Jump to content

Rich Tener

Employee Alumni
  • Content Count

    52
  • Joined

  • Last visited

  • Days Won

    2

Posts posted by Rich Tener


  1. @k8h - as we mentioned in the email: "We believe someone has learned your password from a website or service not associated with Evernote." They didn't learn your password from us. The most likely way they learned it was by stealing it from another site that you used the same password on.

     

    @ChrisB009- Your memory serves you correctly, but the email you just received wasn't because Evernote was breached. This was someone learning your password from another site and opportunistically logging into your account. They are automating that process and logging in multiple times as they come up with new things to search for. I agree with you that nothing is 100% secure, but to anyone reading this, if you care about protecting the data in your account, you need to use a unique password or setup two-factor authentication.


  2. Hi @tedwlm. To protect your privacy, we never look at what an individual searches for in their account. Instead, we have a process to de-identify and aggregate common search terms across our broader population. When we did this, we saw the same terms being searched consistently across a number of accounts that matched up with the number of affected customers. The search terms included a number of different cryptocurrency terms such as “Bitcoin” and “Ethereum”, but also more generic terms like “password”. We suspect that if they find passwords, they feed those into their automation to test against other services, much the same way they test usernames and passwords against Evernote.


  3. Hi @VanessaW,

    We are always keeping an eye out for suspicious activity and once we start to see a pattern, we take action to protect the affected customers. I appreciate your feedback that we didn’t act as quickly as you expected us to. We are primarily focused on detecting breaches of our service, which this was not. This was someone that knew your password and logged into your account. The number of Evernote customers affected by this issue is a small percentage.

    While it looks like hundreds of hackers accessed your account from different countries, it is more likely that it was only one person or a small group. They are using an automation tool that makes it look like they are using an iPhone or Android phone. It isn’t a human logging in with a mobile device, just a machine pretending to be one. Once they discover a username and password that works, they use their automation tool to login over and over, probably as they expand their search for different things. It started as cryptocurrency but could have evolved to other sensitive information types. It looks like they are logging in from many different countries because they are proxying their tool through a large network of devices that spans almost every country.

    Protecting your account is a shared responsibility between us and you. If you reuse a password on Evernote that you use on other sites, you are putting your data at risk. We recommend that you either setup two-factor authentication or change your Evernote password to a unique one that you don’t use anywhere else. I suggest checking out https://haveibeenpwned.com/ to give you an idea of how many data breaches you might have been included in and change any password that you used on those sites.
     

    • Like 1

  4. Hi @Gamer0987. You are correct that we’ve seen an increase in this type of issue since 2017. And while we are always keeping an eye out for suspicious activity patterns, I appreciate your feedback that we didn’t act as quickly as you expected us to. We are primarily focused on detecting breaches of our service, which this was not.

    Regarding the second email, we accidentally sent a second email to some of you. It was a mistake on our part and not because we detected suspicious activity on your account a second time. If you have already changed your password or setup 2FA, please ignore the second email we sent you.

    What was compromised: The unauthorized user searched your account for passwords and cryptocurrency terms and downloaded the notes that we returned in the search results. They didn’t have access to your device; only your Evernote account, and only because they learned your password from somewhere other than us.

    If you changed your password to one that you don’t use on another site, your account should be secure.
     

    • Thanks 2

  5. Hi folks, I lead the security team at Evernote.

    If you, or the people in your network receive an email from Evernote mentioning that we’ve detected suspicious activity, please know that this is not a hoax or spam message; it’s from us.

    The Evernote service and our apps are still secure; however, we discovered an unauthorized person testing a list of usernames and passwords that they stole from a site not associated with Evernote. If this person had the correct password for your account, they connected an iPhone app to it; and then used that app to search for cryptocurrency credentials.

    You need to take some actions to protect access to your account. 

