I'm not shocked about the PW reset--this seems that's par for the course these days, but Evernote botched this change by missing some easy but important details: If there is a global password change required, put that in big bold letters at the top of every page on the ***MAIN SITE***. Not everyone follows you on Twitter! If you are trying to keep things from looking bad on your main sales site, that's silly. Not, only was there no message on the main site, but the forced change password page had no explanation. If I login to a site as normal and I just get a change password prompt, uninitiated, I start to think something is broken. At that point, the last thing I want to do is change my password. Lastly, all the 3rd-party stuff should return a "password change required" message, not "invalid password". Companies getting hacked seems to be the new reality. I suggest your engineering team build-in a proper *global password change* feature so you aren't scrambling to hack something in when/if this happens again. ...something that does a better job of letting users know *what is happening*.