Rich Tener

@sfatih, we don't have an automatic notification system to notify you when someone logs in from a new country or a new device. I understand that this is a common expectation and I'm working with our engineering teams to prioritize getting those capabilities built into our service.

Hi @tedwlm. To protect your privacy, we never look at what an individual searches for in their account. Instead, we have a process to de-identify and aggregate common search terms across our broader population. When we did this, we saw the same terms being searched consistently across a number of accounts that matched up with the number of affected customers. The search terms included a number of different cryptocurrency terms such as “Bitcoin” and “Ethereum”, but also more generic terms like “password”. We suspect that if they find passwords, they feed those into their automation to test against other services, much the same way they test usernames and passwords against Evernote.

Hi @VanessaW, We are always keeping an eye out for suspicious activity and once we start to see a pattern, we take action to protect the affected customers. I appreciate your feedback that we didn’t act as quickly as you expected us to. We are primarily focused on detecting breaches of our service, which this was not. This was someone that knew your password and logged into your account. The number of Evernote customers affected by this issue is a small percentage. While it looks like hundreds of hackers accessed your account from different countries, it is more likely that it was only one person or a small group. They are using an automation tool that makes it look like they are using an iPhone or Android phone. It isn’t a human logging in with a mobile device, just a machine pretending to be one. Once they discover a username and password that works, they use their automation tool to login over and over, probably as they expand their search for different things. It started as cryptocurrency but could have evolved to other sensitive information types. It looks like they are logging in from many different countries because they are proxying their tool through a large network of devices that spans almost every country. Protecting your account is a shared responsibility between us and you. If you reuse a password on Evernote that you use on other sites, you are putting your data at risk. We recommend that you either setup two-factor authentication or change your Evernote password to a unique one that you don’t use anywhere else. I suggest checking out https://haveibeenpwned.com/ to give you an idea of how many data breaches you might have been included in and change any password that you used on those sites.

Hi @Gamer0987. You are correct that we’ve seen an increase in this type of issue since 2017. And while we are always keeping an eye out for suspicious activity patterns, I appreciate your feedback that we didn’t act as quickly as you expected us to. We are primarily focused on detecting breaches of our service, which this was not. Regarding the second email, we accidentally sent a second email to some of you. It was a mistake on our part and not because we detected suspicious activity on your account a second time. If you have already changed your password or setup 2FA, please ignore the second email we sent you. What was compromised: The unauthorized user searched your account for passwords and cryptocurrency terms and downloaded the notes that we returned in the search results. They didn’t have access to your device; only your Evernote account, and only because they learned your password from somewhere other than us. If you changed your password to one that you don’t use on another site, your account should be secure.

We accidentally sent a second email to some of you. It was a mistake on our part and not because we detected suspicious activity on your account a second time. If you have already changed your password or setup 2FA, please ignore the second email we sent you.

@airflight, we did not see any evidence of the hacker adding attachments or modifying content. They were only searching and reading the notes that were returned in the search results.

@sam_beh we are starting to get reports from people that found an Android phone instead of an iPhone. These incidents are related, and a lot of the same users are affected.

Hi folks, I lead the security team at Evernote. If you, or the people in your network receive an email from Evernote mentioning that we’ve detected suspicious activity, please know that this is not a hoax or spam message; it’s from us. The Evernote service and our apps are still secure; however, we discovered an unauthorized person testing a list of usernames and passwords that they stole from a site not associated with Evernote. If this person had the correct password for your account, they connected an iPhone app to it; and then used that app to search for cryptocurrency credentials. You need to take some actions to protect access to your account. Change your password to a unique one. Make it one that isn’t easy to guess. Make it one that you don’t use on another web site. Consider using a password manager to keep track of your passwords. Revoke any Authorized Applications that you are suspicious about or that accessed your account from an IP address you don’t know Install an anti-malware application on your computer and run it periodically to clean up any known malware. Setup two-factor authentication on your account, especially if you don’t want to use a unique password on your Evernote account. Then, even if someone learns your password, they won’t be able to access your account without also stealing your phone.