    1. Change your password to a unique one. Make it one that isn’t easy to guess. Make it one that you don’t use on another web site. Consider using a password manager to keep track of your passwords.
    2. Revoke any Authorized Applications that you are suspicious about or that accessed your account from an IP address you don’t know
    3. Install an anti-malware application on your computer and run it periodically to clean up any known malware.
    4. Setup two-factor authentication on your account, especially if you don’t want to use a unique password on your Evernote account. Then, even if someone learns your password, they won’t be able to access your account without also stealing your phone.
    • Like 4
    • Thanks 4

  6. @jefito thank you for the suggestion; we will post more about this type of issue and how it relates to password reuse in broader forum.

    I wish I could say that this was a one-time event. We detect and respond to multiple groups of people testing stolen credential lists against our service. It's also not unique to us. It's constant activity hitting every major web service.

    For anyone that would like to see if they are affected by a public breach and have had their password stolen, check out https://haveibeenpwned.com/ It's not an exhaustive list, but shows the importance of using a unique password on every web site you use or setting up 2FA.


  7. @Rogueblue, if you are using a unique password on your Evernote account that you've never used anywhere else, I'm happy to open a support case to look into your specific situation.

    It's unlikely anyone stole your Evernote password from us. We only store your password using a secure, irreversible hashing method. Even we don't know what your password is; we can only take the password you enter when you login and run it through the same one-way secure hashing method and compare the result. 

    The unauthorized user isn't targeting you specifically. They are testing a list of stolen usernames and passwords and if they find one that works, they are logging in to search for things like cryptocurrency credentials and other passwords.

    If you are using your Evernote password on other web services, you might want to check out https://haveibeenpwned.com/ . It's not an exhaustive list, but will tell you some of the public breaches that affected you.


  8. @nathanavish and @bklyngrrl, thank you for the feedback. I realize we aren't meeting your expectations regarding notification and we have both these feature requests filed. @DTLow's advice to post it as a feature request is good. I'll also send this discussion to our product management team.

    @FloBorge, our service is still secure, but a small percentage of our customers have had their passwords stolen from other sites. The unauthorized person is using a very large network of compromised computers to proxy through, which you and other affected customers see access from different countries.

    Please be sure to:

    • change your Evernote password to one that you've never used or setup 2FA on your account
    • revoke the rogue iPhone device from your account
    • install an anti-malware app in case you have a password stealer installed on a computer that you use to login to Evernote

    This type of issue isn't unique to Evernote. Hackers have lists of stolen usernames and passwords and test them against many different online services. You should follow this same advice for any service you use to store important information.

    Another resource for you is https://haveibeenpwned.com/ . It's not an exhaustive list, but will tell you some of the public breaches that affected you.


  9. Hi folks,

    I lead the security team at Evernote.  The Evernote service and our apps are still secure; however, we discovered an unauthorized person testing a list of usernames and passwords that they stole from a site not associated with Evernote. If this person had the correct password for your account, they connected an iPhone app to it; and then used that app to search for cryptocurrency credentials. This isn’t a bug in our apps or service, it’s an unauthorized user connecting to your account.

    You need to take some actions to protect access to your account. 

    1. Change your password to a unique one. Make it one that isn’t easy to guess. Make it one that you don’t use on another web site. Consider using a password manager to keep track of your passwords.
    2. Revoke any Authorized Applications that you are suspicious about or that accessed your account from an IP address you don’t know
    3. Install an anti-malware application on your computer and run it periodically to clean up any known malware.
    4. Setup two-factor authentication on your account, especially if you don’t want to use a unique password on your Evernote account. Then, even if someone learns your password, they won’t be able to access your account without also stealing your phone.
    • Like 3
    • Thanks 1

  10. Hi @Rogueblue and @KazimZaidi,

    I lead the security team at Evernote. The Evernote service and our apps are still secure. I believe that an unauthorized person has learned your password, possibly because you used the same password on a different site, and that site experienced a security breach. This unauthorized person is using an iPhone app to connect to your account. If you revoked the device, but didn’t change your password, they were able to connect their iPhone app a second time.

    You need to take some actions to protect access to your account. 

