Rich Tener

Evernote Employee
  • Content count

  • Joined

  • Last visited

Community Reputation

40 Good


About Rich Tener

Recent Profile Visitors

2,177 profile views
  1. @Oliver_ENf2013, you are correct that a lot of people enter the site through our marketing landing page at If you click login, you get taken to our web service at, which doesn't load Hotjar. We don't have Hotjar loading on any page under It's a little confusing that and are different sites. We keep a very strict separation between the marketing pages on and the Evernote service at They live in different infrastructures in Google's cloud platform and are completely isolated from each other. Part of my job is balancing confidence in a vendor with bounding risk. With the way that we've configured Hotjar (only loaded on our marketing site with very few places allow a visitor to enter any text) we've limited a lot of the risks associated with them. HTTP playback is a great example. It's not a good security position for them, but If the only thing coming across that stream is de-identified heat maps and mouse recordings, with redacted text fields, the privacy impact is almost non-existent. I don't think you are paranoid at all and you have a healthy level of scrutiny. My team and the other teams at Evernote welcome it. We appreciate you bringing potential security and privacy issues to our attention because you are helping make Evernote safer. Feel free to engage with us directly here in the future: @JMichaelTX, Hotjar is not recording keystrokes at either. @Metrodon, yep, we are using it for user journeys. We use the session recordings and heat maps to help us understand how visitors navigate the site. Our goal is to improve that and make navigation less confusing and more efficient.
  2. Hi everyone, I'm Evernote's head of security. @Oliver_ENf2013, thank you (and the others in this thread) for voicing your concerns. We had similar concerns when we evaluated the security and privacy impact of using Hotjar. Reviewing the security and privacy impact of a new vendor is a standard part of our vendor review process. We are using Hotjar, but we are using it in a way that minimizes the impact to your privacy: We only use Hotjar on our marketing website ( We don’t use it in our web client (, so words you type in a note are not being sent to Hotjar. We make sure the data we send to Hotjar is anonymized and de-identified. We do this by configuring the Hotjar javascript to redact anything you type into a form field. For example, if you enter contact information on our business contact page (, all Hotjar receives is a random string of asterisks for each field. We aren't in the business of selling or renting your information. That's been one of our guiding principles since we published our three laws of data protection and our mindset on that topic has not changed.
  3. @Artgirlofnm: Personal developer tokens are access tokens we let customers create who want to develop an application that integrates with our service. These tokens are not created by Evernote or its employees and use a similar authorization mechanism to our own Evernote clients. The tokens are being used by the unauthorized users because they provide direct access to our API and make it easier for them to search for sensitive information. Revoking all applications removes it, so you don't need to worry about it. You are correct about your IP address changing. It will change every time you connect to a new network. @xvisto: Unfortunately, we don't have your access history readily available, but we do know that the access happened sometime in August and September. We believe that the unauthorized person accessing Evernote accounts was specifically looking for cryptocurrency credentials.
  4. @Artgirlofnm @xvisto: While it might not appear in your access history, your access history is correct. We only display 30 days of access history and in some cases, the unauthorized access happened before that. Once we learned about the the malicious activity pattern, we notified users. If you were notified, it was because we found evidence of this pattern on your account. Please change your password as soon as possible and be sure to revoke all connected applications. The person that accessed your account also created a personal developer token that may still be present under Settings -> Applications. Please make sure that is no longer present and revoke it if it is. @xvisto: We don’t know how someone learned your password. This is not related to the password reset in 2013.
  5. Hi everyone, I lead Evernote's security team. We have received reports regarding what appears to be suspicious activity affecting a small percentage of our users. Our team is working with individual users to better secure their accounts and our security team believes that someone has learned these users’ passwords from a website or service not associated with Evernote. If you, or the people in your network receive an email from Evernote mentioning that we’ve detected suspicious activity, please know that this is not a hoax or spam message; it’s from us. To more quickly notify our customers in the future, we will roll out a new feature that will notify customers when we detect a new login from a new location or device.
  6. Hi @happycheese, I lead the security team here at Evernote and am happy to discuss how we are thinking about this attack vector. We do support TOTP codes with Google Authenticator, but don't give you a way to disable SMS delivery. Internally, we've discussed U2F support with our product teams and it is in our backlog, but we don't have any plans to implement support right now. We don't have any plans to let you disable SMS authentication as a backup to your code generator, but will consider it. We probably wouldn't do that by default, but would make it an option for users that want to protect their account against the type of mobile number takeover attacks described in the article. We still think that using SMS for delivering 2-factor codes is an improvement over not having 2-factor enabled at all. It also strikes a good balance between securing your account and not locking you out of it. Most code generator apps don't back up the secret keys, so if you lose or wipe your phone and didn't print out your backup codes, you are stuck. I suggest following the recommendations in the Forbes article. Even if we address this specific threat model, there will always be another service that doesn't and protecting your mobile number better secures all of them.
