Posts posted by Joost7

  1. On 12/24/2020 at 10:56 AM, Medbee3 said:

    The same thing happened to me. Starting end of November, about 15 new devices not recognizable to me (iPhone and Android) accessed my account from all around the world. I only got my first email tonight and found this out.
     

    I have everything on there...from receipts to income tax info and all my kids' identity documents are scanned into there.

     

    I can’t believe I have trusted this company for 10 years.
     

    Obviously turned on 2 step authentication (after literally 10 attempts at this) and changed my password and removed all the authorized devices. 
     

    How can I save this data, cancel my account and transfer to another company? Is there a similar competitor? 
     

    Thanks for any advice on what to do now to protect myself and my family.

    I've been quite happy with Notes from Apple. If you're a Windows user, supposedly OneNote is a good alternative, too. 

    7 hours ago, someguy12345 said:

     

    See my earlier post above.  Credential stuffing to exploit simple passwords on a platform the size of Evernote should not be remotely possible with standard protocols in place, some examples being:  Authentication triggers that dynamically increase security measures based on conditionals, such as 1) the number of failed attempts to authenticate for a given account over a given duration of time, and/or 2) authentication attempts coming from unrecognized browsers, operating systems, MAC addresses, IP addresses (exponentially bigger red flag if it's a known VPN address), new geographic locations, etc.  Either of those conditions being satisfied (or both in some combination) should at minimum trigger a CAPTCHA image test, a default 2FA by means of requiring an email verification link, and/or a password change.  With some combination of those measures, credential stuffing passwords should be extremely impractical at best these days, with very little incentive for a hacker to overcome those hurdles.

    BUT, that all said, again I'll direct you to my post above.  I hadn't logged into Evernote from any device in years when I discovered this the other day.  I had no personal data of any value whatsoever on the account (I mention this for what it may be worth in communicating that I don't have a passionate or biased take on this particular situation - I just get irritated seeing companies this size disregard security).  But what's certainly most worthy of noticing in my previous post is that ~70%-80% (I since deleted my account entirely, but rough estimate) of the authentications were identified as being from my own device that I originally set up an Evernote account on many many years ago.  That laptop is in my closet, where it's lived - broken and thoroughly off - for close to a year now.  So that's a pretty strong indicator that this wasn't even a case of brute force / credential stuffing.  Whoever was accessing the account apparently spoofed whatever pixel/tracking cookie Evernote uses.

    This is dead on. 

    E.g., even if I don't use my Twitter account for a couple of months, I've got to log in through an email verification. This is an attempted login from the same IP address and device, mind you.

    So @PinkElephant, with all due respect, I think you're completely missing the point here. YES, people should use 2FA and unique & secure passwords. In fact, I had beefed up pretty much all of my accounts' security. But due to a blind spot, I missed out on Evernote (ironically my most important account). Stupid? Sure. But if companies have simple tools at their disposal to protect users against their own negligence, then shouldn't you think they oughta apply those? Evernote did notice someone made a suspicious login attempt and made me aware of that. They could've easily taken it up a notch by sending an email verification. Like any reputable tech company does.

    • Like 3
  2. I've cancelled my Evernote Premium subscription and am moving my notes over to a competitor who shall not be named...

    I like supporting independent software companies, but Evernote can't be among them anymore for me.

    I hope you as a company will be able to get your ***** together. It's good you guys got rid of your weekly sushi lunches, line of polyurethane socks and other extravaganzas. Hope it isn't too little too late. Good luck getting out of your death spiral.

    • Like 5
  3. 18 minutes ago, PinkElephant said:

    @Joost7 Well the train wreck is called EN version 10, and the inundated support is collateral damage.

    This is sort of exceptional, although self-inflicted by releasing a very immature piece of software to the whole user base.

    Anything urgent you want to get support on?

    Hi PinkElephant, you make fair points. And I, on my end, am to a large degree blowing off steam, to be fair.

    But my thinking is.... new location PLUS new device (Android). That oughta set off some alarm bells, right? If it's just one of the 2, it's a different story of course. 

    The support I'm expecting is basically just the ability to get in touch with someone from Evernote. Within a reasonable timeframe. Just know there's someone there for you in this company whose product I've (mostly) been happily using for years and years.

    The fact that my data is out there, somewhere, fills me with dread, disgust and anxiety. No ability to get in touch with Evernote just throws salt in the wounds. 

    (Btw, the 2FA is broken... the code sent to my phone is "invalid", so now I can't even access Evernote - except for my browser. The current version of Evernote is indeed a hot piece of garbage, something I kind of overlooked due to nostalgia. But this Reddit topic seems to hit the nail on the head.)

  4. "We are currently experiencing longer than normal wait times. It may take 10 or more days to receive an email reply. For faster help, check out the articles in Help & Learning or get assistance from other Evernote users in our discussion forums."

    Really Evernote? 

    Are there any employees on this forum at all?

    And... anybody that can recommend an Evernote alternative that does have a semblance of professionalism? 

    I'm honestly shocked that, as a loyal and paying customer who right now has a decade of highly personal data probably floating around on the dark web... that this is it. This is the level of customer service from a company worth 100s of millions?

    The unflattering reports on the company were unfortunately true. What a train wreck.  

    • Like 1
  5. Alright, so I just read an Evernote email about a login from Ukraine. It's from 2 hrs back.

    I pretty much dumped my life in Evernote so am less than thrilled. Clearly I changed my password, put on 2FA etc.

    (Although, the authentication SMS code does not work... so I can't log in to my desktop / phone app now. This on top of this hack AND the fact that there's no Evernote hotline or easy way to reach them REALLY makes me consider dumping the service after almost a decade.)

     

    OK, now I'm after the following:

    Can I see what this hacker has done in my account? Have they downloaded all notes, browsed thru them etc? Is there any way to check this?

    As we speak I'm changing all my passwords for literally everything - but this would be good to know. 


    And this is for a mod / Evernote employee:

    Why the hell would you make it possible for people from a completely different country to log in via a new device, instead of blocking them and requiring a confirmation thru email? This is insane. Why would you allow this?

    • Like 6
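
Added example, not part of any post above and not Evernote's code: a sketch of the risk-based login check the thread describes, where failed attempts, a new device, a new location or long inactivity escalate a correct-password login to a CAPTCHA or an emailed verification link. The thresholds, field names and the `decide` function are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Thresholds are assumptions for this sketch, not values from any vendor.
FAIL_WINDOW = timedelta(minutes=15)
FAIL_LIMIT = 5
DORMANT_AFTER = timedelta(days=60)

@dataclass
class Account:
    known_devices: set = field(default_factory=set)
    known_countries: set = field(default_factory=set)
    last_login: Optional[datetime] = None
    failures: list = field(default_factory=list)  # times of failed logins

def decide(acct, device_id, country, now):
    """Step-up decision for a login whose password was correct."""
    recent = [t for t in acct.failures if now - t <= FAIL_WINDOW]
    new_device = device_id not in acct.known_devices
    new_country = country not in acct.known_countries
    dormant = acct.last_login is not None and now - acct.last_login > DORMANT_AFTER
    # New device AND new location, a long-idle account, or a burst of
    # failures: hold the session until an emailed link is confirmed.
    if (new_device and new_country) or dormant or len(recent) >= FAIL_LIMIT:
        return "email_verify"
    # A single weak signal: add friction, but do not lock the user out.
    if new_device or new_country or recent:
        return "captcha"
    return "allow"

def complete_login(acct, device_id, country, now):
    """Call only after any required challenge succeeded."""
    acct.known_devices.add(device_id)
    acct.known_countries.add(country)
    acct.last_login = now
    acct.failures.clear()

def demo():
    # Constructed sample data: two accounts, four login attempts.
    now = datetime(2020, 12, 24, 12, 0)
    acct = Account({"laptop-1"}, {"NL"}, now - timedelta(days=3))
    idle = Account({"laptop-1"}, {"NL"}, now - timedelta(days=90))
    return [decide(acct, "laptop-1", "NL", now),
            decide(acct, "android-9", "NL", now),
            decide(acct, "android-9", "UA", now),
            decide(idle, "laptop-1", "NL", now)]
```

The device identifier is supplied by the client, so a match should only reduce friction; the dormant-account rule is what still forces verification when a long-unused device appears to log in again.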