Rich Tener

Evernote Staff
  1. Account been hacked? Help!

    Hi everyone, I lead the security team at Evernote. Our security team recently discovered a credential stuffing attack against our service. An unauthorized person has been testing a list of passwords stolen from a site not associated with Evernote. For the small percentage of our users that were affected, the unauthorized individual connected an iPhone to their Evernote account and ran multiple searches, most likely looking for cryptocurrency credentials. For many Basic-tier users, this pushed them over their device limit.

    We've been experiencing significant delays with delivering suspicious login notification emails. I'm sorry about that, and we are working on fixing that notification service. The Evernote service is still secure, and we are planning to act to protect the affected users. We will be notifying them, revoking the unauthorized iPhone, and expiring their password.

    The recommendations in this thread about using a complex password and setting up 2FA are good. You can also find some helpful tips here: https://evernote.com/security/tips If you have any additional questions, feel free to ask.
  2. Hi everyone, I lead Evernote's security team. I wanted to make you aware of a recent update to Evernote for Windows versions 6.4–6.7.

    All Evernote apps connect with our service over HTTPS, which ensures that the data you send between your devices and our service is encrypted. We recently discovered a security vulnerability in older versions of Evernote for Windows that caused affected clients to use HTTP when contacting certain portions of the Evernote Service. This means that if you used one of the vulnerable versions of our Windows client, our software was occasionally sending your authentication token across the Internet using HTTP without first encrypting it. To be clear, your note content, usernames, and passwords were, and continue to be, securely encrypted in transit. Your password is still safe, and you don’t need to change it.

    To protect customers, we have blocked access from older versions of Evernote for Windows and have done the same for a small number of third-party applications. We have also revoked the authentication session tokens for anyone currently running a vulnerable version of our app. If you had previously blocked upgrades beyond version 6.7, we are providing a hotfix that you can download here: https://cdn1.evernote.com/win6/public/Evernote_6.7.6.7584.exe

    We strongly encourage all customers to update to the latest version of Evernote for Windows. As an additional precaution, you should log out and back in to refresh your authentication token. We have already notified customers that were affected by this directly via email.
  3. @compromised if you discovered unauthorized access to your account, someone had access to everything in it. We don't know exactly what the malicious actors are looking for, but based on previous investigations, we believe they are searching for cryptocurrency wallet credentials. I suggest rotating any credentials you had stored in your notes and looking at a purpose-built password manager to store those moving forward.
  4. @ballard there were a couple of issues going on. The first is that Geeknote doesn't comply with our API license, which requires the developer to protect their consumer secrets. Geeknote is a standalone app, so the secret is in the source code (config.py). To properly protect it, the developer needs to remove it from the source code and set up a web service to authenticate users. In situations where someone is using an app to abuse our service, we work with the developer to stop new logins on their infrastructure. With Geeknote, we can't do that because there is no infrastructure. We also couldn't reach the original developer that registered the API key.

    There is a path forward. For standalone apps like Geeknote, we support a downloadable personal authentication token called a developer token (http://dev.evernote.com/doc/articles/dev_tokens.php). With some app modifications, you can use this personal developer token to authenticate Geeknote to your account. We've had abuse issues with dev tokens in the past, so we whitelist who can use them. Before we revoked Geeknote from our service, we enabled dev token downloads for everyone that had been using Geeknote. Jeff Kowalski, the maintainer of the forked version, has reached out to us and we are working with him on a path forward to get Geeknote working again.
  5. @zingbretsen that's correct. The malicious actors were just using Geeknote.
  6. Hi everyone, I lead Evernote's security team. We recently received reports from a small number of users that they had discovered unauthorized access on their account from a third-party app called "Geeknote". We believe that someone has learned these users’ passwords from a website or service not associated with Evernote. Our security team investigated these reports and found that Geeknote was being used by malicious actors to automate access to our service. We care about the security of Evernote customers, so we’ve revoked the app from our service to disrupt the abuse and protect customers.

    If you were previously a Geeknote user, we've emailed you directly to explain this change. If we detected unauthorized access on your account, we've also emailed you and reset your password. If you have not received either email notification from us, then you are likely not impacted.

    We recommend that you always use a unique password on your Evernote account and set up two-factor authentication to better protect it. See https://evernote.com/security/tips for more tips on how to secure your account. To understand more about Evernote and third-party applications visit: https://evernote.com/privacy/third-party-apps
  7. @Oliver_ENf2013, you are correct that a lot of people enter the site through our marketing landing page at https://evernote.com. If you click login, you get taken to our web service at https://www.evernote.com, which doesn't load Hotjar. We don't have Hotjar loading on any page under www.evernote.com. It's a little confusing that evernote.com and www.evernote.com are different sites. We keep a very strict separation between the marketing pages on evernote.com and the Evernote service at www.evernote.com. They live in different infrastructures in Google's cloud platform and are completely isolated from each other.

    Part of my job is balancing confidence in a vendor with bounding risk. With the way that we've configured Hotjar (only loaded on our marketing site, with very few places that allow a visitor to enter any text) we've limited a lot of the risks associated with them. HTTP playback is a great example. It's not a good security position for them, but if the only thing coming across that stream is de-identified heat maps and mouse recordings, with redacted text fields, the privacy impact is almost non-existent.

    I don't think you are paranoid at all and you have a healthy level of scrutiny. My team and the other teams at Evernote welcome it. We appreciate you bringing potential security and privacy issues to our attention because you are helping make Evernote safer. Feel free to engage with us directly here in the future: https://evernote.com/security/report-issue

    @JMichaelTX, Hotjar is not recording keystrokes at https://www.evernote.com/Login.action either.

    @Metrodon, yep, we are using it for user journeys. We use the session recordings and heat maps to help us understand how visitors navigate the site. Our goal is to improve that and make navigation less confusing and more efficient.
  8. Hi everyone, I'm Evernote's head of security. @Oliver_ENf2013, thank you (and the others in this thread) for voicing your concerns. We had similar concerns when we evaluated the security and privacy impact of using Hotjar. Reviewing the security and privacy impact of a new vendor is a standard part of our vendor review process. We are using Hotjar, but we are using it in a way that minimizes the impact to your privacy:

    We only use Hotjar on our marketing website (https://evernote.com). We don’t use it in our web client (https://www.evernote.com/Home.action), so words you type in a note are not being sent to Hotjar.

    We make sure the data we send to Hotjar is anonymized and de-identified. We do this by configuring the Hotjar javascript to redact anything you type into a form field. For example, if you enter contact information on our business contact page (https://evernote.com/business/contact/), all Hotjar receives is a random string of asterisks for each field.

    We aren't in the business of selling or renting your information. That's been one of our guiding principles since we published our three laws of data protection and our mindset on that topic has not changed.
  9. @Artgirlofnm: Personal developer tokens are access tokens we let customers create who want to develop an application that integrates with our service. These tokens are not created by Evernote or its employees and use a similar authorization mechanism to our own Evernote clients. The tokens are being used by the unauthorized users because they provide direct access to our API and make it easier for them to search for sensitive information. Revoking all applications removes it, so you don't need to worry about it. You are correct about your IP address changing. It will change every time you connect to a new network.

    @xvisto: Unfortunately, we don't have your access history readily available, but we do know that the access happened sometime in August and September. We believe that the unauthorized person accessing Evernote accounts was specifically looking for cryptocurrency credentials.
  10. @Artgirlofnm @xvisto: While it might not appear in your access history, your access history is correct. We only display 30 days of access history and in some cases, the unauthorized access happened before that. Once we learned about the malicious activity pattern, we notified users. If you were notified, it was because we found evidence of this pattern on your account. Please change your password as soon as possible and be sure to revoke all connected applications. The person that accessed your account also created a personal developer token that may still be present under Settings -> Applications. Please make sure that is no longer present and revoke it if it is.

    @xvisto: We don’t know how someone learned your password. This is not related to the password reset in 2013.
  11. Hi everyone, I lead Evernote's security team. We have received reports regarding what appears to be suspicious activity affecting a small percentage of our users. Our team is working with individual users to better secure their accounts and our security team believes that someone has learned these users’ passwords from a website or service not associated with Evernote. If you, or the people in your network receive an email from Evernote mentioning that we’ve detected suspicious activity, please know that this is not a hoax or spam message; it’s from us. To more quickly notify our customers in the future, we will roll out a new feature that will notify customers when we detect a new login from a new location or device.
  12. Hi @happycheese, I lead the security team here at Evernote and am happy to discuss how we are thinking about this attack vector. We do support TOTP codes with Google Authenticator, but don't give you a way to disable SMS delivery. Internally, we've discussed U2F support with our product teams and it is in our backlog, but we don't have any plans to implement support right now. We don't have any plans to let you disable SMS authentication as a backup to your code generator, but will consider it. We probably wouldn't do that by default, but would make it an option for users that want to protect their account against the type of mobile number takeover attacks described in the article. We still think that using SMS for delivering 2-factor codes is an improvement over not having 2-factor enabled at all. It also strikes a good balance between securing your account and not locking you out of it. Most code generator apps don't back up the secret keys, so if you lose or wipe your phone and didn't print out your backup codes, you are stuck. I suggest following the recommendations in the Forbes article. Even if we address this specific threat model, there will always be another service that doesn't and protecting your mobile number better secures all of them.
  13. Hi @murrain, we've been having trouble getting password reset emails delivered to some email providers. While we work on fixing that, we do have a way to help you. We don't offer phone support yet, but one of our customer support representatives can help if you create a customer support ticket here: https://help.evernote.com/hc/en-us/requests/new
  14. @addmoo The notification emails you received after you changed your password are just delayed. Our email systems queue the outbound emails and may try to deliver for a couple of days before they give up and let you know. If you don't see any unexpected access in your Access History, you successfully kicked out whoever was using your account to send the emails.
  15. Our email system may continue to retry sending an email, even after you change your password and revoke any connected devices and sessions. The notifications are just delayed and not an indication that someone is still using your account to email notes. When we received reports about the bounced emails, I reviewed the activity patterns and saw similar behavior across most of our affected users. Not always though. In many cases, it wasn't clear whether the account login was suspicious until the account started sending emails. I agree that this type of activity is something that our users want to be notified about. We are working on adding a feature to our service that will notify you whenever someone logs into your account from a new device or network location. For the users that received bounce notification emails from our service, we haven't found any evidence that the person that accessed your account read any of your notes. They only seem to be using Evernote accounts to deliver spam by creating a new note, emailing that note, and then deleting that note.
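As an added example (not Evernote's code, and not from any of the posts above), a client-side guard of the kind that would have prevented the auth-token-over-HTTP bug described in post 2, plus a check over constructed proxy log lines that flags the same condition after the fact; the host names, header name and log format are assumptions.

```python
"""Guard against sending an auth token over plaintext HTTP, and a log
check for the same condition. Hosts, header name and log format are
assumed for illustration; the log lines are constructed, not real."""
from urllib.parse import urlsplit

# Assumed: hosts that must only ever be reached over HTTPS.
TOKEN_HOSTS = {"api.example.test", "cdn.example.test"}
AUTH_HEADER = "Authorization"  # assumed header carrying the session token


class PlaintextTokenError(Exception):
    """Raised when a request would send the token without TLS."""


def build_request(url: str, token: str) -> dict:
    """Return the URL and headers for a request, attaching the token
    only over HTTPS. An http:// URL to a token-bearing host is upgraded
    (the client merely used the wrong scheme); any other non-HTTPS
    request never gets the token at all."""
    parts = urlsplit(url)
    if parts.scheme == "http" and parts.hostname in TOKEN_HOSTS:
        url = parts._replace(scheme="https").geturl()
        parts = urlsplit(url)
    if parts.scheme != "https":
        raise PlaintextTokenError(f"refusing to send token over {parts.scheme!r}")
    return {"url": url, "headers": {AUTH_HEADER: f"Bearer {token}"}}


def find_plaintext_tokens(log_lines):
    """Detection side: return URLs of log lines where the token header was
    carried over http://. Assumed format: 'METHOD URL HEADER=VALUE ...'."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue
        url = fields[1]
        has_token = any(f.startswith(AUTH_HEADER + "=") for f in fields[2:])
        if urlsplit(url).scheme == "http" and has_token:
            hits.append(url)
    return hits


# Constructed sample proxy log (not real traffic): one plaintext token leak.
SAMPLE_LOG = [
    "GET http://cdn.example.test/client/update.xml Authorization=Bearer%20S%3Dxyz",
    "POST https://api.example.test/edam/note Authorization=Bearer%20S%3Dxyz",
    "GET http://cdn.example.test/logo.png",
]
```

Running `find_plaintext_tokens(SAMPLE_LOG)` over a real proxy or client log would list every endpoint where the token crossed the wire unencrypted, which is the inventory the revocation step in post 2 needs.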