Jump to content

Account been hacked? Help!


Recommended Posts

Hi all,

I just discovered on going to use Evernote on my phone that it was asking me to deactivate a device in order to use it. This led to the discovery that 18 hours ago my account was accessed by an Iphone with an IP address in Egypt. I'm in the UK and using android on a Sony phone. 

I've used Evernote for years with no problems and am now freaking out that I need to change my password for everything, and also that my whole life is on there and some of its pretty personal or a security risk. Never worried about it before and now I don't know where to start. So this is both a post just to vent and say ARGH! Why don't they send an email to say someone else has logged into your device? Or have more security when it's from another country?

And secondly, has anyone else had this happen? Do you think it is an individual and that they might have downloaded and be going through all my notes as we speak? Or is it some kind of bot that doesn't actually care to read this stuff? I don't know where to start - feel I need to look through all 647 notes to see where my security may have been compromised. GAH! I've emailed the support people but is there anything they can do? Damn the internet. Bring back notebooks. 

  • Like 1
  • Thanks 2
Link to comment
  • Level 5*
14 minutes ago, Swirley said:

And secondly, has anyone else had this happen? 

The weakest link is usually the password.  Users use the same password all over the place.
Hackers collect the passwords at some weakly protected website.

I have a password manager app (Bitwarden) and unique passwords for each service.
Two factor authorization is also a good idea.

I use encryption to protect sensitive data uploaded to the cloud.

  • Like 1
Link to comment

Ironically I never trusted a password manager! It's so hard these days with so many apps and sites to keep track of to use a different password each time. I use a variety of passwords but this one has been used before so it's all getting changed now...how do you know to trust a password manager?! 

 

Link to comment
  • Level 5*
6 minutes ago, Swirley said:

how do you know to trust a password manager?

In theory; I don't have to trust the password manager service.  They don't know any of my passwords; all they know is encrypted data.

Link to comment
  • Level 5*

Hmmn.  You're obviously doing the right thing in changing your password,  but how and why this mysterious Egyptian IP address had access to your account I have no idea. 

On a couple of previous occasions in the past several years,  Evernote (like many other firms) has successfully detected and hopefully resisted an attack,  but in both cases has contacted all users involved and advised them as a precaution to change their password.  You didn't get an email - it would appear - because nobody knew about this. 

Evernote security lead @Rich Tener should certainly be told about it.  (Hover your cursor over the green icon to message him direct).

I've used password apps - LastPass and BitDefender for about 10 years,  and never had any concerns about my - or their - security.  The passwords they generate are as long and as complicated as you like.  A 30-character random string like this syovw6te62ksVtaJap3SRJKN5NC6n2 is probably a little unwieldy,  but it's automatically generated and entered by the application whenever I need it. 

If you need memorable passwords and have a favourite poem,  one line - "I wandered lonely as a cloud" (for example) is probably as secure as the random one (same length!).

You can add some security to your account if you wish - go to the devices page and 'revoke access' on any device you don't use.  You can also add 2-factor authentication to your account,  and convert the content of any key individual notes into password-protected PDF files.

When you do get to the bottom of the Egyptian access,  please let us know what happened! - and if you have any questions in the meantime,  we're here pretty much 24/7...

  • Like 1
  • Thanks 1
Link to comment

Thank you so much for bringing it up! I have the same problem, I just discovered my account was accessed by an IPhone with an IP address in "Taegu-jikhalsi, Korea, Republic of" and "Zulia, Venezuela", and I use only Android and live in Ukraine. I have personal and very important information there too, so I was shocked. I really hope that it's just some kind of bot or at least someone who don't understand Russian ? But based on what I've seen on forum (that there was at least three similar "IPhone hacks" recently and these accounts are from different countries, and even text in there are in different languages (English and Russian) ) I can say it really gives me hope that it's just a bot, not a person who is reading our notes right now. But, of course, I'm just guessing.

It's really frustrating that there was no email and I could never know about this situation if I were a paid customer with no device limit.

And thanks to everyone for answers, it's really helpful!

  • Like 2
Link to comment
  • Level 5

Hey All,

I'm going to reach out to @Rich Tener to have him further investigate into possible issues, and wanted to assure you that someone is here listening!

We'll follow-up as soon as we can once we have more information.

Feel free to reach out to me directly if you have any other questions!

  • Thanks 1
Link to comment

Same type of hack as OP. Was notified by Evernote of login from foreign remote IP (below).

Get organized. Work smarter. Remember everything. | Evernote
We noticed a new login to Evernote and wanted to make sure it was you.

Where: South Korea
When: 2018-08-28 04:22 UTC

I did have a weak password, and did not have much in the way of docs at risk.  Easy fix to hack, but they are out there.....careful on your passwords.  Maybe multi-step authentication?

Link to comment
  • Level 5*
2 hours ago, dydx said:

did not have much in the way of docs at risk

That's the other point to protect your data.  I have sensitive information but I make sure it's encrypted.
Evernote has a text encryption feature and I use the native encryption in attachments; pdfs, office/iwork documents, ...

  • Like 2
Link to comment
On 9/6/2018 at 4:00 PM, Swirley said:

Hi all,

I just discovered on going to use Evernote on my phone that it was asking me to deactivate a device in order to use it. This led to the discovery that 18 hours ago my account was accessed by an Iphone with an IP address in Egypt. I'm in the UK and using android on a Sony phone. 

