Swirley

Account been hacked? Help!

Hi all,

I just discovered on going to use Evernote on my phone that it was asking me to deactivate a device in order to use it. This led to the discovery that 18 hours ago my account was accessed by an iPhone with an IP address in Egypt. I'm in the UK and using Android on a Sony phone.

I've used Evernote for years with no problems and am now freaking out that I need to change my password for everything, and also that my whole life is on there and some of it's pretty personal or a security risk. Never worried about it before and now I don't know where to start. So this is both a post just to vent and say ARGH! Why don't they send an email to say someone else has logged into your device? Or have more security when it's from another country?

And secondly, has anyone else had this happen? Do you think it is an individual and that they might have downloaded and be going through all my notes as we speak? Or is it some kind of bot that doesn't actually care to read this stuff? I don't know where to start - feel I need to look through all 647 notes to see where my security may have been compromised. GAH! I've emailed the support people but is there anything they can do? Damn the internet. Bring back notebooks. 

  • Thanks 2

Share this post


Link to post
14 minutes ago, Swirley said:

And secondly, has anyone else had this happen? 

The weakest link is usually the password.  Users use the same password all over the place.
Hackers collect the passwords at some weakly protected website.

I have a password manager app (Bitwarden) and unique passwords for each service.
Two factor authorization is also a good idea.

I use encryption to protect sensitive data uploaded to the cloud.

Share this post


Link to post

Ironically I never trusted a password manager! It's so hard these days with so many apps and sites to keep track of to use a different password each time. I use a variety of passwords but this one has been used before so it's all getting changed now...how do you know to trust a password manager?! 

 

Share this post


Link to post
6 minutes ago, Swirley said:

how do you know to trust a password manager?

In theory; I don't have to trust the password manager service.  They don't know any of my passwords; all they know is encrypted data.

Share this post


Link to post

Hmmn.  You're obviously doing the right thing in changing your password,  but how and why this mysterious Egyptian IP address had access to your account I have no idea. 

On a couple of previous occasions in the past several years,  Evernote (like many other firms) has successfully detected and hopefully resisted an attack,  but in both cases has contacted all users involved and advised them as a precaution to change their password.  You didn't get an email - it would appear - because nobody knew about this. 

Evernote security lead @Rich Tener should certainly be told about it.  (Hover your cursor over the green icon to message him direct).

I've used password apps - LastPass and BitDefender for about 10 years,  and never had any concerns about my - or their - security.  The passwords they generate are as long and as complicated as you like.  A 30-character random string like this syovw6te62ksVtaJap3SRJKN5NC6n2 is probably a little unwieldy,  but it's automatically generated and entered by the application whenever I need it. 

If you need memorable passwords and have a favourite poem,  one line - "I wandered lonely as a cloud" (for example) is probably as secure as the random one (same length!).

You can add some security to your account if you wish - go to the devices page and 'revoke access' on any device you don't use.  You can also add 2-factor authentication to your account,  and convert the content of any key individual notes into password-protected PDF files.

When you do get to the bottom of the Egyptian access,  please let us know what happened! - and if you have any questions in the meantime,  we're here pretty much 24/7...

  • Like 1
  • Thanks 1

Share this post


Link to post

Thank you both, this is very helpful. I will post back if I get any more answers on this. And maybe time to employ the password manager! Thank you :)

  • Like 1

Share this post


Link to post

Thank you so much for bringing it up! I have the same problem, I just discovered my account was accessed by an iPhone with an IP address in "Taegu-jikhalsi, Korea, Republic of" and "Zulia, Venezuela", and I use only Android and live in Ukraine. I have personal and very important information there too, so I was shocked. I really hope that it's just some kind of bot or at least someone who doesn't understand Russian? But based on what I've seen on the forum (that there were at least three similar "iPhone hacks" recently and these accounts are from different countries, and even the text in them is in different languages (English and Russian)) I can say it really gives me hope that it's just a bot, not a person who is reading our notes right now. But, of course, I'm just guessing.

It's really frustrating that there was no email and I could never know about this situation if I were a paid customer with no device limit.

And thanks to everyone for answers, it's really helpful!

  • Like 2

Share this post


Link to post

Hey All,

I'm going to reach out to @Rich Tener to have him further investigate into possible issues, and wanted to assure you that someone is here listening!

We'll follow-up as soon as we can once we have more information.

Feel free to reach out to me directly if you have any other questions!

  • Thanks 1

Share this post


Link to post

Same type of hack as OP. Was notified by Evernote of login from foreign remote IP (below).

Get organized. Work smarter. Remember everything. | Evernote
We noticed a new login to Evernote and wanted to make sure it was you.

Where: South Korea
When: 2018-08-28 04:22 UTC

I did have a weak password, and did not have much in the way of docs at risk.  Easy fix to hack, but they are out there.....careful on your passwords.  Maybe multi-step authentication?

Share this post


Link to post
2 hours ago, dydx said:

did not have much in the way of docs at risk

That's the other point to protect your data.  I have sensitive information but I make sure it's encrypted.
Evernote has a text encryption feature and I use the native encryption in attachments; pdfs, office/iwork documents, ...

  • Like 1

Share this post


Link to post
On 9/6/2018 at 4:00 PM, Swirley said:

Hi all,

I just discovered on going to use Evernote on my phone that it was asking me to deactivate a device in order to use it. This led to the discovery that 18 hours ago my account was accessed by an iPhone with an IP address in Egypt. I'm in the UK and using Android on a Sony phone.

I've used Evernote for years with no problems and am now freaking out that I need to change my password for everything, and also that my whole life is on there and some of it's pretty personal or a security risk. Never worried about it before and now I don't know where to start. So this is both a post just to vent and say ARGH! Why don't they send an email to say someone else has logged into your device? Or have more security when it's from another country?

And secondly, has anyone else had this happen? Do you think it is an individual and that they might have downloaded and be going through all my notes as we speak? Or is it some kind of bot that doesn't actually care to read this stuff? I don't know where to start - feel I need to look through all 647 notes to see where my security may have been compromised. GAH! I've emailed the support people but is there anything they can do? Damn the internet. Bring back notebooks. 

Just change password, use two way authentication feature and if you have sensitive information start encryption with Evernote feature or saferoom app 

Share this post


Link to post
24 minutes ago, dydx said:

consider the weaknesses of 2FA  ...My vote would be for encryption

Use both; and strong unique  passwords

As a rule of thumb, never store unencrypted sensitive information in the cloud.

Share this post


Link to post

Hi, In response to an email notification from Evernote that my account had been accessed by someone using a site not associated with Evernote, I have changed my password and added a passcode. I tried to enable two factor authentication via text to my mobile phone and all was going well until I chose not to use the Google app for authentication. The intro said one could choose either text OR Google app authentication, so why does it not allow me to complete the enabling of authentication via text message?

I have tried 3 times and it seems to insist I use the Google app or not be allowed to set up the two factor authentication.

I’m new to the forum and this is my first post so please forgive me if I’m posting in the wrong place, thank you :)

Share this post


Link to post
On 9/8/2018 at 7:25 AM, Rich Tener said:

Hi everyone,

I lead the security team at Evernote. Our security team recently discovered a credential stuffing attack against our service. An unauthorized person has been testing a list of passwords stolen from a site not associated with Evernote. For the small percentage of our users that were affected, the unauthorized individual connected an iPhone to their Evernote account and ran multiple searches, most likely looking for cryptocurrency credentials. For many Basic-tier users, this pushed them over their device limit.

We've been experiencing significant delays with delivering suspicious login notification emails. I'm sorry about that and we are working on fixing that notification service.

The Evernote service is still secure, and we are planning to act to protect the affected users. We will be notifying them, revoking the unauthorized iPhone, and expiring their password. The recommendations in this thread about using a complex password and setting up 2FA are good. You can also find some helpful tips here: https://evernote.com/security/tips 

If you have any additional questions, feel free to ask.

Hi @Rich Tener,

My account has been compromised as well. Would it be possible to verify if any changes were made, and what notes were accessed? Basically a way to evaluate the breach. Thank you!

Share this post


Link to post

Mine has been compromised also. There was a third device (iPhone) logged in from Egypt and from Indonesia on 2 separate days over the past month. I have changed the password but this is quite bad that we weren't notified.

  • Like 1

Share this post


Link to post

@nathanavish thanks for letting us know. The login anomaly feature we built last year needs some significant improvements. Until we can make those, we've shut it off. 

You need to make sure you don't use a password on your Evernote account that you've used on another site. If you do reuse a password, please set up two-factor authentication (2FA). That stops them from getting in. If you don't want the hassle of setting up 2FA, check out a password manager. 1Password and LastPass are two good ones and LastPass is free.

Share this post


Link to post

My account was also accessed today with an iPhone in Peru. I'm assuming it was probably not an iPhone and not in Peru (VPN). Evernote seems to have a serious data breach issue.

Share this post


Link to post
20 minutes ago, FloBorge said:

My account was also accessed today with an iPhone in Peru. I'm assuming it was probably not an iPhone and not in Peru (VPN). Evernote seems to have a serious data breach issue.

If your account was accessed, it would seem someone used your password. A data breach isn't required.

Are you using the same password for other services?

Share this post


Link to post

My account was accessed 2 days ago - 

Evernote for iPhone

iPhone

  • 12/05/2018
186.91.215.113
(Lara, Venezuela)

 

Why wasn't an email to all users about this issue sent out when the instances of this were first noticed? I would have changed my password and set up 2 factor identification then.

Also, why isn't a notice sent when a new device is added to an account???

  • Like 1

Share this post


Link to post
5 minutes ago, bklyngrrl said:

Also, why isn't a notice sent when a new device is added to an account???

You should post that as a feature request.  It has my vote.

  • Like 1

Share this post


Link to post

@nathanavish and @bklyngrrl, thank you for the feedback. I realize we aren't meeting your expectations regarding notification and we have both these feature requests filed. @DTLow's advice to post it as a feature request is good. I'll also send this discussion to our product management team.

@FloBorge, our service is still secure, but a small percentage of our customers have had their passwords stolen from other sites. The unauthorized person is using a very large network of compromised computers to proxy through, which is why you and other affected customers see access from different countries.

Please be sure to:

  • change your Evernote password to one that you've never used or set up 2FA on your account
  • revoke the rogue iPhone device from your account
  • install an anti-malware app in case you have a password stealer installed on a computer that you use to login to Evernote

This type of issue isn't unique to Evernote. Hackers have lists of stolen usernames and passwords and test them against many different online services. You should follow this same advice for any service you use to store important information.

Another resource for you is https://haveibeenpwned.com/ . It's not an exhaustive list, but will tell you some of the public breaches that affected you.

Share this post


Link to post

Hi,

I have same issue:

Evernote for iPhone

iPhone

  • 01/14/2019
175.194.112.86
(Kyonggi-do, Korea, Republic of)

Evernote for iPhone

iPhone

  • 12/29/2018
222.107.30.243
(Seoul-t'ukpyolsi, Korea, Republic of)

Evernote for iPhone

iPhone

  • 12/29/2018
95.78.75.93
(Tatarstan, Russian Federation)

 

I changed my password, set up two-factor authentication. But not sure how the encryption works... any links to a tutorial?

Thanks

Share this post


Link to post

My Evernote account was also compromised in February about 5 days ago from an iPhone in Vietnam. And the worse thing is that I didn't even get an email saying that I had logged into a new device.

What's going on?

Share this post


Link to post

There have been a lot of data breaches with other software and services. If you use the same password and/or e-mail address also on Evernote, you're - excuse my words - fucked. It doesn't mean Evernote has been breached, it is just very likely that your password and e-mail address are also used somewhere else and that that service was hacked.

Check https://haveibeenpwned.com/ to see which services that you use have been breached and in which ones your details became known. Changing the Evernote password is not enough, you also have to change the password of your e-mail, since a) most people use the same password for that and b) password reset mails are being sent to that address, which isn't wise if someone also has access to your mail and can read where you updated your passwords.

This site uses lists of leaked accounts that are being shared between hackers.

So, change passwords everywhere, using the password generator of your password manager. Use long and unique ones everywhere. Set up two-factor authentication where you can.

Share this post


Link to post

I find it very curious that in every case described here (as well as in my case that I was just alerted about) the access is from an iPhone. I think there is something else going on here, not account compromises, at least not in the form of your password being determined. I mean what are the chances that every single person who's had their account compromised has been accessed by an iPhone?

Share this post


Link to post

@cloud9tn The hackers are not using actual physical iPhones to access your account. Once they are able to log into your account using a compromised password, they can authorize another service to have access to your account via our public APIs. This is the same as authorizing a service like IFTTT to access your account. The "iPhone" is just the name of the service they're authorizing as. I think they are using iPhone because it's common and will obfuscate what they are doing, confuse users, or lead them to blame Evernote (which has been happening).

The best thing you can do as a user is to follow good security practices, as noted in Rich's post above.

  • Like 2

Share this post


Link to post

I've just found out that my account has been hacked, very similar to cases described here but with a Samsung? Is this a related incident?

Share this post


Link to post

@sam_beh we are starting to get reports from people that found an Android phone instead of an iPhone. These incidents are related, and a lot of the same users are affected.

Share this post


Link to post

This same thing happened to me.  My account has been logged into from all over the world multiple times since January. 

Share this post


Link to post

Argh... me too! Evernote really needs to add the notification feature when the account is logged on from a new device - I've taken this for granted thus far with my Google account. Awful. I only discovered the issue after receiving an email today from Evernote bringing the problem to my attention and asking me to change my password. 

My account has been accessed many times from all over the world since January from "android" phones. I've set up 2FA authentication now but still pretty concerned.

The haveibeenpwned website is an eye opener.

Share this post


Link to post

My account was also hacked. I'm an absolute novice when it comes to stuff like this, so pardon me if this ends up being an unintelligent question, but aside from the obvious risk of sensitive information being stolen, is there a possibility that something malicious had been injected into our accounts? For example, is it possible that the hacker(s) inserted a script into our notes that could harm our computer or phone?

Share this post


Link to post

Hi, My Account was also hacked. 

I have revoked access, but is there any way to delete the note that the hacker has accessed, or are we able to see which note information has been compromised?

Share this post


Link to post

@airflight, we did not see any evidence of the hacker adding attachments or modifying content. They were only searching and reading the notes that were returned in the search results.

Share this post


Link to post

Email regarding account security

Hi there, I received the email about suspicious activity and the request to change the password. I did so, and figured all will be well. Yesterday I received another email from Evernote saying suspicious activity. Not sure why I need to keep changing my password, seems it's an issue on the Evernote side.

Share this post


Link to post

We accidentally sent a second email to some of you. It was a mistake on our part and not because we detected suspicious activity on your account a second time. If you have already changed your password or set up 2FA, please ignore the second email we sent you.

Share this post


Link to post
14 hours ago, Rich Tener said:

we did not see any evidence of the hacker adding attachments or modifying content. They were only searching and reading the notes that were returned in the search results.

@Rich Tener In your Security Update message you mentioned this latest event was about searching for cryptocurrency credentials. How do you know this? Is there any reason to believe they were searching for credentials beyond cryptocurrency accounts (i.e. more of a general fishing expedition)?

I received your alert email (thank you, btw) and have since discovered my account was accessed multiple times on two separate days since January (screenshot attached). If it was specifically for cryptocurrency credentials then I'm relieved as I have no such information. However, I do have a lot of other sensitive content for which I'm now concerned is circulating across the internet.

Note, I've since changed my Evernote password and have checked all my other accounts that could have been compromised (along with changing their passwords). Thankfully, at this point nothing else appears to have been impacted. 

Screen Shot 2019-03-04 at 10.34.21 AM.png

Share this post


Link to post

Hi @tedwlm. To protect your privacy, we never look at what an individual searches for in their account. Instead, we have a process to de-identify and aggregate common search terms across our broader population. When we did this, we saw the same terms being searched consistently across a number of accounts that matched up with the number of affected customers. The search terms included a number of different cryptocurrency terms such as “Bitcoin” and “Ethereum”, but also more generic terms like “password”. We suspect that if they find passwords, they feed those into their automation to test against other services, much the same way they test usernames and passwords against Evernote.

Share this post


Link to post

Thanks for the reply @Rich Tener. Possible you can share information on other generic search terms that were included? Just trying to get a gauge on how much of my sensitive content may have been uncovered and fed into automation. 

Share this post


Link to post

My account was accessed from these IPs 2 weeks ago. I just got the email. But I don't understand why I didn't get that email before. Because if the location is different you should get an email about activities. I never logged in from Japan and Russia before and I never use an iPhone, and Evernote didn't warn me about that. Is it the fault of Evernote's iPhone application or the API?

image.png.301e93431c4007319180052fd9bb0340.png

Share this post


Link to post
5 hours ago, sfatih said:

My account was accessed from these IPs 2 weeks ago. I just got the email. But I don't understand why I didn't get that email before. Because if the location is different you should get an email about activities. I never logged in from Japan and Russia before and I never use an iPhone, and Evernote didn't warn me about that. Is it the fault of Evernote's iPhone application or the API?

I suggest that you read the above posts from @Rich Tener and @Scott T. in this topic.

Share this post


Link to post

@sfatih, we don't have an automatic notification system to notify you when someone logs in from a new country or a new device. I understand that this is a common expectation and I'm working with our engineering teams to prioritize getting those capabilities built into our service.

Share this post


Link to post
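The new-device and new-country notification discussed in the post above can be sketched against the access-history layout that several posters pasted earlier in this thread. This is an added example, not Evernote's implementation or any poster's code; the sample history, the documentation-range IP addresses and the function names are constructed. As Scott T. and Rich Tener explain, the client name is chosen by whoever authorizes it and the source IP is usually a proxy, so these flags are triggers for notifying the owner, not evidence of who or where the attacker is.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime

# Constructed sample in the layout of the access-history entries pasted in
# this thread. IPs are RFC 5737 documentation addresses, not real ones.
SAMPLE_HISTORY = """
Evernote for Android
Sony phone
  • 01/02/2019
192.0.2.10
(England, United Kingdom)

Evernote for iPhone
iPhone
  • 01/14/2019
198.51.100.23
(Kyonggi-do, Korea, Republic of)

Evernote for iPhone
iPhone
  • 12/29/2018
198.51.100.99
(Seoul-t'ukpyolsi, Korea, Republic of)

Evernote for iPhone
iPhone
  • 12/29/2018
203.0.113.77
(Tatarstan, Russian Federation)
"""

DATE_RE = re.compile(r"^•\s*(\d{2}/\d{2}/\d{4})$")
LOC_RE = re.compile(r"^\((.+)\)$")

@dataclass(frozen=True)
class Access:
    client: str
    device: str
    when: date
    ip: str
    region: str
    country: str

def parse_history(text):
    """Parse client / device / date / IP / (region, country) blocks."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    for i, ln in enumerate(lines):
        m = DATE_RE.match(ln)
        if not m or i < 2 or i + 2 >= len(lines):
            continue
        loc = LOC_RE.match(lines[i + 2])
        if not loc:
            continue
        # Split on the first comma only: "Korea, Republic of" is one country.
        region, _, country = loc.group(1).partition(",")
        if not country:
            region, country = "", region
        when = datetime.strptime(m.group(1), "%m/%d/%Y").date()
        entries.append(Access(lines[i - 2], lines[i - 1], when, lines[i + 1],
                              region.strip(), country.strip()))
    return entries

def flag_accesses(entries, known_clients, known_countries):
    """Return (entry, reasons) for accesses outside the owner's baseline."""
    alerts = []
    for e in sorted(entries, key=lambda a: a.when):
        reasons = []
        if e.client not in known_clients:
            reasons.append("new client")
        if e.country not in known_countries:
            reasons.append("new country")
        if reasons:
            alerts.append((e, reasons))  # flagged entries never join the baseline
    return alerts

def country_fanout(entries, window_days):
    """Largest number of distinct countries seen within any window."""
    best = 0
    for start in entries:
        seen = {e.country for e in entries
                if 0 <= (e.when - start.when).days <= window_days}
        best = max(best, len(seen))
    return best

if __name__ == "__main__":
    history = parse_history(SAMPLE_HISTORY)
    for entry, why in flag_accesses(history, {"Evernote for Android"},
                                    {"United Kingdom"}):
        print(entry.when, entry.ip, entry.country, why)
    print("countries on a single day:", country_fanout(history, 0))
```

Two countries on the same day, as in the constructed 12/29/2018 entries, is the proxy-network pattern described earlier in the thread and is a stronger signal than any single unfamiliar location.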

@jefito I have already done the necessary actions. It's okay now. @Rich Tener Thank you for your response. In addition to email notification, Google also locks the account temporarily if someone tries to access account in other countries. 

I hope everything goes well in that situation. 

Share this post


Link to post

If you keep a list of passwords in Evernote (which is something that you should never do) change the passwords of all your accounts. Keep an eye on your credit card and Paypal for weird transactions.

Probably the hackers used a password from you that was found in hack of? also used on another service. Check the website https://haveibeenpwned.com/

Also: use a password manager, and use unique and strong passwords everywhere.

  • Like 1

Share this post


Link to post

I've been hacked too, sadly.  My password is listed on the pwned website. 😶 I'm now in the process of changing all the passwords and implementing the security measures that I should have done a long time ago.

Unlike others, my account was accessed from California only, with various IPs via Evernote Web.

Would you say that it looks more like one person has been repeatedly accessing the account (to snoop!) rather than random hackers checking out potential cryptocurrencies or whatnot?

Surely it's impossible to tell, but I'm just wondering how much damage could it potentially be? 

Thanks.

Share this post


Link to post

Just to sum it up:

The IP does not tell much. Using a VPN (which includes the TOR network) you can leave the tunnel at any place where servers of the VPN provider are located. It seems the access came from California when the guy really was sitting in a nice Internet cafe somewhere in Europe, a coworking space in SE Asia or wherever.

It makes no sense to think about the „where from“. Who is accessing other people's accounts rarely does this for meaning well.

Because the huge database of E-Mail & PW-data was offered in the net quite open and for amazingly cheap money, there is no way telling who might be accessing your account, and what for. 

If a pro will do it, he will most likely use an automatic process for the initial try to enter. Maybe even for the first search in the Database after entering an account. If this draws a blank (for example when searching for cryptocurrency), he may not even bother and move on.

But this can be as well disaster kid, IQ 140, EQ 70, bored and thinking about whom he should make life a little more exciting this afternoon. Then the damage depends only on what content you might have in your EN data. So if the IRS, a SWAT team or your wife’s attorney comes knocking on your door, open it quickly and with a smile. This will at least save the door.

I would very quickly change all my passwords, starting with the E-Mail accounts and the accounts of mobile phone services. Both are used when resetting web accounts, so who is controlling these can counter any resetting of web accesses by simply controlling the PW-reset mails flowing in.

And it would be a good day to start to use a password manager to recreate the access PWs. First the PWmanager will create good, strong passwords, individual for each account. And secondly it helps to know which accesses you have, and keep them in line.

Important accounts (again, E-Mail first, then cloud services, bank and brokerage accounts etc.) should be set to 2-factor-authorization, if possible.

If there were access data to your home network in the EN account (WLAN, Router or remote access), these must be changed ASAP as well. PW-managers are better places to keep this data too.

Share this post


Link to post

@PinkElephant

The thing is that Google keeps track and notifies users whenever a login to one of their services comes from a new device. Windows machines have unique fingerprints and so do Android devices. Microsoft logs and acts in the same fashion (OneDrive and OneNote) as Google. That's what data security is all about.

So regardless from where and when an account is accessed, Evernote should also fully monitor access by device (hardware print) and instantaneously follow up with mail notifying a registered paid user about the unusual access to the account.

One can very well assume that Evernote accounts were not searched by a single person or a group looking for passwords that might not have any real use to them or which could backfire if used. Bots searching for Crypto Mining seems a very plausible thing.

Too bad for the individuals affected and of course, they have the job of changing passwords and, depending on what other confidential data they stored, notifying banks, business partners, etc.

*not-nice-at-all* says JohnL

 

 

 

 

Share this post


Link to post

It is always nice if the service provider of choice supports better security. Some do more, some less.

EN is IMHO somewhere in the middle: Maybe less secure than the TOP bunch, but with a sufficient set of options to make things pretty locked up.

In fact 2-factor-authorization works exactly as you wish: If somebody with an unknown device tries to log in, the account owner receives a message on a known (=safe) device and can decide about granting access. When it is a hacking attempt, with 2-F-A I can not only refuse the access - I am warned as well that somebody tried to enter.

For me, this serves the purpose of receiving a head-up when a new device shows up. That I have to do something myself (activate 2-F-A) to get it activated is o.k.

From my side, I have 3 other aspects I would like EN to improve in terms of security :

- pick a Username / Account name other than an E-Mail address (creates another random factor in the access)

- Create public links that do not contain account information openly, like they do today

- Full encryption of the database, especially on the local devices that hold a copy of the data, using a good encryption algorithm linked with account security. Decryption only and as long as the EN app is active and not idle (timeout setup).

Share this post


Link to post

@PinkElephant Thank you for advice!

 

A question - since resetting the password, email and implementing 2FA, Evernote started crashing constantly.

Could it possibly be because someone might have injected some virus or something into one of the notes? 😵

 

Share this post


Link to post

Quite an experience today! I haven't opened my Evernote account since 2015. Got an email from the security team today (Mar 26 2019) about suspicious activity.

Unauthorized activity has been going on since January 2 to March 16 2019 from different parts of the world. Person has been using a Samsung phone exclusive only to Australia.

Already changed my password, revoked access to the device and deleted any notes containing sensitive information (names, old numbers/addresses). Had to log off my account and use the new password to confirm that the device has been revoked.

Hope this helps the Security Team and anyone going through a similar ordeal. Better caught late than never.

evernote_device_breach_list.jpg

Share this post


Link to post
On 3/26/2019 at 1:17 AM, Rxx said:

Could it possibly be because someone might have injected some virus or something into one of the notes?

Hi.  Highly unlikely - I believe there have been some posts about crashes possibly related to 2FA.  As you're a subscriber I recommend you report this to Support and see what they say.

 

Share this post


Link to post