    1. Change your password to a unique one. Make it one that isn’t easy to guess. Make it one that you don’t use on another web site. Consider using a password manager to keep track of your passwords.
    2. Revoke any Authorized Applications that you are suspicious about or that accessed your account from an IP address you don’t know
    3. Install an anti-malware application on your computer and run it periodically to clean up any known malware.
    4. Setup two-factor authentication on your account, especially if you don’t want to use a unique password on your Evernote account. Even if someone learns your password, they won’t be able to access your account without also stealing your phone.

  11. @nathanavish thanks for letting us know. The login anomaly feature we built last year needs some significant improvements. Until we can make those, we've shut it off. 

    You need to make sure you don't use a password on your Evernote account that you've used on another site. If you do reuse a password, please setup two-factor authentication (2FA). That stops them from getting in. If you don't want the hassle of setting up 2FA, check out a password manager. 1password and Lastpass are two good ones and Lastpass is free.


  12. Hi @EdH, I lead Evernote's security team. You are correct that we are letting facebook and other social networks place a cookie in your browser when you login to our web client. Please check out the "Social Media Features" section off this page for more information: https://evernote.com/privacy/cookies

    This cookie doesn't give Facebook or any other social network access to your account or notes. We are only setting the cookie on the login page. We never load any social media javascript or tracking pixels on pages inside the web client to protect the privacy of your note content. For changes to the login page, we have an internal review process that includes a member of my team approving any new javascript being loaded.

    Why do we load the cookie? Primarily to allow our marketing team to retarget you on social networks to let you know about new features, discounts, etc...

    Your Evernote web client experience should be the same whether you accept or reject these social media cookies.


  13. Hi everyone,

    I lead the security team at Evernote. Our security team recently discovered a credential stuffing attack against our service. An unauthorized person has been testing a list of passwords stolen from a site not associated with Evernote. For the small percentage of our users that were affected, the unauthorized individual connected an iPhone to their Evernote account and ran multiple searches, most likely looking for cryptocurrency credentials. For many Basic-tier users, this pushed them over their device limit.

    We've been experiencing significant delays with delivering suspicious login notification emails. I'm sorry about that and are working on fixing that notification service.

    The Evernote service is still secure, and we are planning to act to protect the affected users. We will be notifying them, revoking the unauthorized iPhone, and expiring their password. The recommendations in this thread about using a complex password and setting up 2FA are good. You can also find some helpful tips here: https://evernote.com/security/tips 

    If you have any additional questions, feel free to ask.

    • Like 3
    • Thanks 2

  14. @compromised if you discovered unauthorized access to your account, someone had access to everything in it. We don't know exactly what the malicious actors are looking for, but based on previous investigations, we believe they are searching for cryptocurrency wallet credentials. I suggest rotating any credentials you had stored in your notes and looking at a purpose-built password manager to store those moving forward.


  15. @ballard there were a couple issues going on. The first is that Geeknote doesn't comply with our API license, which requires the developer to protect their consumer secrets. Geeknote is a standalone app, so the secret is in the source code (config.py). To properly protect it, the developer needs to remove it from the source code and set up a web service to authenticate users. In situations where someone is using an app to abuse our service, we work with the developer to stop new logins on their infrastructure. With Geeknote, we can't do that because there is no infrastructure. We also couldn't reach the original developer that registered the API key.

    There is a path forward. For standalone apps like Geeknote, we support a downloadable personal authentication token called a developer token (http://dev.evernote.com/doc/articles/dev_tokens.php). With some app modifications, you can use this personal developer token to authenticate Geeknote to your account.

    We've had abuse issues with dev tokens in the past, so we whitelist who can use them. Before we revoked Geeknote from our service, we enabled dev token downloads for everyone that had been using Geeknote. 

    Jeff Kowalski, the maintainer of the forked version, has reached out to us and we are working with him on a path forward to get Geeknote working again.

    • Like 2

  16. Hi everyone, I lead Evernote's security team. We recently received reports from a small number of users that they had discovered unauthorized access on their account from a third-party app called "Geeknote". We believe that someone has learned these users’ passwords from a website or service not associated with Evernote.