I've used Evernote for years with no problems and am now freaking out that I need to change my password for everything, and also that my whole life is on there and some of its pretty personal or a security risk. Never worried about it before and now I don't know where to start. So this is both a post just to vent and say ARGH! Why don't they send an email to say someone else has logged into your device? Or have more security when it's from another country?

And secondly, has anyone else had this happen? Do you think it is an individual and that they might have downloaded and be going through all my notes as we speak? Or is it some kind of bot that doesn't actually care to read this stuff? I don't know where to start - feel I need to look through all 647 notes to see where my security may have been compromised. GAH! I've emailed the support people but is there anything they can do? Damn the internet. Bring back notebooks. 

Just change password, use two way authentication feature and if you have sensitive information start encryption with Evernote feature or saferoom app 

Link to comment
  • Level 5*
24 minutes ago, dydx said:

consider the weaknesses of 2FA  ...My vote would be for encryption

Use both; and strong unique  passwords

As a rule of thumb, never store unencrypted sensitive information in the cloud.

Link to comment

Hi, In response to an email notification from Evernote that my account had been accessed by someone using a site not associated with Evernote., I have changed my password and added a passcode. I tried to enable two factor authentication via text to my mobile phone and all was going well until I chose not to use google app for authentication. The intro said one could choose either text OR google app authentication so why does not allow me to complete the enabling of authentication via text message?

i have tried 3 times and it seems to insist I use the google app or not be allowed to set up the two factor authentication. 

I’m new to the forum and this is my first post so please forgive me if I’m posting in the wrong place, thank you :)

Link to comment
  • 2 months later...
On 9/8/2018 at 7:25 AM, Rich Tener said:

Hi everyone,

I lead the security team at Evernote. Our security team recently discovered a credential stuffing attack against our service. An unauthorized person has been testing a list of passwords stolen from a site not associated with Evernote. For the small percentage of our users that were affected, the unauthorized individual connected an iPhone to their Evernote account and ran multiple searches, most likely looking for cryptocurrency credentials. For many Basic-tier users, this pushed them over their device limit.

We've been experiencing significant delays with delivering suspicious login notification emails. I'm sorry about that and are working on fixing that notification service.

The Evernote service is still secure, and we are planning to act to protect the affected users. We will be notifying them, revoking the unauthorized iPhone, and expiring their password. The recommendations in this thread about using a complex password and setting up 2FA are good. You can also find some helpful tips here: https://evernote.com/security/tips 

If you have any additional questions, feel free to ask.

Hi @Rich Tener,

My account has been compromised as well. Would it be possible to verify if any changes were made, and what notes were accessed? Basically a way to evaluate the breach. Thank you!

Link to comment
  • 2 weeks later...

@nathanavish thanks for letting us know. The login anomaly feature we built last year needs some significant improvements. Until we can make those, we've shut it off. 

You need to make sure you don't use a password on your Evernote account that you've used on another site. If you do reuse a password, please setup two-factor authentication (2FA). That stops them from getting in. If you don't want the hassle of setting up 2FA, check out a password manager. 1password and Lastpass are two good ones and Lastpass is free.

Link to comment
  • Level 5*
20 minutes ago, FloBorge said:

my account was also accessed today with an iPhone in Peru. I'm assuming it was probably not iPhone and not in Peru (VPN) Evernote seems to have a serious data breach issue.

If your account was accessed, it iwould seem someone used your password.  A data breach isn't  required.

Are you  using the same password for other services?

Link to comment

My account was accessed 2 days ago - 

Evernote for iPhone

iPhone

  • 12/05/2018
186.91.215.113
(Lara, Venezuela)

 

Why wasn't an email to all users about this issue sent out when the instances of this were first noticed? I would have changed my password and set up 2 factor identification then.

Also, why isn't a notice sent when a new device is added to an account???

  • Like 1
Link to comment
  • Level 5*
5 minutes ago, bklyngrrl said:

Also, why isn't a notice sent when a new device is added to an account???

You should post that as a feature request.  It has my vote.

  • Like 1
Link to comment

@nathanavish and @bklyngrrl, thank you for the feedback. I realize we aren't meeting your expectations regarding notification and we have both these feature requests filed. @DTLow's advice to post it as a feature request is good. I'll also send this discussion to our product management team.

@FloBorge, our service is still secure, but a small percentage of our customers have had their passwords stolen from other sites. The unauthorized person is using a very large network of compromised computers to proxy through, which you and other affected customers see access from different countries.

Please be sure to:

  • change your Evernote password to one that you've never used or setup 2FA on your account
  • revoke the rogue iPhone device from your account
  • install an anti-malware app in case you have a password stealer installed on a computer that you use to login to Evernote

This type of issue isn't unique to Evernote. Hackers have lists of stolen usernames and passwords and test them against many different online services. You should follow this same advice for any service you use to store important information.

Another resource for you is https://haveibeenpwned.com/ . It's not an exhaustive list, but will tell you some of the public breaches that affected you.

Link to comment
  • 1 month later...

Hi,

I have same issue:

Evernote for iPhone

iPhone

  • 01/14/2019
175.194.112.86
(Kyonggi-do, Korea, Republic of)

Evernote for iPhone

iPhone

  • 12/29/2018
222.107.30.243
(Seoul-t'ukpyolsi, Korea, Republic of)

Evernote for iPhone

iPhone

  • 12/29/2018
95.78.75.93
(Tatarstan, Russian Federation)

 

I changed my password, set up two-factor authentication. But not sure how the encryption works... any links to a tutorial?