@jefito thank you for the suggestion; we will post more about this type of issue and how it relates to password reuse in broader forum. I wish I could say that this was a one-time event. We detect and respond to multiple groups of people testing stolen credential lists against our service. It's also not unique to us. It's constant activity hitting every major web service. For anyone that would like to see if they are affected by a public breach and have had their password stolen, check out https://haveibeenpwned.com/ It's not an exhaustive list, but shows the importance of using a unique password on every web site you use or setting up 2FA.

@Rogueblue, if you are using a unique password on your Evernote account that you've never used anywhere else, I'm happy to open a support case to look into your specific situation. It's unlikely anyone stole your Evernote password from us. We only store your password using a secure, irreversible hashing method. Even we don't know what your password is; we can only take the password you enter when you login and run it through the same one-way secure hashing method and compare the result. The unauthorized user isn't targeting you specifically. They are testing a list of stolen usernames and passwords and if they find one that works, they are logging in to search for things like cryptocurrency credentials and other passwords. If you are using your Evernote password on other web services, you might want to check out https://haveibeenpwned.com/ . It's not an exhaustive list, but will tell you some of the public breaches that affected you.

@nathanavish and @bklyngrrl, thank you for the feedback. I realize we aren't meeting your expectations regarding notification and we have both these feature requests filed. @DTLow's advice to post it as a feature request is good. I'll also send this discussion to our product management team. @FloBorge, our service is still secure, but a small percentage of our customers have had their passwords stolen from other sites. The unauthorized person is using a very large network of compromised computers to proxy through, which you and other affected customers see access from different countries. Please be sure to: change your Evernote password to one that you've never used or setup 2FA on your account revoke the rogue iPhone device from your account install an anti-malware app in case you have a password stealer installed on a computer that you use to login to Evernote This type of issue isn't unique to Evernote. Hackers have lists of stolen usernames and passwords and test them against many different online services. You should follow this same advice for any service you use to store important information. Another resource for you is https://haveibeenpwned.com/ . It's not an exhaustive list, but will tell you some of the public breaches that affected you.

Hi folks, I lead the security team at Evernote. The Evernote service and our apps are still secure; however, we discovered an unauthorized person testing a list of usernames and passwords that they stole from a site not associated with Evernote. If this person had the correct password for your account, they connected an iPhone app to it; and then used that app to search for cryptocurrency credentials. This isn’t a bug in our apps or service, it’s an unauthorized user connecting to your account. You need to take some actions to protect access to your account. Change your password to a unique one. Make it one that isn’t easy to guess. Make it one that you don’t use on another web site. Consider using a password manager to keep track of your passwords. Revoke any Authorized Applications that you are suspicious about or that accessed your account from an IP address you don’t know Install an anti-malware application on your computer and run it periodically to clean up any known malware. Setup two-factor authentication on your account, especially if you don’t want to use a unique password on your Evernote account. Then, even if someone learns your password, they won’t be able to access your account without also stealing your phone.

Hi @Rogueblue and @KazimZaidi, I lead the security team at Evernote. The Evernote service and our apps are still secure. I believe that an unauthorized person has learned your password, possibly because you used the same password on a different site, and that site experienced a security breach. This unauthorized person is using an iPhone app to connect to your account. If you revoked the device, but didn’t change your password, they were able to connect their iPhone app a second time. You need to take some actions to protect access to your account. Change your password to a unique one. Make it one that isn’t easy to guess. Make it one that you don’t use on another web site. Consider using a password manager to keep track of your passwords. Revoke any Authorized Applications that you are suspicious about or that accessed your account from an IP address you don’t know Install an anti-malware application on your computer and run it periodically to clean up any known malware. Setup two-factor authentication on your account, especially if you don’t want to use a unique password on your Evernote account. Even if someone learns your password, they won’t be able to access your account without also stealing your phone.

@nathanavish thanks for letting us know. The login anomaly feature we built last year needs some significant improvements. Until we can make those, we've shut it off. You need to make sure you don't use a password on your Evernote account that you've used on another site. If you do reuse a password, please setup two-factor authentication (2FA). That stops them from getting in. If you don't want the hassle of setting up 2FA, check out a password manager. 1password and Lastpass are two good ones and Lastpass is free.