  7. Hi @murrain, we've been having trouble getting password reset emails delivered to some email providers. While we work on fixing that, we do have a way to help you. We don't offer phone support yet, but one of our customer support representatives can help if you create a customer support ticket here:
  8. @addmoo The notification emails you received after you changed your password are just delayed. Our email systems queue the outbound emails and may try to deliver for a couple of days before they give up and let you know. If you don't see any unexpected access in your Access History, you successfully kicked out whoever was using your account to send the emails.
  9. Our email system may continue to retry sending an email, even after you change your password and revoke any connected devices and sessions. The notifications are just delayed and not an indication that someone is still using your account to email notes. When we received reports about the bounced emails, I reviewed the activity patterns and saw similar behavior across most of our affected users. Not always though. In many cases, it wasn't clear whether the account login was suspicious until the account started sending emails. I agree that this type of activity is something that our users want to be notified about. We are working on adding a feature to our service that will notify you whenever someone logs into your account from a new device or network location. For the users that received bounce notification emails from our service, we haven't found any evidence that the person that accessed your account read any of your notes. They only seem to be using Evernote accounts to deliver spam by creating a new note, emailing that note, and then deleting that note.
  10. Hi, I lead Evernote's security team and can help answer some of your questions. Someone could have learned the password to your account in a variety of ways. The most common situation is when you use your Evernote password on another web site and that other web site gets hacked. Another possibility is that you entered your Evernote password on a computer that was infected with malware and the malware sent it to someone who collects and then uses or sells those collected usernames and passwords. To keep your data safe, change your password to a strong one that you only use on Evernote and setup two-step verification. That will make it very difficult for someone to break into your account.
  11. A number of you have asked questions about Google’s ability to analyze the content of your notes and what metadata they collect through our use of Google Cloud APIs. As we note in our Privacy Policy, Evernote may analyze your data to improve the service we provide to you. We may use Google Cloud Services to help us, but different Google Cloud APIs interact with Evernote data in somewhat different ways, which doesn’t lend itself to providing one simple description of all use cases. We are in close contact with the Google team to ensure that the Evernote data is processed in ways that are consistent with our Privacy Policy, and Google is not allowed to process your data for its own use or in ways that deviate from our instructions. Before we start to use any new Google service, we will review it to understand if any user data is collected and how it might be processed. In the event we need to update our Privacy Policy to communicate such use to you, we will do so.
  12. We will be using Google’s built-in encryption-at-rest features, which they describe here and here. This only addresses the risks associated with physically stealing a storage device or a failure in their drive disposal process. We did discuss key management practices with Google and had no concerns about their ability to address those risks. We are relying on the strength of our contract with Google and not introducing any new encryption methods to enforce it. We are not developing any new end-to-end encryption features at this time. I appreciate that some of our users want this in the form of password protected notes, notebooks, and entire accounts. We have a fairly long-running thread on that topic. We are going to use Google as IaaS and PaaS on the backend. Our clients will continue to interact with our service using the Evernote API. We don't have any plans to change that as part of this migration. We have an application security program and dedicated staff that focus on securing our API, web client, and native clients. Addressing browser attacks is one part of that program. That's great to hear. We appreciate feedback from the security community. People like you help us to make Evernote more secure and if you find a security issue, don't hesitate to engage with our security team:
  13. Hi @DCDawg, happy to respond. 1. We aren’t FedRAMP compliant today, so meeting all the requirements for a FedRAMP certification wasn’t a requirement for us. As part of our security review process, we reviewed their audit reports and asked a lot of questions. My goal is to protect your data (and mine) and ensure that our service providers have reasonable security protections in place. Google does. We aren’t planning to pursue any additional certifications for ourselves right now, but moving into Google Cloud Platform does help with built-in capabilities like encryption at rest. 2. Do you have a specific threat scenario you are concerned about? We have protective capabilities in our data centers that we are implementing in GCP using their native features, plus some additional ones we are engineering. I’d like to save a lot of the detail for a future blog post, but happy to let you know how we address a particular risk that you are concerned about.
  14. Hi @Cherice B, If you move a note into a local notebook, it makes a copy of the note to that notebook and moves the original note to your Trash. If you want to delete that note, you'll need to empty your trash. See this link for more information on how to do that:!/article/23176542. As @gazumped mentioned, we do maintain backups, so you should refer to section IV of our privacy policy for more information about that:
  15. We are not changing our refund policy for this announcement. Please visit this page for information on refunds: