See my earlier post above. Credential stuffing to exploit simple passwords on a platform the size of Evernote should not be remotely possible with standard protocols in place, some examples being: Authentication triggers that dynamically increase security measures based on conditionals, such as 1) the number of failed attempts to authenticate for a given account over a given duration of time, and/or 2) authentication attempts coming from unrecognized browsers, operating systems, MAC addresses, IP addresses (exponentially bigger red flag if its a known VPN address), new geographic locations, etc. Either of those conditions being satisfied (or both in some combination) should at minimum trigger a CAPTCHA image test, a default 2FA by means of requiring an email verification link, and/or a password change. With some combination of those measures, credential stuffing passwords should be extremely impractical at best these days, with very little incentive for a hacker to overcome those hurdles.
BUT, that all said, again I'll direct you to my post above. I hadn't logged into Evernote from any device in years when I discovered this the other day. I had no personal data of any value whatsoever on the account (I mention this for what it may be worth in communicating that I don't have a passionate or biased take on this particular situation - I just get irritated seeing companies this size disregard security). But what's certainly most worthy of noticing in my previous post is that ~70%-80% (I since deleted my account entirely, but rough estimate) of the authentications were identified as being from my own device that I originally setup an Evernote account on many many years ago. That laptop is in my closet, where it's lived - broken and thoroughly off - for close to a year now. So that's a pretty strong indicator that this wasn't even a case of brute force / credential stuffing. Whoever was accessing the account apparently spoofed whatever pixel/tracking cookie Evernote uses.