About someguy12345

someguy12345's Achievements
  1. See my earlier post above. Credential stuffing to exploit simple passwords on a platform the size of Evernote should not be remotely possible with standard protocols in place, some examples being: Authentication triggers that dynamically increase security measures based on conditionals, such as 1) the number of failed attempts to authenticate for a given account over a given duration of time, and/or 2) authentication attempts coming from unrecognized browsers, operating systems, MAC addresses, IP addresses (exponentially bigger red flag if it's a known VPN address), new geographic locations, etc. Either of those conditions being satisfied (or both in some combination) should at minimum trigger a CAPTCHA image test, a default 2FA by means of requiring an email verification link, and/or a password change. With some combination of those measures, credential stuffing passwords should be extremely impractical at best these days, with very little incentive for a hacker to overcome those hurdles. BUT, that all said, again I'll direct you to my post above. I hadn't logged into Evernote from any device in years when I discovered this the other day. I had no personal data of any value whatsoever on the account (I mention this for what it may be worth in communicating that I don't have a passionate or biased take on this particular situation - I just get irritated seeing companies this size disregard security). But what's certainly most worthy of noticing in my previous post is that ~70%-80% (I since deleted my account entirely, but rough estimate) of the authentications were identified as being from my own device that I originally set up an Evernote account on many, many years ago. That laptop is in my closet, where it's lived - broken and thoroughly off - for close to a year now. So that's a pretty strong indicator that this wasn't even a case of brute force / credential stuffing.
Whoever was accessing the account apparently spoofed whatever pixel/tracking cookie Evernote uses.
  2. Hey Evernote - when are you going to disclose to the public? You're stacking up some serious liability by delaying - especially in the EU. Is your CTO being forthcoming to the Board? This isn't rocket science. Salt your passwords if they're unsalted, use a properly configured CDN if you don't already, triple check API access logs, end-to-end encryption if not already implemented.. and if you're stumped, there's no shame, just hire a third-party forensic. Your loyal users deserve better than not even being made aware. And your extremely late-to-the-game emails advising users to double check account access history does NOT count as disclosure.
  3. Just made an account to say the same thing happened to me. This cannot be a matter of a couple of isolated incidents - this is (hopefully "was") a security vulnerability of Evernote. Fortunately, I did not have anything sensitive stored on Evernote - I had like 3 links saved because I tried Evernote years ago but settled on other solutions for my needs. I personally haven't legitimately logged into Evernote for years, but received an email this evening alerting me to check if a login from Jakarta, Indonesia was legitimate. I live in the US, and my VPN only connects through specified US servers. So I logged into Evernote and looked at the access history on the account and I've got the same exact situation as the users above - for as far back as the history shows (early September) it's an endless stream of logins from seemingly every country on the planet. (Obviously spoofed locations) At first I was thinking "Was this a scripted brute force? Could it be possible that a platform like Evernote would somehow not be routing their API through Cloudflare or similar CDN?" But then I noticed.. what's really disturbing is that the logins show as being from my own (decommissioned about a year ago) MacBook Pro. Evernote thinks it's my device that's been logging in all this time. This indicates to me that there's been a serious breach on the backend of Evernote, because it's hard enough to build a Hackintosh, let alone clone an existing machine. If someone had managed to do that to me, it would be a nation-state calibre threat and Evernote would be the least of my concerns. So - and I am ultimately speculating here - I'm thinking whoever is behind this must have gained access to the Evernote auth DB, and somehow cloned or otherwise figured out how to spoof the cookies/pixels that indicate whether the device is known, and if so, which device it is. This is very concerning, especially as googling around isn't turning up any notable posts or articles.
Perhaps this situation is still slowly emerging. So I came on here in hope this helps others recognize and take seriously what's happened, including Evernote.
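The first post lists the adaptive controls a login flow should apply (failed-attempt velocity, unrecognized device, new location, known VPN range, escalating to CAPTCHA, email verification or a forced password change), and the third post worries that a copied "known device" cookie was enough to pass as the owner's laptop. The following is an added example, written for this page and not Evernote's code, of how such a risk-based step-up can be implemented. It is not a statement about what Evernote actually does. The thresholds, account names, addresses (RFC 5737 documentation ranges) and the "VPN" range are all constructed for the example; the known-device cookie is bound to the account with a server-side HMAC so that copying or guessing a device identifier alone does not make a device "known".

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass

# Thresholds and the VPN list are assumptions for this example; the address
# ranges are RFC 5737 documentation blocks, not real VPN exits.
FAIL_WINDOW_SECONDS = 15 * 60
FAIL_THRESHOLD = 5
KNOWN_VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class LoginAttempt:
    account: str
    ip: str
    country: str
    device_token: str  # contents of the "remember this device" cookie, possibly forged
    password_ok: bool  # result of the credential check, done before risk scoring
    ts: int            # unix seconds


class RiskEngine:
    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._known_countries = defaultdict(set)  # account -> countries seen on clean logins
        self._failures = defaultdict(deque)       # account -> timestamps of failed attempts

    def issue_device_token(self, account: str, device_id: str) -> str:
        """Bind the device id to the account with a server-side HMAC. A cookie that
        merely copies a device id (or guesses one) fails verification without the key."""
        mac = hmac.new(self._secret, f"{account}|{device_id}".encode(), hashlib.sha256)
        return f"{device_id}.{mac.hexdigest()}"

    def device_is_known(self, account: str, token: str) -> bool:
        device_id, _, mac = token.partition(".")
        if not mac:
            return False
        expected = self.issue_device_token(account, device_id).split(".", 1)[1]
        return hmac.compare_digest(mac, expected)  # constant-time comparison

    def _recent_failures(self, account: str, now: int) -> int:
        q = self._failures[account]
        while q and now - q[0] > FAIL_WINDOW_SECONDS:
            q.popleft()  # drop failures that fell out of the sliding window
        return len(q)

    def record_verified(self, account: str, country: str) -> None:
        """Call once the user completes a step-up; the country then counts as seen."""
        self._known_countries[account].add(country)

    def evaluate(self, attempt: LoginAttempt) -> list:
        """Return the extra hurdles for this attempt (empty list = let it through)."""
        if not attempt.password_ok:
            self._failures[attempt.account].append(attempt.ts)
            # A wrong password never yields a session; add CAPTCHA once velocity is high.
            if self._recent_failures(attempt.account, attempt.ts) >= FAIL_THRESHOLD:
                return ["captcha"]
            return []

        signals = set()
        if self._recent_failures(attempt.account, attempt.ts) >= FAIL_THRESHOLD:
            signals.add("failed_attempt_velocity")
        if not self.device_is_known(attempt.account, attempt.device_token):
            signals.add("unrecognized_device")
        known = self._known_countries[attempt.account]
        if known and attempt.country not in known:
            signals.add("new_geo")
        if any(ipaddress.ip_address(attempt.ip) in net for net in KNOWN_VPN_RANGES):
            signals.add("known_vpn")

        actions = []
        if "failed_attempt_velocity" in signals:
            actions.append("captcha")
        if signals & {"unrecognized_device", "new_geo"}:
            actions.append("email_verification")
        if {"unrecognized_device", "known_vpn"} <= signals:
            actions.append("force_password_change")
        if not actions:
            self.record_verified(attempt.account, attempt.country)
        return actions


def demo() -> dict:
    """Constructed scenario: the owner's enrolled laptop, then an attacker with a forged cookie."""
    engine = RiskEngine(b"server-side secret, never sent to clients")
    owner_token = engine.issue_device_token("alice", "macbook-pro-2015")
    out = {}
    # 1. Owner logs in from the enrolled device; nothing unusual.
    out["owner"] = engine.evaluate(LoginAttempt("alice", "192.0.2.10", "US", owner_token, True, 1000))
    # 2. Attacker copies the device id but cannot produce the HMAC; new country too.
    forged = "macbook-pro-2015.0000"
    out["forged_cookie"] = engine.evaluate(LoginAttempt("alice", "198.51.100.7", "ID", forged, True, 1100))
    # 3. Credential stuffing: five wrong passwords inside the window, then a correct one.
    out["stuffing"] = [engine.evaluate(LoginAttempt("alice", "198.51.100.7", "ID", forged, False, 1200 + i))
                       for i in range(FAIL_THRESHOLD)]
    out["after_stuffing"] = engine.evaluate(LoginAttempt("alice", "192.0.2.10", "US", owner_token, True, 1300))
    # 4. Same forged cookie, now arriving through a known VPN range.
    out["vpn"] = engine.evaluate(LoginAttempt("alice", "203.0.113.9", "ID", forged, True, 1400))
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the HMAC-bound token is the third post's scenario: a device identifier copied out of a database or a cookie store is useless on its own, because the server recomputes the MAC with a key the attacker never saw. The velocity window applies per account, so a distributed stuffing run that spreads attempts across many source addresses still trips it; the CDN or WAF rate limit the third post mentions would sit in front of this as an additional, per-source layer.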