Unauthorized Access identified in my account

[Bivil Jacob 0]

Hi, Its shocking that a new device got added to my evernote devices, an Iphone with an IP being shown up as from Ukraine. Its definitely not me, the access to my account was a breach. My password was confidential, and I don't understand how this breach happened. You have to act on this, I have seen many people reporting this similar security on evernote breach even before.

I have changed the passwords, added 2FA and revoked the hacker device.

I need an explanation of how this happened and a detailed logs of the activity during the unauthorized access. You cannot just blame on the possibility of a shared password or reused password. This is being repeated for multiple customers and you respond to them like its the customers fault. You should have the intelligence to identify hackers/customers based on the geo info, usage pattern etc. In these cases the geo itself can raise the question of a valid access. I didn't even get a notification email on this new ip, new devise, new geo from which the breach happened. Its pure negligence from your side

Am attaching the access history, Hoping for a log of what and how ASAP.

 

[kempster 8]

Hey Bevil... same thing happened to me. I see no evidence of a breach, but it's got me on edge.

Have you heard anymore? My alert also came from UKRAINE.

What's up with that??

Ken

[jadair 0]

Same thing just happened to me. Mine was from Indonesia. Doesn't appear to be any response on this issue?

Jeff

[Fung 11 0]

Same here and so many times already, wait for more then a year still no response from Evernote at all, seems they don't give a damn of our account security issue, I am moving all my data and cancel my subscription.

[darthmarko 0]

Same here. Its happening very often. Now i cant access using my devices because i cant unsync more that 2 devices per month. How do they want me to be premium if the site is not even secure. Please do something this is very dangerous and im considering leave the site.

[PinkElephant 8,117]

Guys, maybe there is something to learn about 3rd party access here:

The bad guys usually use VPN to change their geolocation. They may be in Ukraine or Indonesia, but they may as well be sitting in the basement down the street, connected to a server in one of these remote countries. Since many people use VPN services, this is no criteria to identify the black sheep.

If your account was accessed, you usually will have used the same or a similar password for several services. Not a good idea. First step to lock strangers out is to change your password NOW. Use a unique (not reused) and strong (long enough, difficult, symbols etc.) new password. If you do, and your account is compromised again, you may have a security issue on your computer allowing a hacker to copy every keystroke you make. In this case try using a mobile device.

Next step is to set up 2FA. How to is described in the EN help base.

Because usually EN will not be the only account with bad passwords, think about setting them all up anew, by using a password manager that helps you to to generate new passwords and keep track of them.

More is here:

https://help.evernote.com/hc/en-us/articles/115004395487-What-to-do-if-you-suspect-unauthorized-access-to-your-Evernote-account
 

Check if your login shows in one of the many security breaches of the past:

 

https://haveibeenpwned.com/

[Fung 11 0]

The point is I am already using 2FA login, I should receive a sms password on every login, but is it helps? No, they still keep login my account without any sms sending to me.

It is a very serious security problem but Evernote don't give a damn.

[PinkElephant 8,117]

Then contact support.

https://help.evernote.com/hc/en-us/requests/new
 

Choose „Account“ as ticket type - this should work for all users.

[Fung 11 0]

Hi there,

 

My name is Brittany, and I manage the support team here at Evernote. I wanted to let you know we received your support request, and you should be hearing from an agent soon. While we are reviewing the information you provided, I wanted to also share a few quick resources to help you in the meantime:

 

1. Ensure you are on the most up-to-date version of Evernote on your device [www.evernote.com/download].

2. Speak with other active users about Evernote on the Discussion Forums [discussion.evernote.com].

3. Search Evernote Help & Learning for feature updates and troubleshooting steps for any Evernote issues [help.evernote.com].

4. If you are experiencing an issue that is preventing you from using your Evernote application, you can still use Evernote on a desktop web browser at [evernote.com/login].

 

Should you still need some help from our support team, it is imperative to have your applications updated to the most recent version. In order to expedite support, please also reply to this email with an activity log from the device on which you are experiencing the issue. https://help.evernote.com/hc/articles/208314078

 

Thank you for your patience while we process your request.

