Rich Tener

@jefito thank you for the suggestion; we will post more about this type of issue and how it relates to password reuse in broader forum. I wish I could say that this was a one-time event. We detect and respond to multiple groups of people testing stolen credential lists against our service. It's also not unique to us. It's constant activity hitting every major web service. For anyone that would like to see if they are affected by a public breach and have had their password stolen, check out https://haveibeenpwned.com/ It's not an exhaustive list, but shows the importance of using a unique password on every web site you use or setting up 2FA.

@Rogueblue, if you are using a unique password on your Evernote account that you've never used anywhere else, I'm happy to open a support case to look into your specific situation. It's unlikely anyone stole your Evernote password from us. We only store your password using a secure, irreversible hashing method. Even we don't know what your password is; we can only take the password you enter when you login and run it through the same one-way secure hashing method and compare the result. The unauthorized user isn't targeting you specifically. They are testing a list of stolen usernames and passwords and if they find one that works, they are logging in to search for things like cryptocurrency credentials and other passwords. If you are using your Evernote password on other web services, you might want to check out https://haveibeenpwned.com/ . It's not an exhaustive list, but will tell you some of the public breaches that affected you.

@nathanavish and @bklyngrrl, thank you for the feedback. I realize we aren't meeting your expectations regarding notification and we have both these feature requests filed. @DTLow's advice to post it as a feature request is good. I'll also send this discussion to our product management team. @FloBorge, our service is still secure, but a small percentage of our customers have had their passwords stolen from other sites. The unauthorized person is using a very large network of compromised computers to proxy through, which you and other affected customers see access from different countries. Please be sure to: change your Evernote password to one that you've never used or setup 2FA on your account revoke the rogue iPhone device from your account install an anti-malware app in case you have a password stealer installed on a computer that you use to login to Evernote This type of issue isn't unique to Evernote. Hackers have lists of stolen usernames and passwords and test them against many different online services. You should follow this same advice for any service you use to store important information. Another resource for you is https://haveibeenpwned.com/ . It's not an exhaustive list, but will tell you some of the public breaches that affected you.

Hi folks, I lead the security team at Evernote. The Evernote service and our apps are still secure; however, we discovered an unauthorized person testing a list of usernames and passwords that they stole from a site not associated with Evernote. If this person had the correct password for your account, they connected an iPhone app to it; and then used that app to search for cryptocurrency credentials. This isn’t a bug in our apps or service, it’s an unauthorized user connecting to your account. You need to take some actions to protect access to your account. Change your password to a unique one. Make it one that isn’t easy to guess. Make it one that you don’t use on another web site. Consider using a password manager to keep track of your passwords. Revoke any Authorized Applications that you are suspicious about or that accessed your account from an IP address you don’t know Install an anti-malware application on your computer and run it periodically to clean up any known malware. Setup two-factor authentication on your account, especially if you don’t want to use a unique password on your Evernote account. Then, even if someone learns your password, they won’t be able to access your account without also stealing your phone.

Hi @Rogueblue and @KazimZaidi, I lead the security team at Evernote. The Evernote service and our apps are still secure. I believe that an unauthorized person has learned your password, possibly because you used the same password on a different site, and that site experienced a security breach. This unauthorized person is using an iPhone app to connect to your account. If you revoked the device, but didn’t change your password, they were able to connect their iPhone app a second time. You need to take some actions to protect access to your account. Change your password to a unique one. Make it one that isn’t easy to guess. Make it one that you don’t use on another web site. Consider using a password manager to keep track of your passwords. Revoke any Authorized Applications that you are suspicious about or that accessed your account from an IP address you don’t know Install an anti-malware application on your computer and run it periodically to clean up any known malware. Setup two-factor authentication on your account, especially if you don’t want to use a unique password on your Evernote account. Even if someone learns your password, they won’t be able to access your account without also stealing your phone.

@nathanavish thanks for letting us know. The login anomaly feature we built last year needs some significant improvements. Until we can make those, we've shut it off. You need to make sure you don't use a password on your Evernote account that you've used on another site. If you do reuse a password, please setup two-factor authentication (2FA). That stops them from getting in. If you don't want the hassle of setting up 2FA, check out a password manager. 1password and Lastpass are two good ones and Lastpass is free.

Hi @EdH, I lead Evernote's security team. You are correct that we are letting facebook and other social networks place a cookie in your browser when you login to our web client. Please check out the "Social Media Features" section off this page for more information: https://evernote.com/privacy/cookies This cookie doesn't give Facebook or any other social network access to your account or notes. We are only setting the cookie on the login page. We never load any social media javascript or tracking pixels on pages inside the web client to protect the privacy of your note content. For changes to the login page, we have an internal review process that includes a member of my team approving any new javascript being loaded. Why do we load the cookie? Primarily to allow our marketing team to retarget you on social networks to let you know about new features, discounts, etc... Your Evernote web client experience should be the same whether you accept or reject these social media cookies.

Hi everyone, I lead the security team at Evernote. Our security team recently discovered a credential stuffing attack against our service. An unauthorized person has been testing a list of passwords stolen from a site not associated with Evernote. For the small percentage of our users that were affected, the unauthorized individual connected an iPhone to their Evernote account and ran multiple searches, most likely looking for cryptocurrency credentials. For many Basic-tier users, this pushed them over their device limit. We've been experiencing significant delays with delivering suspicious login notification emails. I'm sorry about that and are working on fixing that notification service. The Evernote service is still secure, and we are planning to act to protect the affected users. We will be notifying them, revoking the unauthorized iPhone, and expiring their password. The recommendations in this thread about using a complex password and setting up 2FA are good. You can also find some helpful tips here: https://evernote.com/security/tips If you have any additional questions, feel free to ask.

