• Announcements

    • Shane D.

      Evernote Business Beta - Spaces   12/20/2017

      We're very excited to announce the public beta of an upcoming rework for Evernote Business! To learn more, go Here
    • Shane D.

      2018 Evernote Webinars   01/04/2018

      To kick off the new year, we're excited to announce our  updated schedule for our series of webinars! Please check the events calendar to see which one works best for you!
Rich Tener

Security Update: Email regarding account security

Recommended Posts

Hi everyone, I lead Evernote's security team. We have received reports regarding what appears to be suspicious activity affecting a small percentage of our users. Our team is working with individual users to better secure their accounts and our security team believes that someone has learned these users’ passwords from a website or service not associated with Evernote.
 
If you, or the people in your network receive an email from Evernote mentioning that we’ve detected suspicious activity, please know that this is not a hoax or spam message; it’s from us. To more quickly notify our customers in the future, we will roll out a new feature that will notify customers when we detect a new login from a new location or device.

Share this post


Link to post

I received the email security warning about my account and immediately changed my p/w.  

I  went to my Evernote history however do not see anything  irregular and only my own logins and IP addresses.    

Nothing visible that was suspicious.

I contacted Chat and asked to be told the date and time of the suspicious activity.  I was told that there has been suspicious activity but could not

get when it happened from the chat agent.  I was then told that since I did not see anything suspicious then it was probably a precautionary email!!!

This brief communication did not answer any of my questions and took a lot of time.  I escalated the conversation and will wait to hear from someone

that hopefully can be helpful as to what all this means.  My question is:

If someone has breached my account why does it not show in my activity log and if it is precautionary, why alarm me?

Additionally, since no one has my IPad, IPhone or computer, how could someone else have my information for Everynote ?

Share this post


Link to post

I try to check my Access History a couple times a month to see if any strange locations are turning up.

From my Evernote account web client site

* Account (lower left corner)
* Settings
Security 
* Access History

The following apps have accessed your account since Saturday, June 24 2017
 

Share this post


Link to post

I'm one of those people who got this email earlier today.  I've been trying to reach someone to get some basic answers;

#1.  The email does NOT say my account was accessed.  It says "We believe someone has learned your password from a website or service not associated with Evernote. "  So I need to know whether & what was exactly accessed in my evernote account.  I checked the access history and everything there is legit from my devices.  No web access except when I logged in for pretty much first time today after resetting the password.

 

#2.  Where was this breach occurred?  how do you guys know?  Is this related to hack few years back?

 

Thanks!

Share this post


Link to post

@Artgirlofnm @xvisto: While it might not appear in your access history, your access history is correct. We only display 30 days of access history and in some cases, the unauthorized access happened before that. Once we learned about the the malicious activity pattern, we notified users. If you were notified, it was because we found evidence of this pattern on your account. Please change your password as soon as possible and be sure to revoke all connected applications. The person that accessed your account also created a personal developer token that may still be present under Settings -> Applications. Please make sure that is no longer present and revoke it if it is.

@xvisto: We don’t know how someone learned your password. This is not related to the password reset in 2013.

Share this post


Link to post

Hi Rich, I revoked my devices but now I cannot log in and EN is saying there is no account found and a new account has to be created.  Please let me know how to deal with this as soon as possible.

Also, what is a personal developer token and where is it under Settings.  I don't know what you are referring to...can you explain further please?

Thank you.

Share this post


Link to post

Hey Rich - Thanks for replying.  I've already reset the password and some other additional actions.  There was nothing in Applications other than the 2 devices I own.

I REALLY LIKE to know more specific details on what & when in terms of someone getting access to my account.  I, like many out there, has lots of stuff on evernote and lots and lots of personal info.  I need to know as much as possible of what happened here and what was accessed so I can take appropriate measure (some may takes DAYS to do).

Share this post


Link to post

Hi Rich,

 

I'm writing you again this evening.  I have been able to get into my old account.  So I have my information available to me.