Thanks

Link to comment
  • 1 month later...

There have been a lot of data breaches with other software and services. if you use the same password and/or e-mailaddress also on Evernote, you´re - excuse my words - fucked. It doesn´t mean Evernote has been breached, it is just very likely that your password and e-mailaddress are also used somewhere else and that that service was hacked.

Check https://haveibeenpwned.com/ to see which services that you use have been breached and in which ones your details became known. Changing the Evernote password is not enough, you also have to change the password of your e-mail, since a) most people use the same password for that and b) password reset mails are being send to that address, which isn´t wise if someone also has access to your mail and can read where you updated your passwords.

This site uses lists of leaked accounts that are being shared between hackers.

So, change passwords everwhere, using the password generator of your password manager.Use long and unique ones everywhere. Setup two-factor authencation where you can.

  • Thanks 1
Link to comment

I find it very curious that in every case described here (as well as in my case that I was just alerted about) the access is from an iPhone. I think there is something else going on here, not account compromises, at least not in the form of your password being determined. I mean what are the chances that every single person whos had their account compromised has been accessed by an iPhone?

Link to comment
  • Ex Employees

@cloud9tn The hackers are not using actual physical iPhones to access your account. Once they are able to log into your account using a compromised password, they can authorize another service to have access to your account via our public APIs. This is the same as authorizing a service like IFTTT to access your account. The "iPhone" is just the name of the service they're authorizing as. I think they are using iPhone because it's common and will obfuscate what they are doing, confuse users, or lead them to blame Evernote (which has been happening).

The best thing you can do as a user is to follow good security practices, as noted in Rich's post above.

  • Like 2
Link to comment

Argh... me too! Evernote really needs to add the notification feature when the account is logged on from a new device - I've taken this for granted thus far with my Google account. Awful. I only discovered the issue after receiving an email today from Evernote bringing the problem to my attention and asking me to change my password. 

My account has been accessed many times from all over the world since January from "android" phones. I've set up 2FA authentication now but still pretty concerned.

The ihavebeenpwned website is an eye opener.

Link to comment

My account was also hacked. I'm an absolute novice when it comes to stuff like this, so pardon me if this ends up being an unintelligent question, but aside from the obvious risk of sensitive information being stolen, is there a possibility that something malicious had been injected into our accounts? For example, is it possible that the hacker(s) inserted a script into our notes that could harm our computer or phone?

Link to comment

Email regarding account security

Hi there, I received the email about suspicious activity and the request to change the password. I did so, and figured all will be well. Yesterday I received another email from Evernote saying suspicious activity. Not sure why I need to keep changing my password, seems its an issue on the Evernote side.

  • Like 1
Link to comment

We accidentally sent a second email to some of you. It was a mistake on our part and not because we detected suspicious activity on your account a second time. If you have already changed your password or setup 2FA, please ignore the second email we sent you.

Link to comment
14 hours ago, Rich Tener said:

we did not see any evidence of the hacker adding attachments or modifying content. They were only searching and reading the notes that were returned in the search results.

@Rich Tener In your Security Update message you mentioned this latest event was about searching for cryptocurrency credentials. How do you know this? Is there any reason to believe they were searching for credentials beyond cryptocurrency accounts (i.e. more of a general fishing expedition)?

I received your alert email (thank you, btw) and have since discovered my account was accessed multiple times on two separate days since January (screenshot attached). If it was specifically for cryptocurrency credentials then I'm relieved as I have no such information. However, I do have a lot of other sensitive content for which I'm now concerned is circulating across the internet.

Note, I've since changed my Evernote password and have checked all my other accounts that could have been compromised (along with changing their passwords). Thankfully, at this point nothing else appears to have been impacted. 

Screen Shot 2019-03-04 at 10.34.21 AM.png

Link to comment

Hi @tedwlm. To protect your privacy, we never look at what an individual searches for in their account. Instead, we have a process to de-identify and aggregate common search terms across our broader population. When we did this, we saw the same terms being searched consistently across a number of accounts that matched up with the number of affected customers. The search terms included a number of different cryptocurrency terms such as “Bitcoin” and “Ethereum”, but also more generic terms like “password”. We suspect that if they find passwords, they feed those into their automation to test against other services, much the same way they test usernames and passwords against Evernote.

Link to comment

Thanks for the reply @Rich Tener. Possible you can share information on other generic search terms that were included? Just trying to get a gauge on how much of my sensitive content may have been uncovered and fed into automation. 

Link to comment

My account accessed from this IP's 2 weeks ago. I just got the email. But I don't understand why I didn't get that email before. Because of if the location different you should get an email about activities. I never log in from Japan and Russia before and I never use an iPhone and Evernote didn't warn me about that. Is it about Evernote's iphone application's fault or API's?

image.png.301e93431c4007319180052fd9bb0340.png

Link to comment
  • Level 5*
5 hours ago, sfatih said:

My account accessed from this IP's 2 weeks ago. I just got the email. But I don't understand why I didn't get that email before. Because of if the location different you should get an email about activities. I never log in from Japan and Russia before and I never use an iPhone and Evernote didn't warn me about that. Is it about Evernote's iphone application's fault or API's?

