Everything posted by VanessaW

  1. Hi Gazumped and Rich,

     Thank you for your quick and detailed response. And yes, Gazumped, I got those same "you've been filmed" emails with threats to expose me to my contacts. I also started using a VPN when I first started getting the threats. And thanks to both of you for your recommendation of the https://haveibeenpwned.com site. That is very helpful indeed!

     Yes, I accept that account owners need to become more vigilant about their passwords and usernames – I've seen now first-hand the dangers of using the same password/username across multiple sites/apps. And what you say makes sense, namely that it only LOOKS like there are multiple people in different countries accessing the account.

     The point is that the Evernote system did warn me of suspicious activity - eventually. So clearly it is capable of doing so. My point is this: how many months does it take to define activity as 'suspicious'? Just two logins from different countries within the space of a couple of hours should be suspicion enough, simply because it's impossible. Many other platforms note suspicious activity straight away. For instance, Amazon will warn me of suspicious activity even on a second attempt at logging in from a different IP address (I have multiple devices and sometimes I may use my partner's computer). I am forced to undergo a security check as they deem that to be suspicious activity. Other services I use do the same.

     I understand that truly sensitive info should not be stored online (or in an app that syncs with a server online) and that there is an onus on users to ensure good security practices to keep their data safe; however, there is an even GREATER responsibility on software developers to set up the checks that detect suspicious activity a lot sooner than, for instance, Evernote has done. After all, the integrity and usefulness of your service depend on it.

     We're not talking about an innocuous online graphics app or photo library site or some other relatively harmful app or site that's been hacked. We're talking about an app that could contain private or confidential information. And while you may not be able to prevent the initial entry of a hacker, suspicious activity such as a change in IP address or change in country should really be picked up immediately, and a simple check presented, like "click the robots/street signs in the picture", or something to prevent the automation tool from gaining entry again. A change in IP address or country login should also be emailed to the account owner immediately, as a security check. If the entry is unauthorized, the user is alerted and can at least more quickly change their password.

     Thanks again for your quick response – I'm off now to check out the site above (with much trepidation ...)
  2. Hi,

     I received an email at the end of last week warning me of a security breach in my Evernote account. Rich Tener from Evernote posted a reply to other concerns of the same nature. He said that one person using an iPhone obtained the username/password from another site and was 'trying' out the details in an attempt to obtain cryptocurrency information. This is in fact not true.

     Firstly, I received my first notification from Evernote only last week; however, when logging into my Evernote account (prompted by the alert) and checking the activity report, hundreds of people have been gaining access to my account from various places around the globe for the past two months (this is as far back as my activity monitor appears to let me go – it has likely been going on for much longer than that). In just one day, my Evernote account was being accessed by a person in Indonesia, another in India, another in Jakarta, and so on. Multiple access from multiple countries in just one day! How is it that I only received a "suspicious activity" email now? How does this type of activity over a period of months not send red flags to the Evernote security team?

     I have also been receiving blackmail emails from multiple people – sometimes several a day – my "password" was mentioned in the subject line of the email. I started receiving blackmail emails last year using my Evernote password in the subject line, clearly to get my attention and force me to open the mail! On opening the email, the sender said that they had my password and had accessed my computer. As it happened, one of my computers did indeed use that password (yes, a bad security practice on my part, I know!). The blackmailer was trying to get me to cough up $6000 to keep quiet about some "online activity" that I'd supposedly been involved in – in fact, they said they had gained access to my computer and "recorded" me and unless I paid up, those recordings would be circulated to everyone in my contacts list.

     Fortunately, I was able to safely ignore the emails, but I'm sure there are many people who are not in such a position and who also don't understand technology well enough to know what is and is not possible, only to cough up insane amounts of money to protect their reputations. I was also lucky in that I had no information in Evernote because I never really got to use the app. But what about other users, Evernote clients who have highly sensitive information in their accounts?

     There were only two other websites I had used that particular password on and I immediately went onto those sites last year and changed the password. I had completely forgotten about Evernote because I never use it. But the emails kept coming. I continued to ignore them. Whether the breach originated in Evernote cannot be known for sure, but I can say that since I changed my Evernote password last week, I've not received another blackmail email.

     I understand that breaches happen to even the best of systems, but I am very concerned about the "security" of a system that allows hundreds of people to access an account over a period of months from multiple "vast" geographical destinations in the space of just a day, every day, and pick that up only now???? I have attached a screenshot of that activity ... this kind of activity completely undermines the integrity of the Evernote system. I feel an obligation to warn other Evernote users of this severe breach, particularly those who store sensitive information in their Evernote apps - it's not just a case of one person using an iPhone as Evernote has made out (my hundreds of hackers have used Android phones).
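
The rule asked for in the posts above (flag two logins from different countries within a couple of hours, and notify the owner on any change of IP address or country), written out as an added example; it is not part of VanessaW's posts and is not Evernote's detection logic. The event format, the two-hour window, the verdict names and the function name `evaluate_logins` are assumptions, and the login records are constructed (documentation-range IPs, made-up accounts).

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)  # assumption: the post's "a couple of hours"

# Constructed sample logins: (ISO time, account, source IP, country).
# Country is assumed to be resolved from the IP already (GeoIP lookup not shown).
SAMPLE_LOGINS = [
    ("2019-03-01T08:00:00", "alice", "192.0.2.10", "GB"),
    ("2019-03-01T08:40:00", "alice", "192.0.2.77", "GB"),
    ("2019-03-01T09:00:00", "bob", "203.0.113.50", "US"),
    ("2019-03-01T09:15:00", "alice", "198.51.100.5", "ID"),
    ("2019-03-01T10:05:00", "alice", "203.0.113.9", "IN"),
    ("2019-03-04T12:00:00", "alice", "192.0.2.10", "GB"),
    ("2019-03-04T12:30:00", "alice", "192.0.2.10", "GB"),
]


def evaluate_logins(events, window=WINDOW):
    """Return (time, account, verdict) for each login, in time order."""
    last_login = {}  # account -> (datetime, country) of the previous login
    known_ips = {}   # account -> set of IPs already seen for that account
    results = []
    for ts, account, ip, country in sorted(events):
        when = datetime.fromisoformat(ts)
        prev = last_login.get(account)
        seen = known_ips.setdefault(account, set())
        if prev is None:
            verdict = "baseline"  # first login on record, nothing to compare
        elif country != prev[1] and when - prev[0] <= window:
            # Different country inside the window: present a check and email.
            verdict = "challenge_and_notify"
        elif country != prev[1] or ip not in seen:
            # Slower country change, or an IP never seen for this account.
            verdict = "notify_owner"
        else:
            verdict = "ok"
        seen.add(ip)
        last_login[account] = (when, country)
        results.append((ts, account, verdict))
    return results


if __name__ == "__main__":
    for row in evaluate_logins(SAMPLE_LOGINS):
        print(*row)
```

The comparison runs on every login as it arrives, so the first cross-country pair is flagged at the second login rather than after months of accumulated activity.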