 

I do not know what a personal developer token is or how to find it.  I did look under settings and went to applications.  i don't see what you are referring to.  Can you tell me what it is?

I recently was in NM and went into Evernote, could that be the difference in location of IP?

 

Share this post


Link to post

@Artgirlofnm: Personal developer tokens are access tokens we let customers create who want to develop an application that integrates with our service. These tokens are not created by Evernote or its employees and use a similar authorization mechanism to our own Evernote clients.  The tokens are being used by the unauthorized users because they provide direct access to our API and make it easier for them to search for sensitive information. Revoking all applications removes it, so you don't need to worry about it. You are correct about your IP address changing. It will change every time you connect to a new network.

@xvisto: Unfortunately, we don't have your access history readily available, but we do know that the access happened sometime in August and September. We believe that the unauthorized person accessing Evernote accounts was specifically looking for cryptocurrency credentials.

Share this post


Link to post

Rich - Thanks again for your reply but, as you can imagine, I don't want to peel the onion one layer at a time.

Again, I really need to know the following:

#1.  When was my account accessed?  How was that done? (I'm not talking about how they hacked it or got my pw, just from what device, what IP & so on)

#2. What did they do for each access?

#3.  Again, my access history does not show any applications or unusually "access" as of yesterday.  If it only shows last 30 days then hack into my account happened before that, is that correct or were they able to clean up after themselves, including messing with the access history?

#4.  Exactly how were they looking for stuff and how long?  If, after getting access to my account, maybe setting up some API based app, did a search against all my notes looking for specific keywords, I like to know what those keywords were and how long was the scan.

Basically, I really need to know what was done against my account since the original email I got from evernote was lacking any specific details. I'm trying to figure out for myself to what degree I need to take actions here.  Like I said, I already reset the pw.

 

I just need to know the facts that you guys only have access to.  I'm not asking for an opinion or anything like that.

It would be best for you or someone over there to send the answers to this to my email on the account.  I would prefer to talk to someone though to get to bottom of this as quickly as possible.

Thanks.

Share this post


Link to post

@xvisto thanks for submitting a support ticket. I've assigned it to one of our agents reviewing tickets on this incident and we'll get back to you with additional detail. Please note we're working through a high volume of tickets so may be a little delayed from our usual response times.

Share this post


Link to post

Thank you very much gbarry.  I now have less confidence in EN since I have not been able to speak with anyone directly to understand the situation.  I do not understand how someone could have accessed my site except thru EN which is another reason I would like to speak to a technical person for a reasonable explanation.  I have some questions also about securing my data such as is there a two step validation for encryption offered to users.  Thanks for helping me.  Cynthia

  • Like 1

Share this post


Link to post

@gbarry I got response from support last night that addressed my questions and concerns.  Really appreciate your and Rich's help with this.  I'm sure you guys are already doing this but really appreciate it if you can implement some basic security notifications (e.g. logged in from unknown device or IP, enable/disabling of applications/plug-ins, maybe authenticate any applications / API related enablements & so on).

@Artgirlofnm I'll send you message with some of support response details.

Share this post


Link to post

hi gbarry,  can you tell me if the hackers searched within my site while on EN?  If so, was that before EN had a chance to reset the password?

Also, if they did, can you tell me what they searched for so I can look at the information they may have seen?

Do you know how quickly EN reset my p/w ?

Can you tell me where the IP was located?  I was in NM during part of that time.

Do we know what they were looking for and your other clients that were hacked were hacked by the same person?

 

Share this post


Link to post

Hi everyone,

 

As the others posting here, I also received the email and was very alarmed by it.

As xvisto mentioned, I would like to find the same information. xvisto could you please share on private what you got from supports and you can share? 

In my case the history looked fine, but as Rich mentioned, this may not go very far back. Also, I am not sure it would cover API calls using my account... Would it?

I did have a toke issued on my account, which I now removed and was issued in 2018 if I remember correctly, not by me obviouslly.