I suggest that you read the above posts from @Rich Tener and @Scott T. in this topic.

Link to comment

@sfatih, we don't have an automatic notification system to notify you when someone logs in from a new country or a new device. I understand that this is a common expectation and I'm working with our engineering teams to prioritize getting those capabilities built into our service.

Link to comment

@jefito I have already done the necessary actions. It's okay now. @Rich Tener Thank you for your response. In addition to email notification, Google also locks the account temporarily if someone tries to access account in other countries. 

I hope everything goes well in that situation. 

Link to comment
  • 2 weeks later...

If you keep a list of passwords in Evernote (which is something that you should never do) change the passwords of all your accounts. Keep an eye on your creditcard and Paypal for weird transactions.

Probably the hackers used a password from you that was found in hack of? also used on an other service. Check the website https://haveibeenpwned.com/

Also: use a password manager, and use unique and strong passwords everywhere.

  • Like 1
Link to comment

I've been hacked too, sadly.  My password is listed on the pwned website. 😶 I'm now in the process of changing all the passwords and implementing the security measures that I should have done a long time ago.

Unlike others, my account was accessed from California only, with various IPs via Evernote Web.

Would you say that it looks more like one person has been repeatedly accessing the account (to snoop!) rather than random hackers checking out potential cryptocurrencies or whatnot?

Surely it's impossible to tell, but I'm just wondering how much damage could it potentially be? 

Thanks.

Link to comment
  • Level 5

Just to sum it up:

The IP does not tell much. Using a VPN (which includes the TOR network) you can leave the tunnel at any place where servers of the VPN provider are located. It seems the access came from California when the guy really was sitting in a nice Internet cafe somewhere in Europe, a coworking space in SEasia or wherever.

It makes no sense to think about the „where from“. Who is accessing other peoples accounts rarely does this for meaning well.

Because the huge database of E-Mail & PW-data was offered in the net quite open and for amazingly cheap money, there is no way telling who might be accessing your account, and what for. 

If a pro will do it, he will most likely use an automatic process for the initial try to enter. Maybe even for the first search in the Database after entering an account. If this draws a blank (for example when searching for cryptocurrency), he may not even bother and move on.

But this can be as well desaster kid, IQ 140, EQ 70, bored and thinking about whom he should make life a little more exiting this afternoon. Then the damage depends only on what content you might have in your EN data. So if the IRS, a SWAT team or your wife’s attorney comes knocking on your door, open it quickly and with a smile. This will at least save the door.

I would very quickly change all my passwords, starting with the E-Mail accounts and the accounts of mobile phone services. Both are used when resetting web accounts, so who is controlling these can counter any resetting of web accesses by simply controlling the PW-reset mails flowing in.

And it would be a good day to start to use a password manager to recreate the access PWs. First the PWmanager will create good, strong passwords, individual for each account. And secondly it helps to know which accesses you have, and keep them in line.

Important accounts (again, E-Mail first, then cloud services, bank and brokerage accounts etc.) should be set to 2-factor-authorization, if possible.

If there were access data to your home network in the EN account (WLAN, Router or remote access), these must be changed ASAP as well. PW-managers are better places to keep this data too.

Link to comment

@PinkElephant

the thing is that Google keeps track and notifies users whenever login to one of their services comes  from a new device. Windows machines have unique fingerprints and so do Android devices. Microsoft logs and acts in the same fashion (OneDrive and OneNote) as Google. That's what data security is all about. 

So regardless from where and when an account is accessed  Evernote should also fully monitor access by device (hardware print) and instanteously follow up with mail notifying a registered paid user about the unusual access to the account. 

One can very well assume that Evernote accounts were not searched by a single person or a group looking for passwords that might not have any real use  to them or which could backfire  if used. Bots searching for Crypto Mining seems a very plausible thing 

Too bad for the individuals affected and of course, they have the job of changing passwords and! depending on what other confidential data they stored. notifying banks, business partners, etc.

*not-nice-at-all* says JohnL

 

 

 

 

Link to comment
  • Level 5

It is allways nice if the service provider of choice supports better security. Some do more, some less.

EN is IMHO somewhere in the middle: Maybe less secure than the TOP bunch, but with a sufficient set of options to make things pretty locked up.

In fact 2-factor-authorization works exactly as you wish: If somebody with an unknown device tries to log in, the account owner receives a message on a known (=safe) device and can decide about granting access. When it is a hacking attempt, with 2-F-A I can not only refuse the access - I am warned as well that somebody tried to enter.

For me, this serves the purpose of receiving a head-up when a new device shows up. That I have to do something myself (activate 2-F-A) to get it activated is o.k.

From my side, I have 3 other aspects I would like EN to improve in terms of security :

- pick a Username / Account name other than an E-Mail-adress (creates another random factor in the access)

- Create public links that do not contain account information openly, like they do today

- Full encryption of the database, especially on the local devices that hold a copy of the data, using a good encryption algorithm linked with account security. Decryption only and as long as the EN app is active and not idle (timeout setup).

Link to comment

@PinkElephant Thank you for advice!

 

A question - since resetting the password, email and implementing 2FA, Evernote started crashing constantly.

