Also hacked. I don't use public computers and access almost exclusively from my phone. Thankfully no sensitive information in EN, but since I *did* reuse a password across what I felt was a low-risk block of accounts, about 1 month after the EN hack they did get into Spotify which triggered me that this was systemic and I changed all my login info that used that password. The issue I have with 2FA is EN is asking for my phone number to enable it, which seems like just one more opportunity for these people to collect more information about me through EN. My EN password that was hacked was 10 characters long, mix of symbols, capitals, numbers fairly randomized... not words or anything else guessable. I struggle with the premise presented on most of these threads that *I'm* the problem here, and don't want to give EN any more of my information that may later have to be changed to protect security on my other accounts, or against identity theft. Maybe I'll keep my EN account to continue to store recipes and gift ideas for my sister-in-law (whoever in Bali is welcome to that info if they really want it), or maybe I'll drop it because I have trouble supporting a company that doesn't seem to be taking this systemic issue seriously.
I appreciate the others that took time to comment here, and also created a profile to comment, though my story is not unique.
And yes, it would be more secure with 2FA on, and I will/can keep a unique password for this account. But I'm reading of people that are getting pings w/codes that they're not requesting...meaning new passwords getting compromised. AND, of all of the online accounts I have, I've never had an issue on a single other platform besides the Spotify issue secondary to an EN hack...it seems to be EN that these hackers are targeting repeatedly and ground zero for issues. When there are reasonable alternatives to EN out there not plagued by these issues... why would I volunteer for this nonsense?! I have too many other things to do.
Also, the idea that there are only XX reports of an issue amongst a larger user base means it's not a systemic problem seems flawed to me. I see several cases above where EN didn't flag the user to many of the initial incidences by email. How many poor folks out there that DO put things in more important than a recipe for spicy chili have had this happen and simply don't know, or didn't escalate it publicly or to EN? Or in my case got the email (I currently have about 400 unread non-promotional emails so it was lucky I saw it in the first place), thought "that was weird," and went on with their busy lives, that is until some ...ahem...person... started fighting me every 4 seconds for the rights to play my own Spotify stream.
If I'm at Evernote, I'd figure this out before it becomes a PR nightmare.