 

I would like to know from Evernote, more information behind this statement from the email "We believe someone has learned your password from a website or service not associated with Evernote". Are you saying here you suppose someone learned my password by some means on the web (which would be very generic), or do you have some actual websites or services that you think were breached and where my password could have been stolen? In any case I would like to get more information. Could you please let me know how I can get this? 

 

Thank you!

 

 

 

 

 

 

Share this post


Link to post

@Artgirlofnm: checked up on your open case today and it looks like Jason is taking care of you. Glad we were able to get you that additional info!

@voicnick: please submit a ticket here: https://www.evernote.com/SupportLogin.action and feel free to private message me or provide the ticket number you receive in this thread. We'll have an agent reach out to you with additional details.

Share this post


Link to post

I am unable to access my account of many years. When I do reset the password to my account email it never arrives. Could an evernote employee please help? None of the channels for fixing the problem have worked. Thanks

Share this post


Link to post

Hi.  Please be aware that this is a (mainly) user-supported forum where you'll get the benefit(!) of my,  and other experienced users' suggestions.   Evernote staff do read these posts,  but they're (usually) not support - just developers looking for new ideas and generic issues with various applications . 

The Support team is available on https://www.evernote.com/SupportLogin.action if you're a paying customer,  Twitter - https://twitter.com/evernotehelps if not   

Share this post


Link to post
On 9/23/2017 at 2:05 PM, Rich Tener said:

@Artgirlofnm: Personal developer tokens are access tokens we let customers create who want to develop an application that integrates with our service. These tokens are not created by Evernote or its employees and use a similar authorization mechanism to our own Evernote clients.  The tokens are being used by the unauthorized users because they provide direct access to our API and make it easier for them to search for sensitive information. Revoking all applications removes it, so you don't need to worry about it. You are correct about your IP address changing. It will change every time you connect to a new network.

@xvisto: Unfortunately, we don't have your access history readily available, but we do know that the access happened sometime in August and September. We believe that the unauthorized person accessing Evernote accounts was specifically looking for cryptocurrency credentials.

that's really bad news for me.

I stored all my cryptocurrency credentials on Evernote and now i find that all my coins (worth 10k+ dollars) are stolen around September, 7th
I know it is my fault to fully trust Evernote to even store secret keys online
Now it is a really big lost for me.

What should I do/Any suggestions? my coins are mainly Ripple & Stellar

Share this post


Link to post
5 hours ago, marstone said:

I know it is my fault to fully trust Evernote to even store secret keys online

I find it a good practice to encrypt my sensitive data.

Regardless, do you have any evidence your data has been compromised.  Evernote data is secured by an account  password

Share this post


Link to post
1 hour ago, DTLow said:

I find it a good practice to encrypt my sensitive data.

Regardless, do you have any evidence your data has been compromised.  Evernote data is secured by an account  password

There is no direct evidence to prove my password is compromise by Evernote.

my surmises are based on:
1) Evernote is the only place i stored my cryptocurrency credentials
2) Multiple coin accounts(>= 5) of different type cryptocurrencies(3) are stolen in the same day, they are stored in a single note in Evernote. So I'm sure my Evernote data is compromised, but not sure it is from my password(a), or my devices(b), or direct server side database(c) hacking?
a. For password: I don't find suspicious "Access History" from Evernote settings. but because it is only show the last 3 months logins, from Sep 7th (just the same day my coins were stolen), so maybe the hacker logged in before that day. My password is not weak but also used in some others sites, so there is a small risk that it is leaked from other sites without a password salt
b. For devices: The notes are synchronized between my mac & pixel phone with carefully use, they look fine.
c. For Evernote server side security, I'm not sure. could hackers obtain my plain text data without my password? I see Tener said only a small percentage users affected, are some earlier notes not encrypted?

Share this post


Link to post

There's been a growing trend in coin thefts this year,  given the rapid and continuing escalation in value.  Ripple has a few headlines of its own.  Can't imagine all these victims stored their details in Evernote...  

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now