Could it possibly be because someone might have injected some virus or something into one of the notes? 😵

 

Link to comment

Quite an experience today! I haven't opened my Evernote account since 2015. Got an email from the security team today (Mar 26 2019) about suspicious activity.

Unauthorized activity has been going on since January 2 to March 16 2019 from different parts of the world. Person has been using a Samsung phone exclusive only to Australia.

Already changed my password, revoked access to the device and deleted any notes containing sensitive information (names, old numbers/addresses). Had to log off my account and use the new password to confirm that the device has been revoked.

Hope this helps the Security Team and anyone going through a similar ordeal. Better caught late than never.

evernote_device_breach_list.jpg

Link to comment
  • Level 5*
On 3/26/2019 at 1:17 AM, Rxx said:

Could it possibly be because someone might have injected some virus or something into one of the notes?

Hi.  Highly unlikely - I believe there have been some posts about crashes possibly related to 2FA.  As you're a subscriber I recommend you report this to Support and see what they say.

 

Link to comment
  • 2 months later...

Would it be possible for Evernote to send an automatic email once the account was accessed from a different device or IP?

I implemented all advised security measures including 2FA, but I found out that my account was accessed yet again from a device from the United States.

How is it even possible??

Link to comment
  • Level 5

It is not possible if all security measures were properly (!) applied (option 1), or you are the first in a row of breaches to come (option 2).

Pick your choice !

If you are not sure whether you applied the measures properly, the best thing would be to get some help by a person that knows how (personal contact or paid professional).

If I would have had an intruder, I would rather rebuild account security from scratch, than just changing my PW.

Link to comment
  • Level 5*
23 hours ago, Rxx said:

Would it be possible for Evernote to send an automatic email once the account was accessed from a different device or IP?

I implemented all advised security measures including 2FA, but I found out that my account was accessed yet again from a device from the United States.

How is it even possible??

I don't think it seems possible either assuming everything was done correctly.  I would suggest opening a help ticket with Evernote so you can discuss the specifics of your account with them.

Link to comment
  • Level 5*
On 5/28/2019 at 3:41 PM, Rxx said:

How is it even possible??

Another thought, did you by chance connect in through a VPN?  That will change the location reported.

Link to comment

Thank you for replying, PinkElephant and s2sailor.

I'm not sure what could I have done wrong with implementing security measures.

I changed my email, password and set up 2FA. Apart from this, I changed most of my passwords and emails, I'm now using a password manager; even the router was changed.

There was no malware on the laptop (as far as I can tell).

 

How is it possible, even if someone learned the new password, they were able to access the account without having the codes from 2FA?

Unless all my devices, including the mobile phone, are infested with some malware?

 

4 minutes ago, s2sailor said:

Another thought, did you by chance connect in through a VPN?  That will change the location reported.

No, I didn't use a VPN.  😧

Screenshot_2019-05-30 Access History.png

Link to comment
  • Level 5

To set up some order:

Yes, it would be nice if EN notifies a trusted device whenever there is a new account login. Dropbox is doing so, and I feel safer by this.

For me, if you say there was a third party login there was a third party login - period. You will know when you entered your account, and if it was not you, it was somebody else. Via VPN, Proxie or TOR does not play a role - however it is well known that the „bad guys“ use these tools to cloak their real location and setup.

The foreign Android device entering form the US may well be an automatic data retrieval server running Linux working down a huge account/PW-database with stolen passwords situated in Mongolia, or wherever. They will connect to a network of computers that muddle up the location and hide who is behind it.

It is highly unlikely that all of your devices are infected. But if you have malware on your laptop, everything you do there can be reproduced. There is malware that will take a picture of your screen every X seconds while your PC is active. Then even one-time-Code-lists are no longer safe.

To exclude this, I would make the security setup from a completely different machine, possibly with another OS and with a browser set to „private mode“ before starting Evernote.

Link to comment
  • Ex Employees

@Rxx, I would suggest reaching out to our support team. They should be able to help track down what is going on and make sure you have 2FA setup correctly. It will also be helpful for our security team to have the additional information to understand if this is a different attack beyond the one we have been tracking for several months.

  • Thanks 1
Link to comment
  • 3 weeks later...

Just an update - it turns out I wasn't hacked after all. It was something related to using Web Clipper.

It really helped me with improving my online security measures, though! :-)

  • Like 1
Link to comment
  • 2 weeks later...
  • Level 5*
On 6/19/2019 at 12:25 AM, WesleiRodrigues said:

Hello, my account was also accessed by an iphone in Russia. Does this mean that my notes are in danger? sensitive information, including passwords, may have leaked?

Hi.  See the advice posted above.  Evernote is not the place to keep passwords.  If you didn't get an individual email from Evernote,  they probably don't think you are at risk,  but anything stored online is always at risk - if you can access your data,  then so could someone else...

Link to comment
  • Level 5*
On 6/18/2019 at 4:25 PM, WesleiRodrigues said:

Hello, my account was also accessed by an iphone in Russia. Does this mean that my notes are in danger? sensitive information, including passwords, may have leaked?

Your account was accessed by someone who knew your userid/password.

Yes, they may have accessed your notes, ...

You should change your passwords; don't use your Evernote password on other services

I protect my sensitive information using encryption

Link to comment
  • Level 5*
On 6/18/2019 at 7:25 PM, WesleiRodrigues said:

Hello, my account was also accessed by an iphone in Russia. Does this mean that my notes are in danger? sensitive information, including passwords, may have leaked?