 

 

See? That's the response.

[PinkElephant 8,117]

No, that is just a standard email send by a demon. It confirms they received your email, and will work on it when the office opens. You get a real response then, by one of the guys working support.

Support works US west coast office hours, more or less.

[Sepa 0]

Hello All

same here, I see two accesses from Brazil and Indonesia yesterday (I live in Italy and they are definitely not me). I am in the same situation of Bivil. I need to understand if this is a breach and if my data are shared somewhere.

I am not able to open a ticket here under "Account" since, once selected "Account", no text box or other place to write appears.

 

[PinkElephant 8,117]

Here in the forum we are other users. We can share general information, but we have no insight into a specific case. EN has a security team, that can be reached through support.

If you need to know, and need support to help you, you need to upgrade to the Personal plan. You can subscribe for a single month.

In general:

The geolocation of the access is just *****. Hackers use VPN services to show a bogus location - they could sit in the apartment next door to you, but show an access from Australia. It was not you, that is all you know. The same for the type of device - it often shows as an iPhone, but it more likely is a miniserver running a script to try millions of passwords on as many accounts. 

Check if it wasn’t you - from the access time for example. It can happen that your IP points to another place on the globe, but the access in fact was from yourself. The best indicator is the time stamp of the access, not the location.

Hope you first secured your account against further access, before starting to worry. Because most likely you reuse your access data (same or similar password for different services), you have to secure them ALL, not only EN. Better get yourself a password manager before you start. For the EN account, change your account password, and revoke access for all devices unknown to you.

If anything was taken, probably nobody knows. Which notes were accessed, the same. Maybe EN keeps some logs on it, see above. In former breaches search words that were used point to the search for data about cryptocurrency wallets stored in EN. If somebody is stupid enough to store data of that quality in EN, maybe he asked for it to happen. But of course somebody can see and copy all type of data once he has access.

[Sepa 0]

Thank you PinkElephant. Yes, I am sure it wasn't me since I was not using my phone or computer in that range of time.

I discovered it since EN was showing messages continuously about about my reached maxinmum number of devices, which is fur, but actually I'm using just two devices.

I know that hackers use VPN so they could be near me even if they appear to be in another part of the world, and I secured my account immediately.

However, IMO it is not so fair that, in order to receive help after a DATA BREACH we would need to pay to know something.

[Fung 11 0]

I am a paid user for 4 years, trust me, they don't give a fuxk.

I have this issue for 2 years, every month got one or two login by someone else,I email them few times, they just ask me to see their Q&A. 

The point is I am using two step login, still no use at all, they still don't understand how serious security problem they are in.

I will cancel subscription after finished this year service.

[PinkElephant 8,117]

What type of 2FA are you using ?

Messaging or authenticator app ?

[Fung 11 0]

MOBILE SMS

[PinkElephant 8,117]

You will receive the SMS when the access is tried - not when it succeeded. Without of the code an access is not possible.

So receiving a SMS just means that your userID is known, and your password may be compromised.

In this case change your password (use a strong and unique one), and check whether a foreign device is noted in the devices list. In this case revoke it.

You can check your userID on these pages. They will show if it was exposed in any of the multiple breaches of the past (not EN, but other services - the best known was maybe the loss of all Yahoo account login data).

https://sec.hpi.de/ilc/?lang=en

https://haveibeenpwned.com/

https://cybernews.com/personal-data-leak-check/

[Fung 11 0]

They can login to my account without sending me a SMS, so you should able to understand how serious security problem evernote team are in.

I am a programmer myself, so trust me I know how login works. I guess evernote has another way to login, that's why other ppl can login my account without sending me a SMS for confirmation, But you know what? I myself need SMS to confirm it is me when I am logging in,  so funny.

I know my computer very well and I checked my computer is as clean as a white paper.

Really hope they will check their code one day.

 

[PinkElephant 8,117]

Beside the usual login there is the access through the API.

This is use for scanners and the like. These accesses are showing in the access history as well.

For me that is it, end of user2user support. If you need further assistance, please ask support.