On my way out....

  1. Hi @PinkElephant... I have to say, despite what seems a fundamental difference of opinion around EN's responsibility in this space, I do appreciate how informed you are and that you take your time to share that info with folks having these issues! I'm curious, question for you or anyone else on here... 2FA would have helped me earlier identify the breach, but lack of it doesn't explain how someone obtained my email/password combo in the first place. In my specific case, I don't have malware, I don't use public computers, I don't click on links from emails or web without checking them out first (eg. mistrustful even of your pwned link without checking it first... interesting story/site), and my password that was hacked met all your recommendations. Sharing passwords between EN, Spotify, and the GAP, lol seems to be my greatest risk factor... but what is the scenario under which sharing passwords between the three leaked my info externally? Sure, a data breach at any of the three would compromise all three... in my case EN was logged into first, Spotify second, and no suspicious activity on the third...but then we're still talking about a data breach at one of these three sites, not *me* giving my info away to someone nefarious. What else am I missing?
  2. Here's where I agree, and thank you for stating my key point in a more concise and understandable fashion. And corporate responsibility is an interesting/debatable topic itself, I understand... but hey in some cases you do see the market encourage some basic level of this when users stop supporting companies that do not have their interests as core priority. I am only interested in Evernote or any other online tool/application in its value for assisting me in living a rich "in person" life. I'm not saying that you can't love the ins and outs of all of this security stuff and still do that... but there are only so many hours in the day, and I would rather invest those hours in things other than researching all the ways I can get hacked and monitoring the safety of my online accounts beyond the bare minimum. EN has lost my blind trust, and I'm not willing to invest the ongoing time to actively maintain "safety" in this single account when there are more inherently secure (with less direct effort/research required from me) or less targeted alternatives. This experience has demonstrated that EN is a bad fit for me. Maybe a fine fit for someone more naturally interested and informed in this space. Since EN is putting the responsibility on me for my own "safety"...could I find, try to confirm security of, install, and run a secondary authenticator, so I don't need to give them my phone? Sure. Same for password managers. Do I want to spend my time on that? Not really. (oh, and forcing 2FA aside, did EN do anything to at least educate me about the importance of investing time in those things for their service? Nope, just PinkElephant after the problem had already occurred.) At this point for me, it's easier to just stop using EN, since per PinkElephant, "Waiting for EN to "fix" anything is a bad strategy, when [their](sic) own data is at risk." (BTW I don't delude myself that this is some threat to EN I'm making, with hundreds of millions of users.)
  3. Also hacked. I don't use public computers and access almost exclusively from my phone. Thankfully no sensitive information in EN, but since I *did* reuse a password across what I felt was a low-risk block of accounts, about 1 month after the EN hack they did get into Spotify which triggered me that this was systemic and I changed all my login info that used that password. The issue I have with 2FA, is EN is asking for my phone number to enable it, which seems like just one more opportunity for these people to collect more information about me through EN. My EN password that was hacked was 10 characters long, mix of symbols, capitals, numbers fairly randomized... not words or anything else guessable. I struggle with the premise presented on most of these threads that *I'm* the problem here, and don't want to give EN any more of my information that may later have to be changed to protect security on my other accounts, or against identity theft. Maybe I'll keep my EN account to continue to store recipes and gift ideas for my sister in law (whomever in Bali is welcome to that info if they really want it), or maybe I'll drop it because I have trouble supporting a company that doesn't seem to be taking this systemic issue seriously. I appreciate the others that took time to comment here, and also created a profile to comment, though my story is not unique. And yes, it would be more secure with 2FA on, and I will/can keep a unique password for this account. But I'm reading of people that are getting pings w/codes that they're not requesting...meaning new passwords getting compromised. AND, of all of the online accounts I have, I've never had an issue on a single other platform besides the Spotify issue secondary to an EN hack...it seems to be EN that these hackers are targeting repeatedly and ground zero for issues. When there's reasonable alternatives to EN out there not plagued by these issues... why would I volunteer for this nonsense?!
I have too many other things to do. Also, the idea that there are only XX reports of an issue amongst a larger user base means it's not a systemic problem seems flawed to me. I see several cases above where EN didn't flag the user to many of the initial incidences by email. How many poor folks out there that DO put things in more important than a recipe for spicy chili have had this happen and simply don't know, or didn't escalate it publicly or to EN. Or in my case got the email (I currently have about 400 unread non-promotional emails so it was lucky I saw it in the first place), thought "that was weird," and went on with their busy lives, that is until some ...ahem...person... started fighting me every 4 seconds for the rights to play my own Spotify stream. If I'm at Evernote, I'd figure this out before it becomes a PR nightmare.
  4. Also hacked. I don't use public computers and access almost exclusively from my phone. Thankfully no sensitive information in EN, but since I *did* reuse a password across what I felt was a low-risk block of accounts, about 1 month after the EN hack they did get into Spotify which triggered me that this was systemic and I changed all my login info that used that password. The issue I have with 2FA, is EN is asking for my phone number to enable it, which seems like just one more opportunity for these people to collect more information about me through EN. My EN password that was hacked was 10 characters long, mix of symbols, capitals, numbers fairly randomized... not words or anything else guessable. I struggle with the premise presented on most of these threads that *I'm* the problem here, and don't want to give EN any more of my information that may later have to be changed to protect security on my other accounts, or against identity theft. Maybe I'll keep the account to continue to store recipes and gift ideas for my sister in law (whomever in Bali is welcome to that info if they really want it), or maybe I'll drop it because I have trouble supporting a company that doesn't seem to be taking this systemic issue seriously.