In addition to the other comments I would highly suggest you activate 2FA on your account.

Link to comment

 

9 hours ago, DTLow said:

Your account was accessed by someone who knew your userid/password.

Yes, they may have accessed your notes, ...

You should change your passwords; don't use your Evernote password on other services

I protect my sensitive information using encryption

 

Since Evernote does not provide encryption, securing or protecting sensitive information is useless that way. Local notebooks on Mac can be protected by encryption provided by MacOs, but doesn´t help public notebooks and web/windows users.

The only things that benefit everyones Evernote-account.

* Don´t store passwords in Evernote, use a password manager for that.
* Don´t reuse passwords, unique and long passwords for every service you use
* Enable 2FA where you can

Check also this wonderful guide on protecting yourself: https://watchyourhack.com/

Link to comment
  • Level 5*
36 minutes ago, Historynerd said:

Since Evernote does not provide encryption, securing or protecting sensitive information is useless that way.

I make use of Evernote's text encryption feature,

and the native encryption in attachments;  pdfs, office documents, ...

Link to comment
  • 3 weeks later...
  • Level 5*
6 hours ago, Marty Avalos said:

Acct. hacked.   

I can access my account on my new Samsung S8, but on my PC, only 2 files show.

IP address showes different than mine.

 

Hi.  How do you know the account was hacked?  Where and how are you seeing the IP address??

Link to comment
  • Level 5*
6 hours ago, Marty Avalos said:

I can access my account on my new Samsung S8, but on my PC, only 2 files show.

The master version of our data is stored on the Evernote servers.

You can check your data using the web platform at www.evernote.com

Link to comment
  • Level 5

... and you can check for unknown devices there as well, under your account information.

- No unknown access, nobody hacked into the account.

Probably you use the new or the beta version of the web client, or another EN client. There are known issues when these do not show all existing notes. Solution: Downgrade to a stable version.

- Unknown device + IP, probable unknown access. Then somebody got your account credentials (not from EN !), and used them to enter your account.

Change your PW immediatedly (to a good one, not used on any other account), withdraw autorisation for  the unknown device, and enable 2-FA. This is possible for Basic accounts as well, but only with limited options for the generation of the second factor.

Link to comment

Thanks for the responses.  I think it may have been pilot error mostly.  However,  I'm not understanding why only 2 files show on my PC.  Sooo I started poking around and noticed that there's a choice for using the older version / layout.  I tried that, and bingo, all my files miraculasly appeared.  I'm not well versed on techy stuff.  

My IP address shows it's located in Montana, but my pysical location is CO.  I poked around and found that my server is based in MT, but on a map of where it is,  it's showing my location in CO.  That's where my confussion came in. 

Also, I don't know why the new version of Evernote only showes up on my S8 and not on my PC.

Anyway, thanks for your responses!

Link to comment
  • 1 year later...

Hello, I've used Evernote for years. I beleive my account may have been hacked as I'm missing a really important Evernote page that I use fairly regularly. It's just gone this morning like it never existed. It always came up right away with a search. What do I do and is there anyway to recover my data from this missing page?

If I suspect a hack what should I do to safe guard my information now? That page had some sensitive information on it.

 

Link to comment
  • Level 5*
5 hours ago, estein7 said:

Hello, I've used Evernote for years. I beleive my account may have been hacked as I'm missing a really important Evernote page that I use fairly regularly. It's just gone this morning like it never existed. It always came up right away with a search. What do I do and is there anyway to recover my data from this missing page?

If I suspect a hack what should I do to safe guard my information now? That page had some sensitive information on it.

Hi.  Where and hw exactly are you looking for this important information?  What makes you think that the account was hacked?  Do you use 2-factor log ins?

Link to comment
  • Level 5
6 hours ago, estein7 said:

If I suspect a hack what should I do to safe guard my information now? That page had some sensitive information on it.

Go to the web client. Log in, and check the login history in your account. You can see which device logged in recently, and from where. Since you are on basic, the number of devices is restricted anyhow (the web client never counts as a device). If there is a device in the list you do not know, maybe there was an attack. In this case, change your PW immediately (to a new one, a strong one and most important one that was never used on any other account you have - and no little changes, like switch a number only. A new, rock solid PW please ! ).

If there is no foreign device in the access list, the note may have been deleted by accident. Deleted notes go to the trash, and stay there indefinitely - unless you have emptied the trash, or selected this specific note and deleted it again. You can recover a note from the trash, if it is still there.

Link to comment

i received this tonight in my email:

This is not me and I followed the instructions below to better protect my account.  What I do not understand is was this hacker able to get into my evernote account? or is this an alert that says someone tried to but was not successful?

I do not know how to get this answer as the evernote help options seems worthless

 

thanks

 
Evernote
 

We noticed a new login to Evernote and wanted to make sure it was you.

When: September 16, 2020 06:21:17 PM MDT
Where: Moscow City, Russian Federation
IP Address: 188.246.181.50
Device/Browser: Android/other

If you recognize this activity, no further action is required.