Hi everyone, I lead Evernote's security team. I wanted to make you aware of a recent update to Evernote for Windows versions 6.4–6.7. All Evernote apps connect with our service over HTTPS, which ensures that the data you send between your devices and our service is encrypted. We recently discovered a security vulnerability in older versions of Evernote for Windows that caused affected clients to use HTTP when contacting certain portions of the Evernote Service. This means that if you used one of the vulnerable versions of our Windows client, our software was occasionally sending your authentication token across the Internet using HTTP without first encrypting it. To be clear, your note content, usernames, and passwords were, and continue to be, securely encrypted in transit. Your password is still safe, and you don’t need to change it. To protect customers, we have blocked access from older versions of Evernote for Windows and have done the same for a small number of third party applications. We have also revoked the authentication session tokens for anyone currently running a vulnerable version of our app. If you had previously blocked upgrades beyond version 6.7, we are providing a hotfix that you can download here: https://cdn1.evernote.com/win6/public/Evernote_6.7.6.7584.exe We strongly encourage all customers to update to the latest version of Evernote for Windows. As an additional precaution, you should log out and back in to refresh your authentication token. We have already notified customers that were affected by this directly via email.

@compromised if you discovered unauthorized access to your account, someone had access to everything in it. We don't know exactly what the malicious actors are looking for, but based on previous investigations, we believe they are searching for cryptocurrency wallet credentials. I suggest rotating any credentials you had stored in your notes and looking at a purpose-built password manager to store those moving forward.

@ballard there were a couple issues going on. The first is that Geeknote doesn't comply with our API license, which requires the developer to protect their consumer secrets. Geeknote is a standalone app, so the secret is in the source code (config.py). To properly protect it, the developer needs to remove it from the source code and set up a web service to authenticate users. In situations where someone is using an app to abuse our service, we work with the developer to stop new logins on their infrastructure. With Geeknote, we can't do that because there is no infrastructure. We also couldn't reach the original developer that registered the API key. There is a path forward. For standalone apps like Geeknote, we support a downloadable personal authentication token called a developer token (http://dev.evernote.com/doc/articles/dev_tokens.php). With some app modifications, you can use this personal developer token to authenticate Geeknote to your account. We've had abuse issues with dev tokens in the past, so we whitelist who can use them. Before we revoked Geeknote from our service, we enabled dev token downloads for everyone that had been using Geeknote. Jeff Kowalski, the maintainer of the forked version, has reached out to us and we are working with him on a path forward to get Geeknote working again.

@zingbretsen that's correct. The malicious actors were just using Geeknote.

Hi everyone, I lead Evernote's security team. We recently received reports from a small number of users that they had discovered unauthorized access on their account from a third-party app called "Geeknote". We believe that someone has learned these users’ passwords from a website or service not associated with Evernote. Our security team investigated these reports and found that Geeknote was being used by malicious actors to automate access to our service. We care about the security of Evernote customers, so we’ve revoked the app from our service to disrupt the abuse and protect customers. If you were previously a Geeknote user, we've emailed you directly to explain this change. If we detected unauthorized access on your account, we've also emailed you and reset your password. If you have not received either email notification from us, then you are likely not impacted. We recommend that you always use a unique password on your Evernote account and setup two-factor authentication to better protect it. See https://evernote.com/security/tips for more tips on how to secure your account. To understand more about Evernote and third-party applications visit: https://evernote.com/privacy/third-party-apps

@Oliver_ENf2013, you are correct that a lot of people enter the site through our marketing landing page at https://evernote.com. If you click login, you get taken to our web service at https://www.evernote.com, which doesn't load Hotjar. We don't have Hotjar loading on any page under www.evernote.com. It's a little confusing that evernote.com and www.evernote.com are different sites. We keep a very strict separation between the marketing pages on evernote.com and the Evernote service at www.evernote.com. They live in different infrastructures in Google's cloud platform and are completely isolated from each other. Part of my job is balancing confidence in a vendor with bounding risk. With the way that we've configured Hotjar (only loaded on our marketing site with very few places allow a visitor to enter any text) we've limited a lot of the risks associated with them. HTTP playback is a great example. It's not a good security position for them, but If the only thing coming across that stream is de-identified heat maps and mouse recordings, with redacted text fields, the privacy impact is almost non-existent. I don't think you are paranoid at all and you have a healthy level of scrutiny. My team and the other teams at Evernote welcome it. We appreciate you bringing potential security and privacy issues to our attention because you are helping make Evernote safer. Feel free to engage with us directly here in the future: https://evernote.com/security/report-issue @JMichaelTX, Hotjar is not recording keystrokes at https://www.evernote.com/Login.action either. @Metrodon, yep, we are using it for user journeys. We use the session recordings and heat maps to help us understand how visitors navigate the site. Our goal is to improve that and make navigation less confusing and more efficient.

Hi everyone, I'm Evernote's head of security. @Oliver_ENf2013, thank you (and the others in this thread) for voicing your concerns. We had similar concerns when we evaluated the security and privacy impact of using Hotjar. Reviewing the security and privacy impact of a new vendor is a standard part of our vendor review process. We are using Hotjar, but we are using it in a way that minimizes the impact to your privacy: We only use Hotjar on our marketing website (https://evernote.com). We don’t use it in our web client (https://www.evernote.com/Home.action), so words you type in a note are not being sent to Hotjar. We make sure the data we send to Hotjar is anonymized and de-identified. We do this by configuring the Hotjar javascript to redact anything you type into a form field. For example, if you enter contact information on our business contact page (https://evernote.com/business/contact/), all Hotjar receives is a random string of asterisks for each field. We aren't in the business of selling or renting your information. That's been one of our guiding principles since we published our three laws of data protection and our mindset on that topic has not changed.