
Security notice sent today to specific Evernote accounts



Specific Evernote users will be receiving an email today about a security issue regarding their Evernote account.


We’ve detected someone attempting to log in to Evernote using thousands of username and password combinations that we believe were either stolen from other services or just systematic guesses. The Evernote service has not been compromised or hacked, but we believe some accounts may have been accessed during these attempts.


To protect these accounts, we’ve expired their passwords. The next time they try to log into Evernote, they will be prompted to reset their password.



Unless you received an email with information regarding this incident, no further action is necessary.



However, if you would like to ensure your account is protected to the fullest, we recommend that you change your password to one that you use only for Evernote and nowhere else. The strongest passwords use a combination of letters, numbers, and special characters. For increased security, take advantage of Two-Step Verification—users with Two-Step Verification activated on their accounts were protected from intrusion. For more security tips visit: https://evernote.com/security/tips/


chocohalic - I checked and don't see that account (chocohalic) on the list that was reset. My best guess is that there may be a different account with a different email address that also routes to you, and you got the notification for that other account.

If you open a Support ticket and identify the exact email address that received the notification email, we could confirm what that email corresponds to.


jakkuchan - 


We looked at the activity that was sent by the abusers with their stolen credentials. In virtually all cases, there was nothing beyond the login attempt. I.e. they just confirmed whether the stolen username+password pair worked against an Evernote account and then moved on within a second.


It's hard to guess the attackers' motivations, but it seems they were using extremely long lists of credentials stolen from another site (or phished from users of another service), and were only bothering to just confirm what other sites matched those credentials.


David Harvey -


Your account was accessed from a web browser on December 30th from an IP address that attempted to log into a huge number of accounts on that date, failing on most attempts.


chocohalic - I checked and don't see that account (chocohalic) on the list that was reset. My best guess is that there may be a different account with a different email address that also routes to you, and you got the notification for that other account.

If you open a Support ticket and identify the exact email address that received the notification email, we could confirm what that email corresponds to.


You are right. I've taken care of the second account and enabled two step protection on both.


righteousdork -


That's a good point. We confirmed that 121 of the accounts which were attacked were successfully blocked because those users had two-step verification enabled.

I.e. the bad guys matched the stolen password against the accounts, but then they hit the second-factor code and were blocked. None of those accounts were fully accessed.


(We reset the passwords for those users anyway, and sent them an email, since it was likely their password was vulnerable elsewhere.)

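The pattern the staff replies describe (one source address trying a long list of stolen credential pairs against many accounts, mostly failing, with a few matches and some stopped at the second factor) is what a defender looks for in login audit data. The following is an added example, not Evernote's code, run over constructed sample records; the detection thresholds and the outcome labels are assumptions.

```python
# Added example (not Evernote's code): flag a credential-stuffing source in
# constructed login-audit records and triage the accounts it touched, in the
# spirit of the incident described in this thread.
from collections import defaultdict

# Constructed sample records: (source_ip, username, outcome).
#   "fail"         wrong password
#   "2fa_blocked"  password matched, but two-step verification stopped the login
#   "success"      fully logged in
LOGIN_EVENTS = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "success"),
    ("203.0.113.7", "dave", "fail"),
    ("203.0.113.7", "erin", "2fa_blocked"),
    ("203.0.113.7", "frank", "fail"),
    ("203.0.113.7", "grace", "fail"),
    ("203.0.113.7", "heidi", "fail"),
    ("198.51.100.5", "alice", "fail"),     # a user mistyping, then succeeding
    ("198.51.100.5", "alice", "success"),
    ("192.0.2.9", "bob", "success"),
]

def find_stuffing_sources(events, min_users=6, min_fail_ratio=0.7):
    """IPs that tried many distinct usernames and were mostly rejected.
    The thresholds are assumptions; tune them against your own baseline."""
    users, attempts, rejected = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, outcome in events:
        users[ip].add(user)
        attempts[ip] += 1
        if outcome != "success":
            rejected[ip] += 1
    return sorted(ip for ip in users
                  if len(users[ip]) >= min_users
                  and rejected[ip] / attempts[ip] >= min_fail_ratio)

def triage(events, sources):
    """Accounts a stuffing source fully logged into (expire their passwords)
    and accounts it matched but two-step verification blocked (the password
    still leaked, so notify and reset those too, as the thread describes)."""
    expire, blocked_by_2fa = set(), set()
    for ip, user, outcome in events:
        if ip in sources and outcome == "success":
            expire.add(user)
        elif ip in sources and outcome == "2fa_blocked":
            blocked_by_2fa.add(user)
    return sorted(expire), sorted(blocked_by_2fa)
```

Note that alice's own failed-then-successful login from a low-volume address is not flagged, which is the point of keying on distinct usernames per source rather than on failures alone.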

flamingFusion -

The attackers did not appear to look at the contents of the vast majority of accounts they accessed. It appeared they were just confirming which passwords "worked" and which didn't.


But you should definitely think of any other Internet services that use the same password that you used on Evernote. Those are all vulnerable, and you should change them all. (For example, if you used the same password for a social network and your bank, then the password may have been stolen from one of those and could let the attackers into the other one.)


Ehrm... Why was my account password reset when I have two-factor authentication enabled? Were these the first hackers in the world to break the OTP protocol used by Evernote? Or did someone at Evernote not quite think this through?


Fuzzy76 -


We discussed this internally to try to decide the right solution for the people whose passwords were matched but protected by two-step verification.


Since we knew for sure that the bad guys had a copy of your password, we felt that we definitely needed to notify you (so you could change that password everywhere you've used it). Once your password was compromised, your account was basically in a state of ONE step verification for those attackers ... e.g. if they could get your phone company to switch your SMS delivery to them, they could get in the account.


So it seemed like the right thing to do for your security was to expire your password so that you'd get back into a real two-step security configuration as soon as possible.


We knew that would be a little annoying and inconvenient, but we felt like it was the right thing to do to protect your data.


Maybe I was a bit too harsh, but I wish you would have settled for notifying and not forcing a password change in cases like that. I actually knew my username/password combination was floating around, but hadn't bothered to change my password since I have two-step auth set up. And I use the Google Authenticator app, not SMS. So it should be even more secure. :)


No problem, sorry for the disruption!


We have to enable an SMS fallback option even for people who use Google Authenticator (like I do), since it's too common for the authenticator app to get lost or broken. So the SMS routing is the second line of defense. I know people who have had two-step attacked on other services by people who socially engineer a retail phone company employee, so I was worried about relying on that as the last line of defense.


I hope this doesn't happen again, but if it does, we'll consider whether there's a less disruptive option for our two-step users to stay safe.