If this was not you, we recommend the following steps:

1. Change your password:
https://www.evernote.com/secure/SecuritySettings.action

2. Review and revoke access for any devices that you don’t recognize:
https://www.evernote.com/Devices.action

3. To further improve the security of your account, set up two-step verification:
https://www.evernote.com/secure/SecuritySettings.action

Learn more about dealing with suspicious activity here:
https://help.evernote.com/hc/articles/115004395487

Find additional tips for keeping your account secure on our security page:
https://evernote.com/security/tips/

Why are you seeing this?
Here at Evernote, protecting your account is a priority. You may receive emails like this when you log in from a new device, app, or location.

 

Link to comment

have no idea how this works and never been on a board.  not even sure if you can help.  I received the email below from Evernote and need to know if this was a warning o if someone actually got into my account.  when I look at the access history this IP address does not show and everything looks normal.  I followed the steps below and set up the increased security.  If someone got into my account and copied all my files I am toast as everything have is in there.  

Question again, does this mean they got in or does it mean they tried and were not successful...please help.. thanks

 

 

 

i received this tonight in my email:

This is not me and I followed the instructions below to better protect my account.  What I do not understand is was this hacker able to get into my evernote account? or is this an alert that says someone tried to but was not successful?

I do not know how to get this answer as the evernote help options seems worthless

 

thanks

 
Evernote
 
We noticed a new login to Evernote and wanted to make sure it was you.

When: September 16, 2020 06:21:17 PM MDT
Where: Moscow City, Russian Federation
IP Address: 188.246.181.50
Device/Browser: Android/other

If you recognize this activity, no further action is required.

If this was not you, we recommend the following steps:

1. Change your password:
https://www.evernote.com/secure/SecuritySettings.action

2. Review and revoke access for any devices that you don’t recognize:
https://www.evernote.com/Devices.action

3. To further improve the security of your account, set up two-step verification:
https://www.evernote.com/secure/SecuritySettings.action

Learn more about dealing with suspicious activity here:
https://help.evernote.com/hc/articles/115004395487

Find additional tips for keeping your account secure on our security page:
https://evernote.com/security/tips/

Why are you seeing this?
Here at Evernote, protecting your account is a priority. You may receive emails like this when you log in from a new device, app, or location.
Link to comment
  • Level 5*
On 9/17/2020 at 6:55 AM, britreich@gmail.com said:

does this mean they got in or does it mean they tried and were not successful...please help.. thanks

Hi - the important thing is to follow the advice in this thread and Evernote's email. If you changed and hardened your passwords,  then no-one apart from you will have access to your notes in future. We've already said in this thread that it's impossible to know if there actually was any meaningful access - a automatic process may have been logging into accounts to find out which passwords actually work,  so may have just connected for less than a second.  But if you had any secret plans for World Domination in there,  I'd change the dates if I were you...

Link to comment
  • Level 5*
On 9/16/2020 at 10:55 PM, britreich@gmail.com said:

What I do not understand is was this hacker able to get into my evernote account?

It wasn't much of a hack   
To access your account, they knew your userid/password; probably retrieved from a less secure site

An important practice is to not use your Evernote password for other sites

Link to comment
  • 2 weeks later...

Today when I openned evernote I was told to upgrade to premium because I had too many devices. I took a look and I see a new accesss from a very distant location:

Evernote Web

  • 30/09/2020
203.189.141.186
(Mondulkiri, Cambodia)

I checked the devices and see an Android device and I revoked it inmmediately. I only use iOS or Mac and here comes my question. My account is linked with Google account and I don't see any access on google but mine. I quickly changed my Google's password so, How can someone access to my account without my Google account ?

I've tried to enable the two step authentication but I enter in a loop when I try to access to the security menu on the left asking to log with my google account

 

Link to comment
  • Level 5

If someone has the logon details for your Google account, and you used it for your EN account, you can answer this to yourself.

Maybe you were phished (means somebody send you an official looking mail asking to log into your account for security reasons). Maybe you use the same or easy to guess variations of login credentials for several accounts. Maybe on a device you used (could be a computer somewhere, and you just logged in once) malware like a keylogger recorded what you typed. Maybe ...

  • Frist thing is to change passwords on everything that might be compromised.
  • Second I would rethink this „login by Google/Facebook/whatever“ thing. It just means who gets one access hits the jackpot in your case. Better get yourself a password manager and generate good passwords for each account yourself. Get one, and make all of your accounts safe again. Open one after one, and change the PW. Most important are all email-accounts, because they are used to reset the others. Will be a busy weekend ...
  • Third after changing passwords revoke access of all unknown devices, and set up 2FA.
Link to comment

No, my google account has not been compromised, there are no accesses there. I suspect that first I created the evernote account with a password , this was about 2014 or 2015. In some manner then the account could be accessed with google without using the original pass. I think that this is the password that has been compromised. 

I've seen that under security resume (on Friday was not working) that the password has not been changed since the original creation. Now I have changed it and I have enabled the two-step factor.

I had some passwords there that I have changed and moved to a non-cloud storage like keepassx to avoid these problems in the future

 

 

  • Like 2
Link to comment
  • Level 5*
15 hours ago, rmacian said:

my google account has not been compromised

It can be instructive to check your email address(es) on one of the security websites that tracks public releases of data.  I mentioned one already - 

Quote

Another resource for you is https://haveibeenpwned.com/ . It's not an exhaustive list, but will tell you some of the public breaches that affected you.

 

Link to comment
On 10/3/2020 at 5:37 PM, rmacian said:

No, my google account has not been compromised, there are no accesses there. I suspect that first I created the evernote account with a password , this was about 2014 or 2015. In some manner then the account could be accessed with google without using the original pass. I think that this is the password that has been compromised. 

