address that also routes to you, and you got the notification for that other account.

If you open a Support ticket and identify the exact email address that received the notification email, we could confirm what that email corresponds to.

Link to comment

jakkuchan - 

 

We looked at the activity that was sent by the abusers with their stolen credentials. In virtually all cases, there was nothing beyond the login attempt. I.e. they just confirmed whether the stolen username+password pair worked against an Evernote account and then moved on within a second.

 

It's hard to guess the attackers' motivations, but it seems they were using extremely long lists of credentials stolen from another site (or phished from users of another service), and were only bothering to just confirm what other sites matched those credentials.

Link to comment

chocohalic - I checked and don't see that account (chocohalic) on the list that was reset. My best guess is that there may be a different account with a different email address that also routes to you, and you got the notification for that other account.

If you open a Support ticket and identify the exact email address that received the notification email, we could confirm what that email corresponds to.

 

You are right. I've taken care of the second account and enabled two step protection on both.

Link to comment

righteousdork -

 

That's a good point. We confirmed that 121 of the accounts which were attacked were successfully blocked because those users had two-step verification enabled.

I.e. the bad guys matched the stolen password against the accounts, but then they hit the second-factor code and were blocked. None of those accounts were fully accessed.

 

(We reset the passwords for those users anyway, and sent them an email, since it was likely their password was vulnerable elsewhere.)

Link to comment

flamingFusion -

The attackers did not appear to look at the contents of the vast majority of accounts they accessed. It appeared they were just confirming which passwords "worked" and which didn't.

 

But you should definitely think of any other Internet services that use the same password that you used on Evernote. Those are all vulnerable, and you should change them all. (For example, if you used the same password for a social network and your bank, then the password may have been stolen from one of those and could let the attackers into the other one.)

Link to comment

Ehrm... Why was my account password reset when I have two-factor authentication enabled? Were these the first hackers in the world to break the OTP protocol used by Evernote? Or did someone at Evernote not quite think this through?

Link to comment

Fuzzy76 -

 

We discussed this internally to try to decide the right solution for the people whose passwords were matched but protected by two-step verification.

 

 

Since we knew for sure that the bad guys had a copy of your password, we felt that we definitely needed to notify you (so you could change that password everywhere you've used it). Once your password was compromised, your account was basically in a state of ONE step verification for those attackers ... e.g. if they could get your phone company to switch your SMS delivery to them, they could get in the account.

 

So it seemed like the right thing to do for your security was to expire your password so that you'd get back into a real two-step security configuration as soon as possible.

 

We knew that would be a little annoying and inconvenient, but we felt like it was the right thing to do to protect your data.

Link to comment

Maybe I was a bit too harsh, but I wish you would have settled for notifying and not forcing a password change in cases like that. I actually knew my username/password combination was floating around, but hadn't bothered to change my password since I have two-step auth set up. And I use the Google Authenticator app, not SMS. So it should be even more secure. :)

Link to comment

No problem, sorry for the disruption!

 

We have to enable an SMS fallback option even for people who use Google Authenticator (like I do), since it's too common for the authenticator app to get lost or broken. So the SMS routing is the second line of defense. I know people who have had two-step attacked on other services by people who socially engineer a retail phone company employee, so I was worried about relying on that as the last line of defense.

 

I hope this doesn't happen again, but if it does, we'll consider whether there's a less disruptive option for our two-step users to stay safe.

Link to comment
  • 1 month later...

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...