    Our security team investigated these reports and found that Geeknote was being used by malicious actors to automate access to our service. We care about the security of Evernote customers, so we’ve revoked the app from our service to disrupt the abuse and protect customers.

    If you were previously a Geeknote user, we've emailed you directly to explain this change.

    If we detected unauthorized access on your account, we've also emailed you and reset your password.  

    If you have not received either email notification from us, then you are likely not impacted.

    We recommend that you always use a unique password on your Evernote account and setup two-factor authentication to better protect it. See https://evernote.com/security/tips for more tips on how to secure your account.

    To understand more about Evernote and third-party applications visit: https://evernote.com/privacy/third-party-apps
     

    • Like 2
    • Sad 1

  17. @Oliver_ENf2013, you are correct that a lot of people enter the site through our marketing landing page at https://evernote.com. If you click login, you get taken to our web service at https://www.evernote.com, which doesn't load Hotjar. We don't have Hotjar loading on any page under www.evernote.com. It's a little confusing that evernote.com and www.evernote.com are different sites. We keep a very strict separation between the marketing pages on evernote.com and the Evernote service at www.evernote.com. They live in different infrastructures in Google's cloud platform and are completely isolated from each other. 

    Part of my job is balancing confidence in a vendor with bounding risk. With the way that we've configured Hotjar (only loaded on our marketing site with very few places allow a visitor to enter any text) we've limited a lot of the risks associated with them. HTTP playback is a great example. It's not a good security position for them, but If the only thing coming across that stream is de-identified heat maps and mouse recordings, with redacted text fields, the privacy impact is almost non-existent.

    I don't think you are paranoid at all and you have a healthy level of scrutiny. My team and the other teams at Evernote welcome it. We appreciate you bringing potential security and privacy issues to our attention because you are helping make Evernote safer. Feel free to engage with us directly here in the future: https://evernote.com/security/report-issue

    @JMichaelTX, Hotjar is not recording keystrokes at https://www.evernote.com/Login.action either.  

    @Metrodon, yep, we are using it for user journeys. We use the session recordings and heat maps to help us understand how visitors navigate the site. Our goal is to improve that and make navigation less confusing and more efficient.


  18. Hi everyone, I'm Evernote's head of security. @Oliver_ENf2013, thank you (and the others in this thread) for voicing your concerns. We had similar concerns when we evaluated the security and privacy impact of using Hotjar. Reviewing the security and privacy impact of a new vendor is a standard part of our vendor review process.

    We are using Hotjar, but we are using it in a way that minimizes the impact to your privacy:

    • We only use Hotjar on our marketing website (https://evernote.com).
    • We don’t use it in our web client (https://www.evernote.com/Home.action), so words you type in a note are not being sent to Hotjar.
    • We make sure the data we send to Hotjar is anonymized and de-identified. We do this by configuring the Hotjar javascript to redact anything you type into a form field. For example, if you enter contact information on our business contact page (https://evernote.com/business/contact/), all Hotjar receives is a random string of asterisks for each field. 

    We aren't in the business of selling or renting your information. That's been one of our guiding principles since we published our three laws of data protection and our mindset on that topic has not changed.
     

    • Like 4
    • Thanks 1

  19. @Artgirlofnm: Personal developer tokens are access tokens we let customers create who want to develop an application that integrates with our service. These tokens are not created by Evernote or its employees and use a similar authorization mechanism to our own Evernote clients.  The tokens are being used by the unauthorized users because they provide direct access to our API and make it easier for them to search for sensitive information. Revoking all applications removes it, so you don't need to worry about it. You are correct about your IP address changing. It will change every time you connect to a new network.

    @xvisto: Unfortunately, we don't have your access history readily available, but we do know that the access happened sometime in August and September. We believe that the unauthorized person accessing Evernote accounts was specifically looking for cryptocurrency credentials.

×
×
  • Create New...