I'm sure you're right about this. Your posts prompted me to perform my own test. I previously had an Evernote-specific user ID and password, and some time ago switched to using Google Auth. I just tested my old username/password, and it does work to log me in to my Evernote account. So this is something to keep in mind for all of us - even when using Google auth our "old" passwords still work and we need to make sure we use a unique, complex password with two-factor auth activated in order to protect our accounts.

  • Thanks 2
Link to comment
  • Level 5

Thanks for following up on this - this is something we should not forget about, probably at other services as well.

I am pretty sure it is similar when using sign in with Facebook, or Apple. So either close the back door by removing this access, or change the password to something that will not be cracked.

Using a PW manager helps to generate strong and unique passwords for each service, and keep track.

  • Like 2
Link to comment
  • 1 month later...

I received the email that my account was accessed by someone else. I looked at the devices signed on and revoked access to ones I didn't know. When I searched my access history, I don't see the one listed from today. Why is that one not listed in the history?

I did activate 2 step verification and changed my password. 

Luckily I don't store my passwords but do have employee information stored. If they are using bots to search the notes, have you heard of searches for SSN?

Link to comment

Me too! I discovered from email notification an unauthorised access from IP address in Belarus. I login, revoked access for that device and then activated 2 step verification. That history was gone from access history and to my shock, I discovered numerous such access from 12 Sep ranging from locations like Shanghai, Thailand, Vietnam, India, Tanzania, Oman, Brazi, Russia, Brunei and Mexico! 

Those were all Evernote Web accesses and I have no idea what was their purpose to login to my account? All these were never notified to me except for the one emailed to notify yesterday (Belarus).

Please, someone tell what else can we do aside from the steps I have taken. Can I report them? Won't the culprits be punished in anyway? Can we do something to stop them? I have been trying to check how to contact Evernote Support but I kept being led to Help and Learning. Frustrating.

Link to comment

I received one email a few days ago, "we noticed a new login and wanted to make sure it was you". Sure enough, it was for a device I don't own, in another part of the US. Then I looked at my access history and was SHOCKED to see logins from all over the world in the last two months. Why did I not see emails when my account was accessed from IP addresses in all these countries? I've attached a screenshot of my Access History, with the legitimate IP addresses and device names redacted.

As other users mentioned above, the device I revoked (for the unauthorized login I was emailed about) no longer appears in Access History. Why is that? 

Evernote access.png

Link to comment

Yesterday night my account also got unauthorised access. Thanks to Evernote team for an email prompt.
Withing 3 minute of email prompt I revoke unauthorised device. But still 3 minutes are more than enough for getting info.
I have no idea if my notes got compromised by hacker or not.
My account contained personal sensitive information.
I change my password and deactivated my account after taking some important notes backup.

image.png.69950deaf6384fb646ab04e9856d6598.png
 

Link to comment

My Evernote account was compromised yesterday. There are 2 logins reported in audit history:

image.png.e5437271cb3e983bb4866a4b6ae8ba64.png

Can anyone from evernote team please take note of this and investigate how my account got compromised and how and what they can do to identify and find such offenders. What is the official process to report such incidents to evernote team?

I've already setup 2 step verification and changed password but the hackers can use the documents within my evernote and now I need to look at all I have in evernote and take appropriate corrective action. It is really frustrating :(  

Link to comment

Hey, the same things happened to me just now. I was using only iPhone. Suddenly, a notification about unrecognized device popped up on my email. When I checked the Evernote device, I found the android device had logged in from Thailand. I had revoked the device a few minutes after, changed my password immediately, and made two steps verification as mentioned above. It's a frustrating because my note contains personal and security things. Anything to know whether it was okay? 
Can the Evernote security team do something about this? It really gets me anxious and makes me think to use another app as more safer alternative.

Thanks heaps

cc: @Rich Tener
 

WhatsApp Image 2020-11-17 at 00.20.09.jpeg

Capture evernote.JPG

Link to comment
  • Level 5*
On 11/12/2020 at 9:55 PM, kmp8 said:

Why did I not see emails when my account was accessed from IP addresses in all these countries?

If someone accesses your account using your valid ID details,  Evernote has no idea whether this is actually you,  or someone who has obtained your log-in from elsewhere. Given the number of users who log in from multiple devices around the world I have no idea how they identify 'unusual activity',  and I doubt they'd be willing to explain that themselves to avoid giving hackers tips on how to do it more effectively.  They have provided easy access to the page you copied so that users can check for themselves,  and if and when then have reason to suspect a problem they will always let you know;  but most of the corrective action is in our own hands - changed passwords, 2 factor logins and occasional checks.

On 11/11/2020 at 3:46 PM, gazumped said:

 

Link to comment
  • 6 months later...

Hello, the account of my friend has been hacked without any notice they have logged in from Indonesia and stole all his codes to steal all his crypto! This is a lot of money he has worked for all his life. What to do! It is really sad.

Link to comment
  • Level 5*
18 hours ago, Meaer said:

Hello, the account of my friend has been hacked without any notice they have logged in from Indonesia and stole all his codes to steal all his crypto! This is a lot of money he has worked for all his life. What to do! It is really sad.

Hi.  Your friend should report this theft to the police.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...