
(Archived) Password Reset Discussion Thread



 

This is the first time that I can remember that they've had any sort of breach, although I'm not overwhelmed with joy at how I found out about it, I think you have to give them a chance and let them learn a little as they go along. Hopefully there won't ever be another breach (of course there will be), but if there is then our expectation of how they handle notifications will be justifiably higher.

 

Understandable to a point... but as someone with clients I strive to be transparent with them.  While I'm sure lots of folks at Evernote are scrambling to fix the hole, Evernote is large enough to spare someone for a few moments to email all its users and post the notice on the PW reset screen. 

 

This is a DNA/instinct kind of thing - a sincere desire to put oneself in the shoes of its clients.  I hope (and don't believe it was) the minimized user direct communication was not an attempt to ride under the radar on the breach.

 

I don't know about riding under radars, but a blog post, reaching out to tech blog sites, emails to 50 million users (I haven't gotten mine yet -- it may take some time to get everyone), and a post on this site seems pretty public to me! There are certainly some things that could have been done better (I have suggested some ideas myself), but overall, I think they are handling it well. They detected the breach, investigated, and took action within a relatively short time frame. 

 

"... emails to 50 million users..."?  Did they do that?  If so, I take back my concerns above.  I did not get one.

 

I don't understand the desire to be so apologetic for Evernote.  I too love Evernote and want it to be better.  This event was apparently discovered two days ago - it shouldn't take that long to email users.   BTW, the first tweet from EN I can find on this was two hours ago.

 

Posting to the forum is hardly going public when I'd be surprised if 5% of Evernote users have ever been to the Forum.  And I suspect Tech Crunch reached out to Evernote, not the other way around. 

I only got my email today, March 3. I had to find out about this like many others, by not being able to log in, and then reading about the breach from a tech article on my Twitter feed. Where was Evernote during this time?

I love the service and think Evernote does well, but this was a serious misstep. Not just the security breach, but not being the first to let its customers know about it. Face it, you guys blew it. I just hope you don't botch it again.


I only got my email today, March 3. I had to find out about this like many others, by not being able to log in, and then reading about the breach from a tech article on my Twitter feed. Where was Evernote during this time?

It took time to get 40-50 million emails out, apparently. Not sure why that is; I just got my email this morning too. But Evernote was there (they had tech support running over the weekend, which is not their usual practice).

From a former life at an ISP I seem to recall that to prevent spam a variety of protections were being built into mail servers,  including restrictions on the number of emails that can be sent at one time.  Too much activity gets servers closed down for fear they've been compromised - and possibly listed as a threat which is worse than being hacked!  I doubt anyone has a regular need to send out millions of emails in multiple languages,  and even if the possibility had been planned for I doubt it would be easy to get the necessary team together and the protocols in place within 48 hours.  Evernote have done fantastically well to get things together over the weekend.  Just be glad it wasn't Christmas too...


Hi jfnjr,

 

You need to go through the process on your other devices. But once you have a new password, it should just be a case of inputting it.

 

Have you gone onto the web and made sure you can log in that way? It might be worth changing your password on the web then trying again.

 

Best regards

 

Chris

Thank you. I changed the password to a very simple string and it worked. The first one was 12 characters long; it worked on the web but would not work on the iPhone or iPad. Might there be a length limit on the 2 devices?


I'm now starting to think that 2-step verification might be the way to go in the future. And I'm glad to hear that Evernote might be giving users that option. It just seems like having login credentials and something physical (like your cell phone) are much harder for a hacker to have all at the same time.

I tried to log into my Google account using a VPN last week and I received a text message within 1 minute saying that Google had observed suspicious activity on my account. I couldn't log in, but I was glad that they at least caught it because even though it was me, it could have been anybody. Evernote wouldn't let me access my notes when suspicious activity was detected, just like Google, so I wasn't put off by that. And seeing as how major companies like CBS and Apple have gotten hacked recently, I think that innovative ways to protect our information will be ever changing. I just wonder what is to become of the standard "security question" if people voluntarily provide the names of their schools, their anniversary date, and the names of their pets on Facebook? I was going to suggest implementing security questions on Evernote, but it might be a wash if people are heavy Facebook and social media users.


From a former life at an ISP I seem to recall that to prevent spam a variety of protections were being built into mail servers,  including restrictions on the number of emails that can be sent at one time.  Too much activity gets servers closed down for fear they've been compromised - and possibly listed as a threat which is worse than being hacked!  I doubt anyone has a regular need to send out millions of emails in multiple languages,  and even if the possibility had been planned for I doubt it would be easy to get the necessary team together and the protocols in place within 48 hours.  Evernote have done fantastically well to get things together over the weekend.  Just be glad it wasn't Christmas too...

 

Ummm.... businesses, marketing services, and political organizations do regularly send out "millions of emails".  And they do it on a moment's notice - such as when there is a pending vote on a bill and they solicit citizen action.  Evernote also regularly sends out its monthly newsletter to millions of recipients.

 

It would not be surprising if Evernote chose not to waste internal resources on bulk email capability - but that would lead to a relationship with services that do have on-request bulk emailing capacity.


Apparently the high level timeline went something like the following: (GMT -5:00 / Eastern US)
Thursday, 28-February: suspicious behavior uncovered.
Friday, 1-March: internal decisions & actions followed that night by posting of the alert on this forum and initiation of the bulk reset-your-password email.
Saturday, 2-March: Tech sites start getting wind of issue in morning, Evernote tweets it around noon.
Sunday, 3-March: Users continue to receive the Friday night initiated password reset email.

Edit (Monday, 4-March @ 3:45pm): Evernote tweeted about an hour after I originally wrote this post on Sunday: "Password reset emails were sent to all Evernote users. Please go to http://evernote.com  to reset your password."

Not sure when exactly the forced password reset was implemented, but it appears to have been sometime Friday night.

As with lots of other folks I discovered the issue when, inexplicably, I was forced to reset my password, followed by seeing a 3rd party Tech site tweet on Saturday morning.  Also like others I did not receive the Evernote bulk email on a timely basis - it finally arrived early Sunday morning.

While I'm confident Evernote acted quickly and in the best interests of users (Thank you for that Evernote!), clearly there are lessons to be learned to move up the professionally managed scale... at least from this loyal user's perspective: (a lot of this may have happened behind the scenes)

1. Anticipate this happening again and have a plan on the shelf, even if you are highly confident it will not repeat.
2. At the first sign of serious breach, lock down the environment until the issue is understood - even if it might interrupt service for a 'short' period.  (1-3 hour duration?)
3. Once it is clear something nefarious has occurred, share updates as things are learned on the forum and tweet the same info at the same time.
4. Establish on demand, higher capacity simultaneous bulk email capability.  (Seems like 24+ hours to reach all users from the time of initiation makes for unhappy customers.)
5. Make the go/no go decision to share info via email earlier in the process.

6. Specific to this event - once the forced password reset decision was made, immediately add text to that screen explaining why.  (This was a big and obvious miss that would have helped a lot of confused users who had not yet received the email.)

Please do not misunderstand - this was a nasty event but it appears Evernote hustled to do right by its users.  I love the Evernote functionality and will happily continue to recommend it to friends and colleagues.
 


After following the prompts for this password reset, all my offline notes which were not yet synced were completely gone from my notebook. Did anyone else experience this, and are the files recoverable?

 

Log into your account on the web and make sure you are using your correct account. Probably better to use your account name rather than email, just in case you have logged in on more than one email address?

 

Best regards

 

Chris


Password reset is also insecure.  We have to assume the passwords were compromised; if they got the passwords they probably got the salts too.  Therefore allowing us to log in with the compromised password and set a new password, without first verifying who we were by email, is totally insecure.  Yes, it sends a confirmation with an option to override the password reset, but that email expires in 2 hours, so if the real user doesn't happen to read their emails in that 2 hour window, that's it, account hijacked.


Help!

 

I can't reset my password because:

 

I can't log in to Evernote because neither of my browsers (Safari and Chrome on OSX) can find the server. This IS isolated to EN servers as I'm having no problems with any other sites.

 

Also, don't know if it's related, but my iPhone EN crashed on loading several times and the iPad version appears to be working - from what I can tell the activity log is saying it logged in okay and the sync wheel rolls. But I don't know how to reset the password from the iPad version. Does anybody?

 

Also, when I click on "My Profile" from this forum and use my regular password it says that password is incorrect. Should I assume this means my account has been hacked? If so, what should I do next?


Help!

 

I can't reset my password because:

 

I can't log in to Evernote because neither of my browsers (Safari and Chrome on OSX) can find the server. This IS isolated to EN servers as I'm having no problems with any other sites.

 

Also, don't know if it's related, but my iPhone EN crashed on loading several times and the iPad version appears to be working - from what I can tell the activity log is saying it logged in okay and the sync wheel rolls. But I don't know how to reset the password from the iPad version. Does anybody?

 

Also, when I click on "My Profile" from this forum and use my regular password it says that password is incorrect. Should I assume this means my account has been hacked? If so, what should I do next?

I'd try contacting support. It could be that our site is under heavy traffic. Password resets have to be done on the web.


I do not know if this was already mentioned. But did you guys think about two-factor passwords as an extra service?

 

As a premium user and network engineer, I'm more worried about the data gained by the attackers; the reset went successfully.


I do not know if this was already mentioned. But did you guys think about two-factor passwords as an extra service?

 

As a premium user and network engineer, I'm more worried about the data gained by the attackers; the reset went successfully.

 

Lots of discussions going on about this at the moment.

 

Best regards

 

Chris


Hi,

About the reset password process, I'm amazed that I can put in my last password.

I know that I must choose a new one, but the system must be able to control it.

It gives me food for thought.

Thanks.
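The two complaints above (a reset that can be completed by whoever holds the old, possibly stolen, password, and a reset that accepts the old password as the "new" one) describe the same missing checks. This is an added example, not Evernote's code: an in-memory model of a reset flow in which a forced reset disables the old password for login, the reset can only be completed with a single-use, expiring token sent to the mailbox on file, the new password is rejected if it verifies against the current hash, and all sessions are revoked on completion. The 2-hour token lifetime is borrowed from the thread; the account store, clock and outbox are constructed stand-ins.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, List, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000          # a real deployment tunes this upward
TOKEN_TTL_SECONDS = 2 * 60 * 60      # the 2-hour window mentioned in the thread (assumption)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the salt is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    """Constructed in-memory account record."""

    def __init__(self, email: str, password: str) -> None:
        self.email = email
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.must_reset = False              # set by the operator after a breach
        self.sessions: Set[str] = set()      # live session ids, all revoked on reset
        # The reset token is never stored in the clear: only its hash and expiry.
        self.reset_token_hash: Optional[bytes] = None
        self.reset_expires_at = 0.0

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)


class ResetService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.outbox: List[Tuple[str, str]] = []   # (email, token) stand-in for sent mail

    def force_reset(self, acct: Account) -> None:
        """Breach response: the old password stops working immediately."""
        acct.must_reset = True
        acct.sessions.clear()

    def login(self, acct: Account, password: str) -> Optional[str]:
        # Once a reset is forced, knowing the old (possibly stolen) password neither
        # logs you in nor lets you choose the new one.
        if acct.must_reset or not acct.check_password(password):
            return None
        sid = secrets.token_urlsafe(16)
        acct.sessions.add(sid)
        return sid

    def request_reset(self, acct: Account) -> None:
        """Step 1: mail a random single-use token; only the mailbox owner can finish."""
        token = secrets.token_urlsafe(32)
        acct.reset_token_hash = hashlib.sha256(token.encode("utf-8")).digest()
        acct.reset_expires_at = self.clock() + TOKEN_TTL_SECONDS
        self.outbox.append((acct.email, token))

    def complete_reset(self, acct: Account, token: str, new_password: str) -> str:
        """Step 2: check the token is present, unexpired and correct; refuse the old
        password; rotate salt and hash; burn the token; log every session out."""
        if acct.reset_token_hash is None or self.clock() > acct.reset_expires_at:
            return "token-invalid-or-expired"
        presented = hashlib.sha256(token.encode("utf-8")).digest()
        if not hmac.compare_digest(presented, acct.reset_token_hash):
            return "token-invalid-or-expired"
        if acct.check_password(new_password):
            return "same-as-old-password"
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.must_reset = False
        acct.reset_token_hash = None     # single use
        acct.sessions.clear()            # anyone holding an old session is logged out
        return "ok"
```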


I might as well chip in with a comment as a paid user of Evernote - there's no excuse for poor security at the server end. It's not like encryption or security is a new concept and no matter which way you look at this, Evernote dropped the ball and need to do a lot more than force a password reset! Evernote can play it down as much as they like, but if there was no risk of our data being compromised, why force a password reset?!

 

If this isn't dealt with effectively and soon I'm going to pull the plug on my account and find an alternative. If I pay for a service, isn't it reasonable to expect security?

 

The point is, if my bank and lots of other companies can implement effective security and something along the lines of a two stage process, why can't Evernote? It's not rocket science and plenty of comments have been made in the past about Evernote security concerns, so this isn't a new issue. No excuses.


Anyone on Android might want to check their status - my app shows me as still logged in but it's unable to sync. When I go to log out,  I get a warning that I have unsynced notes "that will be lost if I continue".  So I haven't. 

 

But how do I identify my unsynced notes so I can email them out of here?  I have a support enquiry running,  but if anyone has any suggestions...

 

I had the same issue on my Android phone. Slide open the Evernote settings panel (or whatever it's called) and select Notes. That opens all Notes sorted by most recent. I then opened the ones that hadn't synced (verified by doing a similar process in Evernote on my PC) and copied and pasted to an email on my phone to send to myself so I could paste into Evernote in the PC app.


Anyone on Android might want to check their status - my app shows me as still logged in but it's unable to sync. When I go to log out,  I get a warning that I have unsynced notes "that will be lost if I continue".  So I haven't. 

 

But how do I identify my unsynced notes so I can email them out of here?  I have a support enquiry running,  but if anyone has any suggestions...

 

I had the same issue on my Android phone. Slide open the Evernote settings panel (or whatever it's called) and select Notes. That opens all Notes sorted by most recent. I then opened the ones that hadn't synced (verified by doing a similar process in Evernote on my PC) and copied and pasted to an email on my phone to send to myself so I could paste into Evernote in the PC app.

 

Thanks - After a nervous hour or two I got the app update from Play which then immediately prompted me to change the password,  so I was able to reset my app and all is well again.  Now my only problem is trying to keep up with all the traffic in the forums talking about the last 48 hours!

 

;)


I tapped the Evernote app on my iPad this morning, it prompted me to log in (thought to myself... oh, this must be about that password reset email), used the forgot password link and logged in... ALL MY NOTES ARE GONE!!!!!

 

I don't have these notes backed up to my computer. The reason is because I don't seem to plug my ipad into my computer as much as my iphone. 

 

Can someone please confirm that after completing this password update, the only way I can obtain my notes back is if I had previously backed them up?? 

 

Ticket # 16051-257000


I tapped the Evernote app on my iPad this morning, it prompted me to log in (thought to myself... oh, this must be about that password reset email), used the forgot password link and logged in... ALL MY NOTES ARE GONE!!!!!

I don't have these notes backed up to my computer. The reason is because I don't seem to plug my ipad into my computer as much as my iphone.

Can someone please confirm that after completing this password update, the only way I can obtain my notes back is if I had previously backed them up??

Ticket # 16051-257000

Using a PC or Mac, log in to the web client at www.evernote.com

Assuming you see all your notes on the web, then they will reappear on the iPad. If you had any unsynced notes then you may be in trouble. Hope that helps....


I might as well chip in with a comment as a paid user of Evernote - there's no excuse for poor security at the server end. It's not like encryption or security is a new concept and no matter which way you look at this, Evernote dropped the ball and need to do a lot more than force a password reset! Evernote can play it down as much as they like, but if there was no risk of our data being compromised, why force a password reset?!

 

If this isn't dealt with effectively and soon I'm going to pull the plug on my account and find an alternative. If I pay for a service, isn't it reasonable to expect security?

 

The point is, if my bank and lots of other companies can implement effective security and something along the lines of a two stage process, why can't Evernote? It's not rocket science and plenty of comments have been made in the past about Evernote security concerns, so this isn't a new issue. No excuses.

 

Evernote has a team of experienced operations and security experts who are continuing to investigate the details of this attack. We believe this activity follows a similar pattern of the many high profile attacks on other internet-based companies that have taken place over the last several weeks.

 

We have not found any evidence of unauthorized access to user accounts, and we have no evidence that any personal data has been lost. Our operations and security team caught this at what we believe to be the beginning stages of a sophisticated attack.

Though Evernote passwords are stored in a secure, industry standard format (salted and hashed), we are requiring all Evernote users to change their account passwords before their next Evernote login.

 


@dlu thanks for keeping us updated, but it's a little worrying you aren't able to give a more specific idea of the level of encryption used to protect the passwords.

Also I note this interesting observation from Sophos about the email you sent to 50 million users....

http://nakedsecurity.sophos.com/2013/03/03/evernote-reset-password/

I wish you the best of luck at your end, but please think about how we can reassure our clients/friends that you are on top of the situation ....perhaps by enhancing security going forward with a 2fa option?


OK, anecdotally I might be seeing some negative activity as a result of the Evernote breach -- starting to get fake bounced email messages at my email address, the one I associated with Evernote.  Until now that email address has been very 'clean' (zero spam) in that I share it only with family and (carelessly) Evernote.  I have a separate email address that I'd normally use to register commercially.  My bad.

 

For those who do not know - a fake bounced email message looks like you sent an email that bounced, but that you never sent.  The spammer's hope is you'll click on links in the bounced message.

 

BTW, just Googled "security breach" and 4-5 hits on the first page were Evernote-related.


Evernote has a team of experienced operations and security experts who are continuing to investigate the details of this attack. We believe this activity follows a similar pattern of the many high profile attacks on other internet-based companies that have taken place over the last several weeks.

 

We have not found any evidence of unauthorized access to user accounts, and we have no evidence that any personal data has been lost. Our operations and security team caught this at what we believe to be the beginning stages of a sophisticated attack.

Though Evernote passwords are stored in a secure, industry standard format (salted and hashed), we are requiring all Evernote users to change their account passwords before their next Evernote login.

 

Thanks for your reply.

 

Please don't take my post as an attempt to troll or start a flame war, it isn't meant as such....I am however incredibly frustrated by all this and would like to respond to your post...

 

1. If this follows a pattern that's well established and already known about, it begs the obvious and most important question of all: Why weren't Evernote proactive in preventing this happening instead of waiting until the attack happened?

2. Why hasn't Evernote already implemented a two stage authentication process at the very least? A simple login, whether hashed or not is insufficient. If it were adequate, I wouldn't be posting angrily in this thread and Evernote users wouldn't be forced to reset their passwords.

3. It's not just about personal data though, is it? This raises the very simple question of whether I can trust your company with the security of my data, personal or otherwise. That I've been made to reset my password would suggest there is at least a risk or possibility that your systems were breached far enough to compromise something that should have been secure. That's a reaction to a problem and just not good enough. You should have seen this coming a mile away.

4. "Lack of evidence" doesn't mean a thing to me other than you don't know whether anything was compromised or not. That's actually more worrying than a flat denial of a breach.


Evernote has a team of experienced operations and security experts who are continuing to investigate the details of this attack. We believe this activity follows a similar pattern of the many high profile attacks on other internet-based companies that have taken place over the last several weeks.

 

We have not found any evidence of unauthorized access to user accounts, and we have no evidence that any personal data has been lost. Our operations and security team caught this at what we believe to be the beginning stages of a sophisticated attack.

Though Evernote passwords are stored in a secure, industry standard format (salted and hashed), we are requiring all Evernote users to change their account passwords before their next Evernote login.

 

If Evernote has such "a team of experienced operations and security experts" then why can I not use a complex multi-word passphrase?

 

Please take the "correct horse battery staple" lesson to heart already: http://xkcd.com/936/


Let this be a wake up call to Evernote... they need to prioritize data loss at the top of the stack, starting with complete encryption of all user data stored on their servers.

If EN encrypted all your notes on their server, they would not be able to do the indexing that is so helpful. You should search the board on security/encryption, as this has been discussed a lot already.

Not true.  Yet again.

If Evernote encrypted all the notes on their server, the only change would be... that all the notes would be encrypted.  They're still readable and index-able.  If you use encryption built into many databases, encrypting file systems, or hardware storage devices, then you don't even change anything in your code.  You just turn it on.

 

If you turn on whole drive encryption on your laptop, or put it on your iPhone/iPad which has whole device encryption on by default, it doesn't make the data any less readable to you.  Only to those who try to access the data by alternate means than the authenticated front door.

 

That aside, it may or may not be a factor in this weekend.  I'd guess not.

 

The problem here is that when the user names and passwords are hacked, the front door isn't secure either.  Storage Encryption is irrelevant at that point.

 

This weekend is one part infrastructure security and isn't an area we can know/discuss much about other than to make your own value judgement to stay or leave.

And it's one part an authentication methodology issue.

 

The "front door" model is fundamentally broken when you don't have the ability to say only User X can open the door to User X's data.

User Y should never be able to masquerade as User X.  Username/password, just like the physical keys to the lock on your home's front door, share the inability to enforce that.  They can both be copied and used simultaneously by different people.  They can be lost and used by those other than the owner.

 

That's fundamentally the goal (in absence of better solutions yet to arrive) of methods championed by services like Google.

  • transparency of IP's and devices recently accessing your account (such as the link at the bottom of Gmail).
  • Account login restrictions (I don't seem to ever be throttled or locked out of my Evernote account entering bad passwords), whereas Google has reduced fraudulent logins by 99.7%
  • 2 factor authentication aims to prevent anyone but you using a set of login credentials (even if they are weak poorly chosen ones).  Whereas the login credentials aim to prevent the 2nd factor from being found and used by anyone but the owner.

It would finally be nice to see Evernote's front door and remaining perimeter get some attention now that the air of invincibility is lost.


spacemonkey9: You can use a complex multi-word passphrase. Without giving too much away, mine was half a dozen words/numbers delimited by special characters. (Now it's something else...)

 

mehuge: You commented that because the attackers have the salts, the passwords are compromised anyhow. That's not really true. Salts are typically stored with passwords, because the point of the salt is to make it too inefficient to crack the passwords for it to be profitable. Even if I have the salt and your hashed/salted password, I then need to create a whole set of dictionary hashes based on that salt (probably more than once to figure out where in the string the salt's placed). Finally, if you have a reasonably secure password, I won't find it at all quickly in my hash table (if at all). Multiply that by 45 million users, and you're much better off going after some other service with poorer security.

 

Regarding emails: I've been involved with multiple companies that send millions of emails each day. The ISPs (Gmail, Hotmail, Yahoo, etc.) throttle the number of emails that can come in from any one sender. This is a spam prevention measure. As a result, any emailer sending millions of emails to a single email host simply has to be patient as the emails trickle through.

 

Now, for Evernote peeps: Was the attack vector through a compromised password, or is the password reset just in case someone has managed to crack the salted/hashed password list?
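The salt argument in the post above is easy to see in working code. This is an added example, not Evernote's code or the poster's: a constructed three-user database (two of whom chose the same password) stored with per-user random salts and, for contrast, with one shared salt, showing that per-user salts hide which users share a password and multiply the hashing work by the number of distinct salts. The password list, candidate count and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import List, Optional, Tuple

ITERATIONS = 50_000  # kept modest so the demo runs quickly; production tunes this higher

Record = Tuple[bytes, bytes]  # (salt, hash), stored side by side as the post describes


def derive(password: str, salt: bytes) -> bytes:
    """Slow salted hash (PBKDF2-HMAC-SHA256). The salt is not secret; the cost is the iterations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store(password: str, salt: Optional[bytes] = None) -> Record:
    """Fresh 16-byte random salt per record by default; pass a fixed salt to model a shared-salt scheme."""
    if salt is None:
        salt = os.urandom(16)
    return salt, derive(password, salt)


def verify(record: Record, password: str) -> bool:
    salt, expected = record
    return hmac.compare_digest(derive(password, salt), expected)


def duplicate_hash_count(records: List[Record]) -> int:
    """Number of stored hashes that are identical to another stored hash. With per-user salts this
    is 0 even when users share a password; with a shared salt equal passwords are visible at a glance."""
    counts = Counter(h for _, h in records)
    return sum(c for c in counts.values() if c > 1)


def evaluations_to_check(records: List[Record], candidates: List[str]) -> int:
    """derive() calls needed to compare every candidate against every record. A hash computed under
    one salt says nothing about a record with a different salt, so the work multiplies by distinct salts."""
    distinct_salts = {salt for salt, _ in records}
    return len(candidates) * len(distinct_salts)


def demo() -> Tuple[int, int, int, int]:
    """Constructed database: three users, two of whom picked the same password."""
    passwords = ["correct horse", "correct horse", "battery staple"]
    shared_salt = b"\x00" * 16                       # models "everyone has the same salt"
    salted = [store(p) for p in passwords]
    unsalted = [store(p, shared_salt) for p in passwords]
    candidates = [f"guess{i}" for i in range(1000)]  # constructed candidate list, size only matters
    return (
        duplicate_hash_count(salted),                # 0: same password, different hashes
        duplicate_hash_count(unsalted),              # 2: the two equal hashes stand out
        evaluations_to_check(salted, candidates),    # 3000: one pass per distinct salt
        evaluations_to_check(unsalted, candidates),  # 1000: one pass covers every user
    )


if __name__ == "__main__":
    print(demo())  # (0, 2, 3000, 1000)
```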


If evernote encrypted all the notes on their server, the only change would be... that all the notes would be encrypted.  They're still readable and index-able.

No, no they are not, if they are truly encrypted. It's clear you don't understand about encryption.  But don't take my word for it. This from the CTO of Evernote. 

 

http://discussion.evernote.com/topic/10431-is-anyone-worried-about-our-data-not-being-stored-encrypted/#entry48994

 

 

Yes, "can't search encrypted content" is an intentionally abbreviated reply. The longer version would be:

If a server has access to encrypted data, and access to the keys required to decrypt that data (for searching, display on the web, etc.), then anyone who successfully attacks that server has access to your data. If someone can gain control of that server, then the encryption has absolutely no value (other than making things slightly inconvenient). The attacker can make the server decrypt the data and read whatever she wants.

Meaningless encryption offers the illusion of security, which is frequently more dangerous than intentionally and transparently omitting encryption.

The only "meaningful" encryption would require that Evernote does not have a copy of the keys to decrypt the data at all. I.e. we just store a big blob of data that can only be decrypted by a client that has the keys. This would mean: no web interface, no "thin" mobile clients, no image processing/OCR, etc. If you lose/forget your personal encryption key/passphrase, then your data is basically unrecoverable (since Evernote doesn't keep a copy of the key).

This is actually what we do for the "encryption" feature within Evernote ... if you select some text in a note and encrypt it, that is encrypted with your passphrase, and Evernote does not have any secret "back door" to read your encrypted data. This is why you can't search for the contents of encrypted regions from the web ...

I.e. you're talking about an opaque file storage service, like one of the secure backup services. Not "Evernote." While these sorts of services have their place, that's not what Evernote's consumer service aims to be.


From a former life at an ISP I seem to recall that to prevent spam a variety of protections were being built into mail servers,  including restrictions on the number of emails that can be sent at one time.  Too much activity gets servers closed down for fear they've been compromised - and possibly listed as a threat which is worse than being hacked!  I doubt anyone has a regular need to send out millions of emails in multiple languages,  and even if the possibility had been planned for I doubt it would be easy to get the necessary team together and the protocols in place within 48 hours.  Evernote have done fantastically well to get things together over the weekend.  Just be glad it wasn't Christmas too...

It's not really that great a problem these days.  ISP's have moved on to other methods.

With companies like Linkedin and Facebook having many multiples of the 50 millions users that Evernote has, sending that much email to users on a daily basis, this is a known quantity.

 

In this case I don't know that Evernote deserves any kudos for the effort.  They outsourced the email to Silverpop.com apparently, given the 3rd party links in the email.  And counter to kudos, they got flak for - on the one hand saying in the email to never click on reset password requests in email, and then in the same email providing the link and instruction to reset your password.  Yet the link was to a 3rd party for tracking purposes.

That's common enough.  But it would have taken only an extra minute to create an evernote subdomain in their DNS to use in the links.  Most decent Mass Marketing services we've used allow you to use your own domain in link tracking redirects.  Again here, this would have preserved image and reputation credibility through the process.

 

Now that they've gone through the process it may be beneficial to take a tip from AT&T, who practice their worst case disasters every year in a different location.  Instead of just theory they actually deploy all the failover several times a year, and go live on it.  The kinks in password resets with network structure and clients can be ironed out in live tests, before it's needed.


Help!

 

I can't reset my password because:

 

I can't log in to Evernote because neither of my browsers (Safari and Chrome on OSX) can find the server. This IS isolated to EN servers as I'm having no problems with any other sites.

 

Also, don't know if it's related, but my iPhone EN crashed on loading several times and the iPad version appears to be working - from what I can tell the activity log is saying it logged in okay and the sync wheel rolls. But I don't know how to reset the password from the iPad version. Does anybody?

 

Also when click on "My Profile" from this forum and use my regular password it says that password is incorrect. Should I assume this means my account has been hacked? If so, what should I do next?

I'd try contacting support. It could be that our site is under heavy traffic. Password resets have to be done on the web.

Thanks, I didn't need to contact support. The login from my laptop worked fine. So that and the iPad EN are online. I haven't checked the iPhone yet which has the latest version. However, the iMac, which is my main computer, is able to start EN, but not sync or perform any other functions. I will check if there's a new version for OSX.

On a related note, this has shut down my ifttt.com Evernote channel which relies on my EN credentials. When I click on "Edit Channel" I get one of the following URLs, which also fails to load (same as my original problem):

https://www.evernote.com/OAuth.action?oauth_callback=http%3A%2F%2Fifttt.com%2Fchannels%2Fevernote%2Foauth_auth&oauth_token=ltibbets.13D37CCD178.687474703A2F2F69667474742E636F6D2F6368616E6E656C732F657665726E6F74652F6F617574685F61757468.377C49C7149B14616F9DFBF1D3280C73&format=microclip

Likewise for this one when I click on "evernote settings" on the ifttt.com Channels page:

https://www.evernote.com/PersonalSettings.action

If evernote encrypted all the notes on their server, the only change would be... that all the notes would be encrypted.  They're still readable and index-able.

No, no they are not, if they are truly encrypted. It's clear you don't understand about encryption.  But don't take my word for it. This from the CTO of Evernote. 

http://discussion.evernote.com/topic/10431-is-anyone-worried-about-our-data-not-being-stored-encrypted/#entry48994

Easy with that finger pointing at who doesn't understand encryption, you know what they say about the other three.  Plus you've responded to my other thread posts enough that, if you'll recall, that's demonstrably not the case.

In fact I'm comfortable with it enough to understand it's not a magical buzzword you can invoke to solve all problems or answer all forum requests.

It can be used at many different layers in many different ways for many different use cases.

The problem we have in the forums is a lack of defining and agreeing on terms and purposes before launching a new back and forth on old soapboxes.

If encryption is like a lock, then one doesn't say, if the lock is "truly" locked then no one can open it.  If so the lock usage is broken.  Locks are to control access, not prevent it altogether.  That's what you use walls for, not doors.  Just as with locks, encryption can be opened by anyone who has a key.  So if your goal is access by the client user, as well as the evernote servers and indexing services, you can still do that with encryption.  You merely have a key distribution issue to manage.  But whatever.  In all the methods I've suggested in other threads, the data has already been decrypted by the time it reaches Evernote's hard drives.  My posts have discussed local encryption more than remote encryption.

Of all the many beneficial ways encryption can be used (Evernote already uses 2 on the client side), the only one that effectively prevents search indexing on the Evernote server side is the one where Evernote does not have the decryption keys.

Some in forums want that taken further.  It's not my particular bailiwick.

I don't care if Evernote has and indexes my data so long as their physical security is up to par (there's demonstrably some reason to keep considering that this week).  Others have a different stance.

There are other uses, other benefits in other areas covered in other threads for encryption.

You can't with integrity reply to my answer with "the CTO says so" with one link addressing a specific user request. 

Can I ask, are you an IT manager?  Do you write software that uses encryption and other data handling safekeeping measures?  Do you support the safety of your organization's customers with good data and security handling?  Do you provide best practice solutions to an enterprise of users to keep them productive together with keeping their data safe?

That's my day job.

I indeed know it well enough.

And well enough to know that a partial CTO answer to a partial user need does not encompass the totality of the discussion.

Evernote is not infallible in their public discussions on where, why and how they use it.

Just start with the crippled strength of the in-note encryption they use, citing US export restrictions.  I've previously posted the regulations, and those haven't applied to companies like Evernote for years.

So it's almost pointless to use, and it doesn't apply easily to a whole note, particularly (not at all) to attachments, or to the local database as a whole.

But that's all beside the point. I'm not arguing for it in this thread, I'm responding to the other poster's call for it.

It may or may not have helped depending on the attack vector, but likely wouldn't in this case.

Hey Cyber Folks - I am desperate, looking for the solution to the "reset" issue in Penultimate.  I have only used the free app for one week; when the attack occurred on 28 Feb I reset my EverNote account password but Penultimate is stuck in a loop. I cannot reset that password. EverNote account is good to go, but Penultimate is locked and I cannot reset the password - any ideas are helpful since EverNote support team has not replied.  Please email a good idea to robjyost@gmail.com as well as post. Thanks.

Hey Cyber Folks - I am desperate, looking for the solution to the "reset" issue in Penultimate.  I have only used the free app for one week; when the attack occurred on 28 Feb I reset my EverNote account password but Penultimate is stuck in a loop. I cannot reset that password. EverNote account is good to go, but Penultimate is locked and I cannot reset the password - any ideas are helpful since EverNote support team has not replied.  Please email a good idea to robjyost@gmail.com as well as post. Thanks.

Support team is possibly your best bet. What happens when you do sync on Penultimate?

mehuge: You commented that because the attackers have the salts, the passwords are compromised anyhow. That's not really true. Salts are typically stored with passwords, because the point of the salt is to make it too inefficient to crack the passwords for it to be profitable. Even if I have the salt and your hashed/salted password, I then need to create a whole set of dictionary hashes based on that salt (probably more than once to figure out where in the string the salt's placed). Finally, if you have a reasonably secure password, I won't find it at all quickly in my hash table (if at all). Multiply that by 45 million users, and you're much better off going after some other service with poorer security.

Except perhaps if one uses MD5?

From Arstechnica:

"By comparison, the use of slow algorithms such as bcrypt, which Twitter uses to protect its passwords, adds considerable time and computing requirements to the task of converting the hashes into the underlying plaintext passwords. Even when hashes are generated using cryptographic salt to add randomness—as Evernote says it does—MD5 is still considered a poor choice.

"When you can do five billion [guesses] per second on one GPU, the salting doesn't make that much of a difference," Adam Caudill, a security consultant and software developer, told Ars. "You need something else, something like bcrypt, scrypt, or PBKDF2 to slow things down so you can't do 5 billion [guesses] per second."

In a blog post from 2011, Evernote engineer Dave Engberg seemed oblivious to this well-understood truism."

Ars continues:

"Caudill also criticized Evernote's use of the RC2 cipher to encrypt sensitive user data. RC2 fell out of favor in the late 1990s, after researchers devised a simple attack that makes it relatively easy to extract the key used to secure the underlying data.

As online services try to convince us to trust them with more and more of our sensitive data, they have a responsibility to employ state-of-the-art software and techniques to harden their systems to hacking and minimize the damage when compromises do happen."

On the plus side is the article's quote: "Evernote engineers are planning a "significant upgrade" to the optional client-side encryption protection for later this year."

But then 2 factor authentication and a todo/DO solution were on their way too, says they, last year.

Hey Cyber Folks - I am desperate, looking for the solution to the "reset" issue in Penultimate.  I have only used the free app for one week; when the attack occurred on 28 Feb I reset my EverNote account password but Penultimate is stuck in a loop. I cannot reset that password. EverNote account is good to go, but Penultimate is locked and I cannot reset the password - any ideas are helpful since EverNote support team has not replied.  Please email a good idea to robjyost@gmail.com as well as post. Thanks.

Have you considered doing an uninstall/reinstall of Penultimate?

The content will resync back.

Might be a quick check. I'm sure support will have their hands full.

I tapped the evernote app on my ipad this morning, it prompted me to log in, (thought to myself...Oh this must be about that password reset email), Use forgot password link and log in...ALL MY NOTES ARE GONE!!!!!

I don't have these notes backed up to my computer. The reason is because I don't seem to plug my ipad into my computer as much as my iphone.

Can someone please confirm that after completing this password update, the only way I can obtain my notes back is if I had previously backed them up??

Ticket # 16051-257000

In all likelihood you merely need to do the password change at Evernote.com first then re-login the ipad with the new password.

All content will sync back to the ipad.

The idea of Evernote is that the data is synced up to their servers in real time as you use it.

The only window for losing data is if you entered a lot while offline and didn't have a chance to sync before the reset.

In fact once you're done entering the data in Evernote it doesn't all stay there in normal course. Only the headers. Unless you chose to keep some notebooks for offline, your notes are fetched from the servers as you open them. So most of the time they're automatically backed up for you.

In regards to backing up your ipad...

If I might encourage you to try the tools apple has provided.

Turn on iCloud backup.

Your ipad is then wirelessly backed up once per day (more, manually if you need it). No PC required.

What a mess!

My email changed from the opening of this acct to this present time of "changing of the password".

Never had an option to update my profile.  Huge problem.

Files from the original account (hours of documentation) are GONE!

Does anyone know how to get in touch with these people?

mamaqueue

What a mess!

My email changed from the opening of this acct to this present time of "changing of the password".

Never had an option to update my profile.  Huge problem.

Files from the original account (hours of documentation) are GONE!

Does anyone know how to get in touch with these people?

mamaqueue

Another one bites the dust.

Tech people:  Can you hear us now?????

Did you just post twice in a row or was there something in between there that I'm missing?

So in general you should go contact customer support, they should be able to sort you out. You can file a ticket here: https://support.evernote.com/

However, I'm also not understanding your first post. I think you changed emails, but never updated the email address you have associated with your Evernote account? (Just for reference, you can always change this on the web by logging into evernote.com and going to Settings). I'm not sure what you mean by files from the original account are gone. Did you open a second Evernote account?

What a mess!

My email changed from the opening of this acct to this present time of "changing of the password".

Never had an option to update my profile.  Huge problem.

Files from the original account (hours of documentation) are GONE!

Does anyone know how to get in touch with these people?

mamaqueue

To be clear, there's no part of the password change process that uses your email as a verification step.  You should be fine even if you no longer have control of the email address you signed up with.

In a web browser, log into Evernote.com with either the "username" or the email address you originally signed up with.

Enter the password you were most recently using, then choose a new one when prompted.

Confirm that all your "documentation" is visible in the web view of Evernote ( https://www.evernote.com/Home.action )

Then re-try logging into your desktop and mobile evernote clients using the old email address and the new password.

If that doesn't present you with the expected content as it previously was, open a support ticket.

If it does and everything looks fine, then take the opportunity to update your email address to the correct one - here: https://www.evernote.com/PersonalSettings.action

The account summary page ( https://www.evernote.com/Settings.action ) shows you your account name which you can use with your new password, regardless of what your email address is.

But it's a good idea to keep the email up to date and correct so that Evernote can communicate with you.

From that point you can no longer log in with the old email address.

Log in with the "username" or the new email address, together with the newly selected password.

Seems to me that various accusations that Evernote "don't take security seriously enough" are missing the point that after what sounds like a sophisticated hacking attempt, nothing was compromised...

You can't say that, gazumped.  This started last Thursday.  There will be users who have yet to respond and make the needed changes.  Some other users may not have received the email as they've not kept their account up to date with changes to email.

Since there's no other verification needed other than knowing the old password, if the not hard to brute force salted MD5 hashes (relative to the current industry standards) are breached, many could have lost data even before the email was received and acted on.  Some unknown number may yet, and lose access to their account as well.

This doesn't make it look like Evernote is even trying much.

MD5?, RC2?, late to the party with 2factor?

http://arstechnica.com/security/2013/03/critics-substandard-crypto-needlessly-puts-evernote-accounts-at-risk/

But they're salted we say...

The effort is all in the details which we don't know, but here's an example of one PC chewing through 40,000 of the liberated user passwords in one of the Sony hacks, that have been salted and hashed with SHA-1.

http://gpuscience.com/cs/cracking-salted-sha1-password-hashes-on-gpu/

They were processed at a rate of 260 million hashes per second, such that in 45 minutes 23,000 of the passwords had been cracked.

Why is Evernote not worried about relying on MD5 hashing?

In their words: http://blog.evernote.com/tech/2011/05/17/architectural-digest/

"Since the hashed password is never exposed outside of our data center, we don’t think that the differences between MD5 and SHA-1 are relevant."

Oops, the hashed passwords are now exposed outside the data center.  Not that SHA-1 would have helped either as we see above.  But now the difference between MD5 and bcrypt or pbkdf2 becomes relevant.

Again from the EN CTO:

"Before Evernote, I spent five years building high-end cryptographic systems for government customers ... so I get to make use of my old crypto knowledge from time to time"

with emphasis on old perhaps.  MD5 is not a nist.gov FIPS compliant hashing method. Nor is RC2 encryption, or even its later replacement RC4.  Both have been cracked.  For context, RC2 was written for use in Lotus Notes in 1987 and designed to run fast on 286 CPUs.  MD5 came along in 1991 and the first flaws and guidance to move away from MD5 happened in 1996.

The point is though, with merely a username and password authentication system, there is no ability to tell a valid account access from a stolen credentials one.  And thus no ability to say "nothing was compromised" or lost.

I still maintain after decades in IT that most (average) users' data is at greater risk on their own PC than in the cloud, but there are good and bad ways to do cloud, and they are by no means all equal.

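The MD5-versus-bcrypt/PBKDF2 argument in the post above, and the earlier back-and-forth about salts being stored next to the hash, both come down to the cost of one guess. The following is an added example (mine, not Evernote's code or anything from this thread) that stores one constructed password both ways and measures that cost; PBKDF2-HMAC-SHA256 stands in for bcrypt/scrypt because it ships with Python, and the password, salt size and iteration count are assumptions.

```python
"""Added example, not Evernote's code: why per-user salts alone do not
rescue a fast hash, and what a slow KDF changes.

The same constructed password is stored two ways: salted MD5 (the scheme
criticised in this thread) and PBKDF2-HMAC-SHA256 with a high iteration
count. In both schemes the salt sits next to the hash, which is normal; the
salt only forces an attacker to work per user instead of from a precomputed
table. What actually limits a brute-force campaign is the cost of one guess.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def store_salted_md5(password: str) -> tuple[bytes, bytes]:
    """Salted but unstretched: one guess costs one MD5 of a few bytes."""
    salt = os.urandom(16)
    return salt, hashlib.md5(salt + password.encode()).digest()


def verify_salted_md5(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.md5(salt + password.encode()).digest()
    return hmac.compare_digest(candidate, stored)


def store_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> tuple[bytes, bytes]:
    """Salted and stretched: one guess costs `iterations` HMAC computations."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_pbkdf2(password: str, salt: bytes, stored: bytes,
                  iterations: int = PBKDF2_ITERATIONS) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def salts_defeat_precomputation(password: str) -> bool:
    """Storing the same password twice yields unrelated digests, so a table
    built for one user's salt says nothing about another user's hash."""
    _, first = store_salted_md5(password)
    _, second = store_salted_md5(password)
    return first != second


def checks_per_second(verify, password: str, salt: bytes, stored: bytes,
                      budget_s: float = 0.3) -> float:
    """Count how many verifications one CPU core completes in about `budget_s` seconds."""
    count = 0
    start = time.perf_counter()
    while time.perf_counter() - start < budget_s:
        verify(password, salt, stored)
        count += 1
    return count / (time.perf_counter() - start)


def slowdown_factor(password: str = "constructed-sample-pw", budget_s: float = 0.3) -> float:
    """How many times more expensive one guess against PBKDF2 is than one
    guess against salted MD5 on this machine. Dividing an attacker's guess
    rate by this factor is the whole point of a slow KDF."""
    md5_salt, md5_hash = store_salted_md5(password)
    kdf_salt, kdf_hash = store_pbkdf2(password)
    fast = checks_per_second(verify_salted_md5, password, md5_salt, md5_hash, budget_s)
    slow = checks_per_second(verify_pbkdf2, password, kdf_salt, kdf_hash, budget_s)
    return fast / slow


if __name__ == "__main__":
    print(f"one PBKDF2 guess costs ~{slowdown_factor():,.0f}x one salted-MD5 guess")
```

The printed factor is machine-dependent, but on any single core it runs into the tens of thousands, which is the gap the quoted "five billion per second" figure is about.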

...

This doesn't make it look like Evernote is even trying much.

MD5?, RC2?, late to the party with 2factor?

http://arstechnica.com/security/2013/03/critics-substandard-crypto-needlessly-puts-evernote-accounts-at-risk/

...

Oh man, ars technica linking to a blog post which makes me shiver: http://blog.evernote.com/tech/2011/05/17/architectural-digest/

...
UserStore: While the vast majority of all data is stored within the single-tier NoteStore shards, they all share a single master “UserStore” account database (also MySQL) with a small amount of information about each account, such as: username, MD5 password, and user shard ID. This database is small enough to fit in RAM, but we maintain high redundancy with the same combination of RAID mirroring, DRBD replication to a secondary, and nightly backups.
...

If I had to design something like this, I'd rather split the user store to different separated machines. That way, you'd be able to limit the damage to a subset of accounts. A single master guarantees that all accounts and md5 hashes were sucked off the DB.

Not to talk about the MD5 passwords. This is basics. I bet the passwords were ROT13'd before hashing.

SCNR. 

Cheers

Opened EN on my Mac, read the email, and reset my password for my Mac, iPhone, and iPad. But now my notes from 2/28/13 are gone!!! I have never had this happen before and I have used EN for well over a year!! I think users DID lose data. I just want my notes back!!!

Yes! Me too. I didn't get the email until AFTER I had already reset the password. So I was working away happily on 2 March (Australian EST), having reset the password via the iPhone app. Kept getting syncing errors but just assumed it would all sort itself out once I got back to my computer and the web version. However, as soon as I logged into the web version of Evernote, two days later, I lost all my iPhone notes. They were damn good PhD notes too. Annoying. Have been going backwards and forwards in emails with support now too and just keep getting standard responses that are not helping. I've lost those notes forever haven't I?

Opened EN on my Mac, read the email, and reset my password for my Mac, iPhone, and iPad. But now my notes from 2/28/13 are gone!!! I have never had this happen before and I have used EN for well over a year!! I think users DID lose data. I just want my notes back!!!

Yes! Me too. I didn't get the email until AFTER I had already reset the password. So I was working away happily on 2 March (Australian EST), having reset the password via the iPhone app. Kept getting syncing errors but just assumed it would all sort itself out once I got back to my computer and the web version. However, as soon as I logged into the web version of Evernote, two days later, I lost all my iPhone notes. They were damn good PhD notes too. Annoying. Have been going backwards and forwards in emails with support now too and just keep getting standard responses that are not helping. I've lost those notes forever haven't I?

Quite likely.

Unless you have iCloud backup enabled.  It might be worth restoring one of the automated daily backups.  Turn off WiFi and data before launching the evernote app.

At least then you could copy and paste out of evernote.

"Maybe" when back online you'd just get the sync error and could sync things back after entering the new password.

I can't test that easily.  But even now, post password change and with the updated iphone client, changing the password again on the website caused my two ipad/iphone evernote clients to reset on launch to the login screen, followed by a resync of notes.

However in your case you aren't changing the password again, just reverting your iphone settings back to a point in time with your full notes present and an old password.  There's a slim chance you could update without a reset, and sync the data up.

None of my 3rd party evernote apps were affected by the password change this time, as is the norm.  They retained their valid OAuth tokens.  These had to be all re-authorized when Evernote forced the password change as they must have felt that data was compromised as well, and they revoked all the application authorizations.

mehuge: You commented that because the attackers have the salts, the passwords are compromised anyhow. That's not really true. Salts are typically stored with passwords, because the point of the salt is to make it too inefficient to crack the passwords for it to be profitable. Even if I have the salt and your hashed/salted password, I then need to create a whole set of dictionary hashes based on that salt (probably more than once to figure out where in the string the salt's placed). Finally, if you have a reasonably secure password, I won't find it at all quickly in my hash table (if at all). Multiply that by 45 million users, and you're much better off going after some other service with poorer security.

People don't crack hashed passwords these days; they look them up in an already existing database returning the un-hashed data within seconds. Do that on a few salted passwords and it won't take long to figure out what the salt is and what the password is. 

A leaked hashed password and its salt IS a compromised password.

Allowing passwords to be changed without email verification IS stupid and insecure.

Passwords are hashed and salted, but not peppered. Amateurs!!!!!!!!!!!!

I'm not too worried, all my important stuff is encrypted prior to syncing with Evernote. 

MD5 does not matter much; random salted or not, most of the passwords (70-90%) were most likely discovered in the first 2 hrs (the easy ones anyway).

I might as well chip in with a comment as a paid user of Evernote - there's no excuse for poor security at the server end. It's not like encryption or security is a new concept and no matter which way you look at this, Evernote dropped the ball and need to do a lot more than force a password reset! Evernote can play it down as much as they like, but if there was no risk of our data being compromised, why force a password reset?!

If this isn't dealt with effectively and soon I'm going to pull the plug on my account and find an alternative. If I pay for a service, isn't it reasonable to expect security?

The point is, if my bank and lots of other companies can implement effective security and something along the lines of a two stage process, why can't Evernote? It's not rocket science and plenty of comments have been made in the past about Evernote security concerns, so this isn't a new issue. No excuses.

Evernote has a team of experienced operations and security experts who are continuing to investigate the details of this attack. We believe this activity follows a similar pattern of the many high profile attacks on other internet-based companies that have taken place over the last several weeks.

We have not found any evidence of unauthorized access to user accounts, and we have no evidence that any personal data has been lost. Our operations and security team caught this at what we believe to be the beginning stages of a sophisticated attack.

Though Evernote passwords are stored in a secure, industry standard format (salted and hashed), we are requiring all Evernote users to change their account passwords before their next Evernote login.

Like how they say "no evidence that any personal data has been lost", apart from users who have not synced up before the password reset without any notice. And unless you move from MD5 to scrypt, PBKDF2 or bcrypt (in that order, but only one of them), it will be broken stupidly fast. Your system is also allowing users to set the same password they had before; that should not happen as well.

mehuge: You commented that because the attackers have the salts, the passwords are compromised anyhow. That's not really true. Salts are typically stored with passwords, because the point of the salt is to make it too inefficient to crack the passwords for it to be profitable. Even if I have the salt and your hashed/salted password, I then need to create a whole set of dictionary hashes based on that salt (probably more than once to figure out where in the string the salt's placed). Finally, if you have a reasonably secure password, I won't find it at all quickly in my hash table (if at all). Multiply that by 45 million users, and you're much better off going after some other service with poorer security.

Except perhaps if one uses MD5?

From Arstechnica:

"By comparison, the use of slow algorithms such as bcrypt, which Twitter uses to protect its passwords, adds considerable time and computing requirements to the task of converting the hashes into the underlying plaintext passwords. Even when hashes are generated using cryptographic salt to add randomness—as Evernote says it does—MD5 is still considered a poor choice.

"When you can do five billion [guesses] per second on one GPU, the salting doesn't make that much of a difference," Adam Caudill, a security consultant and software developer, told Ars. "You need something else, something like bcrypt, scrypt, or PBKDF2 to slow things down so you can't do 5 billion [guesses] per second."

In a blog post from 2011, Evernote engineer Dave Engberg seemed oblivious to this well-understood truism."

Ars continues:

"Caudill also criticized Evernote's use of the RC2 cipher to encrypt sensitive user data. RC2 fell out of favor in the late 1990s, after researchers devised a simple attack that makes it relatively easy to extract the key used to secure the underlying data.

As online services try to convince us to trust them with more and more of our sensitive data, they have a responsibility to employ state-of-the-art software and techniques to harden their systems to hacking and minimize the damage when compromises do happen."

On the plus side is the article's quote: "Evernote engineers are planning a "significant upgrade" to the optional client-side encryption protection for later this year."

But then 2 factor authentication and a todo/DO solution were on their way too, says they, last year.

(hmm, think I mis-pressed the multi quote button)

mehuge: You commented that because the attackers have the salts, the passwords are compromised anyhow. That's not really true. Salts are typically stored with passwords, because the point of the salt is to make it too inefficient to crack the passwords for it to be profitable. Even if I have the salt and your hashed/salted password, I then need to create a whole set of dictionary hashes based on that salt (probably more than once to figure out where in the string the salt's placed). Finally, if you have a reasonably secure password, I won't find it at all quickly in my hash table (if at all). Multiply that by 45 million users, and you're much better off going after some other service with poorer security.

People don't crack hashed passwords these days; they look them up in an already existing database returning the un-hashed data within seconds. Do that on a few salted passwords and it won't take long to figure out what the salt is and what the password is. 

A leaked hashed password and its salt IS a compromised password.

Allowing passwords to be changed without email verification IS stupid and insecure.

You're thinking of how hashed password + large random salt does not = password right away, but it is still a compromised password (unless it's a dictionary word or a "qwerty" or "password1" type of one; then yes, it has been broken right away, so that will be about 70-90% of EN accounts that have already been broken right away, and it would probably take less than a week to do most of the others). Some sites do use a static salt; you can break nearly 90% of the passwords right away with rainbow tables.

The point of hashing the password is to give yourself enough time to notify your users and change their passwords; with enough time you can get a password from a hash. MD5 is a silly hash function to use as it's made to be fast.

Salts are normally stored with the hash; that is normal, as they can't use it to build rainbow tables and have to crack each password (not that it matters if they are using MD5; they may have just not used a random salt). I agree their change password is silly: if someone gets the EN password they can go right to that page and change your password, locking you out.

I did the app update on my iPad and reset my password on Mar. 2. Today the same update notice appeared again with the same reference to the blog - but the blog entry appears to be the same Mar 2 entry. Is there in fact another update requiring yet another password reset?

EN, thanks for tweeting a few minutes ago, the new password resetting process that requires email verification.

Hopefully folks have not used the same password for EN & Email or they'd still be exposed due to the breach.  But even in that case the new process would render bulk abuse impractical.

BTW, hopefully urgent and critical emails from EN will come from your domain (rather than xxx.MKTxxx.com) - one of the original PW reset emails got spam filter trapped.

"Please provide the username or email address that you used when you signed up for your Evernote account.

We will send you an email that will allow you to reset your password."

https://www.evernote.com/RForgotPassword.action

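The e-mail-verified reset process quoted above, written out as an added example (mine, not Evernote's code) to show what the earlier "know the old password" flow lacked: a random single-use token whose digest, not the token, is kept server side, an expiry, revocation of existing sessions and third-party app authorizations on success, and a refusal to reuse the current password. All account names, addresses, passwords and the TTL are constructed assumptions.

```python
"""Added example, not Evernote's code: a password reset that requires proof
of mailbox control, in contrast to the "know the old password" change
discussed earlier in this thread.

Properties shown: the reset token is random, only its SHA-256 digest is kept
server side (a copy of the pending-reset table cannot be replayed), it
expires, it is single use, a completed reset revokes existing sessions and
third-party app authorizations, and re-using the current password is refused.
All account names, addresses and passwords below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_TTL = 3600          # seconds a reset link stays valid (assumed value)
KDF_ITERATIONS = 100_000  # PBKDF2 work factor for the stored password


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def _hash_token(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


@dataclass
class Account:
    username: str
    email: str
    salt: bytes
    pw_hash: bytes
    sessions: set[str] = field(default_factory=set)
    oauth_tokens: set[str] = field(default_factory=set)


@dataclass
class PendingReset:
    token_hash: bytes
    expires_at: float


class ResetService:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, PendingReset] = {}
        self.outbox: list[tuple[str, str]] = []  # (address, token): stands in for sending mail

    def register(self, username: str, email: str, password: str) -> Account:
        salt = secrets.token_bytes(16)
        acct = Account(username, email, salt, _hash_password(password, salt))
        self.accounts[username] = acct
        return acct

    def request_reset(self, identifier: str, now: float) -> None:
        """Step 1: the caller supplies a username or e-mail; the token is sent
        only to the address on file. Unknown identifiers fall through silently
        so the endpoint does not reveal which accounts exist."""
        acct = next((a for a in self.accounts.values()
                     if identifier in (a.username, a.email)), None)
        if acct is None:
            return
        token = secrets.token_urlsafe(32)
        self.pending[acct.username] = PendingReset(_hash_token(token), now + TOKEN_TTL)
        self.outbox.append((acct.email, token))

    def complete_reset(self, username: str, token: str, new_password: str, now: float) -> bool:
        """Step 2: the token from the e-mail must match and be unexpired."""
        pending = self.pending.get(username)
        acct = self.accounts.get(username)
        if pending is None or acct is None:
            return False
        if now > pending.expires_at or not hmac.compare_digest(_hash_token(token), pending.token_hash):
            self.pending.pop(username, None)  # expired or wrong guess: burn it, user starts over
            return False
        if hmac.compare_digest(_hash_password(new_password, acct.salt), acct.pw_hash):
            return False  # same password as before; token stays valid so the user can pick another
        self.pending.pop(username)          # single use
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash_password(new_password, acct.salt)
        acct.sessions.clear()               # whoever held the old credential is logged out
        acct.oauth_tokens.clear()           # third-party apps must be re-authorized
        return True

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash)
```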

I did the app update on my iPad and reset my password on Mar. 2. Today the same update notice appeared again with the same reference to the blog - but the blog entry appears to be the same Mar 2 entry. Is there in fact another update requiring yet another password reset?

It looks like we're just over-communicating to you. If you reset already you are good to go. You should type in your new password and be good to go.

What annoys me is the mess with Android phones. Can someone confirm that to save anything created on my phone since, I will have to manually copy all text to an email, save all images individually, and save every audio file individually...

.

.

.

:mellow:

There's a better way right?

What annoys me is the mess with Android phones. Can someone confirm that to save anything created on my phone since, I will have to manually copy all text to an email, save all images individually, and play every single audio file individually.. before I get the option to save.. each one... individually... 

 

.

.

.

 

 

:mellow:

 

 

There's a better way right?

 

Whenever it comes to something like this, I recommend contacting support (see the link in my signature). This is a new situation for everyone, and your data is at stake, so it helps to have an expert on hand to offer advice.


Not saying you should do this before following GM's suggestion to contact support,  but for information there have been a couple of happy posts from individuals - and I've done it myself - who were stuck with active sessions and unsynced notes;  then upgraded to the latest Android client (which was issued for this purpose) and were prompted for the password reset.  Syncing resumed immediately with no known loss of data.

 

(You need to go to Evernote.com and follow the reset process there before upgrading your Android)

 

Mileage may vary with different handsets so I'd get advice before you risk essential data with this trick..

  • 2 weeks later...

I haven't had a chance to read all the posts on this thread but I just went into my Evernote account, the first time since I was asked to reset my password and.....all my notes are GONE.

I am HOPING that they can be retrieved. I am effing angry. I had a fair bit of important notes on there that are not stored anywhere else and, oooohhhhh boy Evernote, I had best be able to retrieve them somehow.

If not, then I will never use Evernote again. They asked us to reset our passwords but no warning that we may be losing our notes.

I haven't had a chance to read all the posts on this thread but I just went into my Evernote account, the first time since I was asked to reset my password and.....all my notes are GONE.

I am HOPING that they can be retrieved. I am effing angry. I had a fair bit of important notes on there that are not stored anywhere else and, oooohhhhh boy Evernote, I had best be able to retrieve them somehow.

If not, then I will never use Evernote again. They asked us to reset our passwords but no warning that we may be losing our notes.

Maybe you should spend time reading the posts before posting a knee jerk reaction. Like this one that is only ~ six up from your post

http://discussion.evernote.com/topic/35558-password-reset-discussion-thread/?p=194549

It surely doesn't make any sense to me that someone would post about a problem without first trying to see if there is a resolution.


I haven't had a chance to read all the posts on this thread but I just went into my Evernote account, the first time since I was asked to reset my password and.....all my notes are GONE.

I am HOPING that they can be retrieved. I am effing angry. I had a fair bit of important notes on there that are not stored anywhere else and, oooohhhhh boy Evernote, I had best be able to retrieve them somehow.

If not, then I will never use Evernote again. They asked us to reset our passwords but no warning that we may be losing our notes.

Maybe you should spend time reading the posts before posting a knee jerk reaction. Like this one that is only ~ six up from your post: http://discussion.evernote.com/topic/35558-password-reset-discussion-thread/?p=194549

It surely doesn't make any sense to me that someone would post about a problem without first trying to see if there is a resolution.

I have read that, actually, and it didn't help in my case. I logged in using the same email etc.

But thanks for your presumptuous and condescending answer.

Hope that made sense to you.


I have read that, actually, and it didn't help in my case. I logged in using the same email etc.

But thanks for your presumptuous and condescending answer.

Hope that made sense to you.

 

And did the part about contacting support make sense to you...???


 

I haven't had a chance to read all the posts on this thread but I just went into my Evernote account, the first time since I was asked to reset my password and.....all my notes are GONE.

I am HOPING that they can be retrieved. I am effing angry. I had a fair bit of important notes on there that are not stored anywhere else and, oooohhhhh boy Evernote, I had best be able to retrieve them somehow.

If not, then I will never use Evernote again. They asked us to reset our passwords but no warning that we may be losing our notes.

Maybe you should spend time reading the posts before posting a knee jerk reaction. Like this one that is only ~ six up from your post: http://discussion.evernote.com/topic/35558-password-reset-discussion-thread/?p=194549

It surely doesn't make any sense to me that someone would post about a problem without first trying to see if there is a resolution.

I have read that, actually, and it didn't help in my case. I logged in using the same email etc.

But thanks for your presumptuous and condescending answer.

Hope that made sense to you.

 

So do you mean literally all your notes? Also, what device are you using?

 

I haven't heard of a case where we lost all the notes in an account. All the cases like this (that I know of) have turned out to be a case of logging into a different account. I'd recommend trying all the steps here (which I think you've already read): http://discussion.evernote.com/topic/35574-notes-missing-after-password-reset/?p=192773

Burgers. Can you just stop? Really, are you always this condescending?

I contacted support last night, after I tried repeatedly to fix my problem, following the steps that I, yes, read on here BEFORE I posted my first comment.

So, to answer all your obnoxiously stated 'questions', I have done all the obvious things and I have yet to have my notes returned to my account.

Anything else you want to say to me or has someone else satisfied your need to snark on an Internet stranger today?


And Dlu, I am on iPad and desktop computer. I have already followed all the instructions, step by step, stated in the link above. No luck.

And, yes, all my notes are gone. Not a single one remains.

Thanks for replying.

 

 

It sounds like you'll need to keep working with support. I don't know how much more help I'll be able to give via forum posts (this is just not the right venue), but I'll give it a shot. Also, are you on a Mac or a PC?

 

If you're on the desktop, you should have all your notes on your local hard drive at least. I'd make a backup of those immediately. Maybe a few backups, just for fun. There are plenty of forum posts about this if you search for them. Please go see if you have anything stored locally or anything that hasn't been synced yet. Ideally both your devices would have your notes and they would be in sync with each other, but that's probably not the case here.

 

If you login to both devices and you see nothing, then I am extremely confused. Perhaps some more detail would be useful as to where you are seeing zero notes. I've been assuming it has been only one device or just on the web.

 

If you can find your notes on either of your devices, I would get the activity logs for one or both devices. Towards the top of the logs it should say the username or email address of the account. I'm really hoping that we can find that, and it'll be a username and/or email address you haven't tried yet.

 

Otherwise, I may need more detail about what you're seeing, what you've done, etc.

 

best of luck.


Burgers. Can you just stop? Really, are you always this condescending?

I contacted support last night, after I tried repeatedly to fix my problem, following the steps that I, yes, read on here BEFORE I posted my first comment.

So, to answer all your obnoxiously stated 'questions', I have done all the obvious things and I have yet to have my notes returned to my account.

Anything else you want to say to me or has someone else satisfied your need to snark on an Internet stranger today?

 

 

You came here for help.  You do not post anything about what you've done, just a gripe post & yet you are annoyed when others (including moi) are pointing you to the already posted replies and ask if you've tried these things already.  We are not mind readers, contrary to what you seem to think.

 

Additionally, if you had a recent backup of your data (always good computer advice), you would at least have a good starting point, if indeed, you did lose all your data. 

 

Good luck. 


I haven't had a chance to read all the posts on this thread but I just went into my Evernote account, the first time since I was asked to reset my password and.....all my notes are GONE.

I am HOPING that they can be retrieved. I am effing angry. I had a fair bit of important notes on there that are not stored anywhere else and, oooohhhhh boy Evernote, I had best be able to retrieve them somehow.

If not, then I will never use Evernote again. They asked us to reset our passwords but no warning that we may be losing our notes.

 

 

Burgers. Can you just stop? Really, are you always this condescending?

I contacted support last night, after I tried repeatedly to fix my problem, following the steps that I, yes, read on here BEFORE I posted my first comment.

So, to answer all your obnoxiously stated 'questions', I have done all the obvious things and I have yet to have my notes returned to my account.

Anything else you want to say to me or has someone else satisfied your need to snark on an Internet stranger today?

 

Actually, @ lotus road, perhaps you could relax a bit.  Nobody enjoyed this security event.  Your first post was angry and threatening, while admitting you had not first taken the minimal effort to read and learn from others' experiences.  And then you swore as well.


@lotus road - I just replied to your ticket with detailed steps of what we need you to do in order to pinpoint where the issue lies.  I included steps for all the major devices supported to determine if you have more than one Evernote account, as this has been the case from customers contacting support with loss of notes.


Burgers, I was frustrated last night. Admittedly. I had a lot of stuff on there regarding therapies for my daughter that I had on Evernote. I wasn't directing it at any specific individual, I was venting in general.

I have just recently uprooted my family and moved to a new country. The only device that came with us, technology-wise, is my daughters iPad. So, while backup is always sound advice and I DID do that regularly when I was living in Australia, I am starting all over again here in Canada and rely on the iPad and a recently acquired Windows desktop, which used to belong to my parents-in-law.

What I was annoyed at was the tone of your messages, which continued right up until your most recent message, where you calmed down the condescending tone a bit and stopped assuming.

BlueOak, I am relaxed. Actually, I'm about to meditate after I post here and get all Om with my naughty, swearing, has-the-odd-moment-of-frustration self (am I the only one who gets frustrated and vents when I lose important sh1te?!).

And if you would have another look at my first post, I refrained from properly swearing. I said 'effing', which felt damn good and somewhat satisfying at the time. The next time you do something like stub your toe or lose an important document, I wanna be a fly on the wall when you shout "Oh..... GOLLY-GOSH!"

Also, I said that I hadn't had a chance to read ALL of the posts. I had scanned some and had tried what had been suggested but, at that stage, I hadn't been able to read EVERYTHING.

Phil, thanks. I just saw it in my inbox. Will go through it and hopefully resolve this.


Evernote Security Criticized by Security experts

 

Article by arstechnica.com, Critics: Substandard crypto needlessly puts Evernote accounts at risk, makes two major points that many of us have been making here in these forums for a long time:

  1. "the service needlessly put sensitive user data at risk because it employed substandard cryptographic protections when storing passwords on servers and Android handsets."
  2. "As online services try to convince us to trust them with more and more of our sensitive data, they have a responsibility to employ state-of-the-art software and techniques to harden their systems to hacking and minimize the damage when compromises do happen"

In particular, I remember a point made repeatedly by Evernote management that Evernote is highly skilled in security, as their CTO Dave Engberg and others have a lot of pre-Evernote security experience, so we can rest assured that Evernote is providing a very high level of security.

 

The ArsTechnica article criticized Engberg in particular:

 

The chief complaint involves Evernote's use of the MD5 cryptographic algorithm to convert user passwords into one-way hashes before storing them in a database. Use of MD5 to store passwords has long been frowned on by security experts. . .

 

In a blog post from 2011, Evernote engineer Dave Engberg seemed oblivious to this well-understood truism.


"In the case of a purely back-end MD5 hash," he wrote in response to a reader challenging the MD5 choice, "any hypothetical attacker doesn’t have access to either the output (the MD5 hash) or the original input (the user’s password and our salt), so there really isn’t any productive attack based on MD5 vulnerabilities."


Of course, the attackers who gained access to Evernote servers did have the ability to read the MD5 hash, we now know.

 

Another point I remember made repeatedly by Evernote Evangelist BurgersNFries was that ALL of the security responsibility was ONLY on the user and that we should not be blaming Evernote for a lack of security.

 

Well it turns out that, like many of us, ArsTechnica puts the core security responsibility on the provider:

 

 As online services try to convince us to trust them with more and more of our sensitive data, they have a responsibility to employ state-of-the-art software and techniques to harden their systems to hacking

 

Finally, I hope that what an Evernote Spokeswoman stated in the article concerning two-factor authentication is true:

 

 "We were also planning on rolling out optional two-factor authentication to all of our users later this year and are accelerating those plans now."

 

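The quoted exchange turns on one claim: that an attacker "doesn't have access to either the output (the MD5 hash) or the original input (the user's password and our salt)". Once the table is read, both the hash and the salt are in the attacker's hands, and the question becomes how much each guess costs. The following is an added example, not Evernote's code and not a description of their schema, that runs the same offline dictionary attack against a salted MD5 and against a PBKDF2 hash. The passwords, salt and word list are constructed; the 200,000-iteration figure is an assumption to be tuned per deployment.

```python
"""Why a leaked salted-MD5 table is dangerous, and what a slow password hash changes.

Added example; not Evernote's code. Word list, password and salt are constructed.
"""
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # assumed; tune so one hash costs ~100 ms on your own servers


def md5_salted(password: str, salt: bytes) -> str:
    """The pre-breach scheme as the article describes it: MD5 over salt + password."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """A purpose-built password hash from the stdlib: each guess costs `iterations` HMAC-SHA256 calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify(password: str, salt: bytes, stored: str, hash_fn: Callable[[str, bytes], str]) -> bool:
    """Login-time check; constant-time compare so a wrong guess doesn't leak matching prefix length."""
    return hmac.compare_digest(hash_fn(password, salt), stored)


def crack(stored: str, salt: bytes, wordlist: List[str],
          hash_fn: Callable[[str, bytes], str]) -> Tuple[Optional[str], int]:
    """The offline attack someone runs after reading hash + salt out of the database.

    Returns (recovered password or None, number of candidates hashed).
    """
    tries = 0
    for candidate in wordlist:
        tries += 1
        if verify(candidate, salt, stored, hash_fn):
            return candidate, tries
    return None, tries


def demo() -> dict:
    # Constructed word list; a real attacker uses tens of millions of leaked passwords.
    wordlist = ["123456", "password", "qwerty", "letmein", "evernote2013", "dragon"]
    secret = "evernote2013"   # constructed user password, deliberately in the list
    salt = os.urandom(16)     # per-user random salt, stored next to the hash

    leaked_md5 = md5_salted(secret, salt)
    leaked_pbkdf2 = pbkdf2_hash(secret, salt)

    md5_hit, md5_guesses = crack(leaked_md5, salt, wordlist, md5_salted)
    pb_hit, pb_guesses = crack(leaked_pbkdf2, salt, wordlist, pbkdf2_hash)

    return {
        "md5_recovered": md5_hit,
        "pbkdf2_recovered": pb_hit,
        "guesses": md5_guesses,
        # Work the attacker paid, in primitive calls: one MD5 per guess versus
        # PBKDF2_ITERATIONS HMAC calls per guess for the same word list.
        "md5_primitive_calls": md5_guesses,
        "pbkdf2_primitive_calls": pb_guesses * PBKDF2_ITERATIONS,
        # The salt's job: the same password under a different salt hashes differently,
        # so one precomputed table cannot be reused across users.
        "same_password_different_salt": md5_salted(secret, os.urandom(16)) != leaked_md5,
    }


if __name__ == "__main__":
    print(demo())
```

Note what the slow hash does and does not buy: "evernote2013" is recovered either way because it is in the word list, but the attacker paid roughly 200,000 times more per guess, which is the difference between cracking most of a 50-million-row table in hours and cracking only the weakest entries in months. The salt, which Evernote did use, stops precomputation across users but does nothing about the per-guess cost of MD5.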

There is already a thread about this from a few days ago.

 

Yeah, but that thread didn't start out by taking aim at BNF, who would probably dispute the characterization of her representation. I don't recall very many threads in the last few years discussing how Evernote encrypts our passwords on its servers, after all.

 

The point she made is still valid, I think: if you have something private then don't upload it to any cloud service unless you have encrypted it beforehand. And, I think she'd also point out that local notebooks would protect you from having sensitive data exposed no matter what happens with your password, so users have two tools (encryption + local notebooks) to protect themselves.

 

The rest of the points have been covered in other threads. I don't see much point in starting a new one for each article on the web about Evernote security, so I'll merge this with the other thread. 

Link to comment

Another point I remember made repeatedly by Evernote Evangelist BurgersNFries was that ALL of the security responsibility was ONLY on the user and that we should not be blaming Evernote for a lack of security.

Jmichael/jmunderwood/etc, if you expect your criticism of anything I said to be taken seriously, then don't generalize what I've said. As it is, your generalization is (as usual) incorrect & I defy you to point out anywhere I said "we should not be blaming Evernote for a lack of security".

There is already a thread about this from a few days ago.

 

Yeah, but that thread didn't start out by taking aim at BNF, who would probably dispute the characterization of her representation. I don't recall very many threads in the last few years discussing how Evernote encrypts our passwords on its servers, after all.

 

The point she made is still valid, I think: if you have something private then don't upload it to any cloud service unless you have encrypted it beforehand. And, I think she'd also point out that local notebooks would protect you from having sensitive data exposed no matter what happens with your password, so users have two tools (encryption + local notebooks) to protect themselves.

 

The rest of the points have been covered in other threads. I don't see much point in starting a new one for each article on the web about Evernote security, so I'll merge this with the other thread. 

 

GM, I am very disappointed in you.  I didn't realize that you had turned so politically correct.  It is clear that you merged my new thread in with this one to bury it, to make it harder for new readers to find/see.  My thread was NOT about "password reset", which is the topic of this thread.

 

I did NOT start out by taking aim at BNF.  I am not going to waste my time to pull out all the quotes where BNF rudely put down other posters because they were asking for better security from Evernote.

 

Until now knowledge of the lack of proper Evernote security has been mostly limited to a few threads in this User Group.  Only a very small percentage of Evernote users ever visit these forums.

 

But now Evernote security issues are public knowledge, known to a lot of reviewers and security experts. 

 

Evernote has a choice.  They can either step up to the plate and turn this issue into an opportunity, or they can continue to deny what many of us have known for a long time. 

 

For the record, I am a long time premium account user and fan of the Evernote app/system.  If I didn't care about Evernote, I wouldn't waste my time posting.  I have neither the time nor the inclination to criticize Evernote just to make it look bad.  Just not my style.


There is already a thread about this from a few days ago.

 

I did a search and also clicked on the "security" tag to try to find all threads like the one I posted, before I posted it.  I did not find any.  But then the search is so bad in this forum that it is possible that I missed it.


I did NOT start out by taking aim at BNF. I am not going to waste my time to pull out all the quotes where BNF rudely put down other posters because they were asking for better security from Evernote.

 

JMichael/JMUnderwood, you are the one who put the statement out there... You love to make blanket statements/generalizations & then every single time you are called upon to prove what you say, you either ignore it or won't "waste" your time. So, to be blunt, either put up or shut up.  Also (as above), you try to deflect.  So let me repost what you originally said I said & are unwilling (actually unable) to prove... (emphasis mine).

 

Another point I remember made repeatedly by Evernote Evangelist BurgersNFries was that ALL of the security responsibility was ONLY on the user and that we should not be blaming Evernote for a lack of security.

Jmichael/jmunderwood/etc, if you expect your criticism of anything I said to be taken seriously, then don't generalize what I've said. As it is, your generalization is (as usual) incorrect & I defy you to point out anywhere I said "we should not be blaming Evernote for a lack of security".

 

So unless you can post links to where I actually said what you say I said, I'm going to accept your apology for being wrong.


There is already a thread about this from a few days ago.

 

I did a search and also clicked on the "security" tag to try to find all threads like the one I posted, before I posted it.  I did not find any.  But then the search is so bad in this forum that it is possible that I missed it.

 

Agreed, the search is beyond dreadful.


* Moderators are allowed to merge topics if their content is related, at their discretion. Personally, when I do it, it's for purposes of organization of the forum, and I know of no cases where it's been done to try to bury anyone's content, this one included (I've merged posts into this topic as well). If anyone has a problem with this policy, or its application, then the correct thing to do would either be to report it, or contact gbarry directly (who reviews reported content anyways), as he makes the rules, such as they are (they generally rely on moderator common sense).

 

* I think that it's fair to point out that although the Ars article did take on Evernote for using "substandard cryptographic protections", they (and the comments for the article) were also generally complimentary about Evernote's response to the breach (which is not excusing them for the former practice). The comments there were well worth reading, as have been many of the comments posted here in this thread.

 

* As a general principle of forum etiquette, it's a good idea to provide specific references (or at least be prepared to) when you choose to call out forum poster specifically for things that you claim that they've said. That just seems to make sense to me, anyways.


GM, I am very disappointed in you.  I didn't realize that you had turned so politically correct.  It is clear that you merged my new thread in with this one to bury it, to make it harder for new readers to find/see.  My thread was NOT about "password reset", which is the topic of this thread.

If I wanted to bury your thread, why did I reply to your post, thereby putting the thread back to the top of the list? I don't appreciate the insinuation you are making. If you think I am treating you unfairly, please email the staff and they will take appropriate measures, but I think you can look back through a couple years of posts and find that I am often supporting you / engaging with you in a friendly manner on all kinds of topics, even when we don't agree.

The aim of merging threads is to keep the forum organized around topics so that people discuss them with one another, and as you can see in this thread, there is a lot of discussion about exactly the topics you raised. In fact, I think the Ars Technica article even came up once or twice. Merging isn't a punishment. It is actually a way to focus more eyes on your post, as there are probably a lot of people gravitating towards this thread (that is why there are so many pages).

 

For the record, I am a long time premium account user and fan of the Evernote app/system.  If I didn't care about Evernote, I wouldn't waste my time posting.  I have neither the time nor the inclination to criticize Evernote just to make it look bad.  Just not my style.

It was not my intention to imply anything different. I appreciate your input, as always, and I am glad you participate in the forums. Please keep posting, but also be prepared to back up any claims about other forum members (evangelist or not) or Evernote. That's how we roll here :)

The aim of merging threads is to keep the forum organized around topics so that people discuss them with one another, and as you can see in this thread, there is a lot of discussion about exactly the topics you raised. In fact, I think the Ars Technica article even came up once or twice. Merging isn't a punishment. It is actually a way to focus more eyes on your post, as there are probably a lot of people gravitating towards this thread (that is why there are so many pages). It was not my intention to imply anything different. I appreciate your input, as always, and I am glad you participate in the forums. Please keep posting, but also be prepared to back up any claims about other forum members (evangelist or not) or Evernote. That's how we roll here :)

'Just a posting newbie here, but I read a lot without posting... there are some impressively detailed and knowledgeable folks on here. I've learned useful stuff from each of the ">1,000 post" veterans in this dialog today. (As well as from Gbarry)

I appreciate the merging philosophy - in fact I think I was once a "victim" of it. I'll admit I was initially a bit confused but understood once I saw what triggered it.

Like, I suspect, a lot of readers, my tendency is to come here when I've run into an issue and flag a string to follow. The forum search logic might not be ideal, but those emails telling a follower there's a new post work just fine. The point being, if this latest info had not been merged, I would not have seen it - because I would not have known to go looking for it!

Thank you all for the time you put into the forum.

[ I hope this post doesn't get merged somewhere else - 'hopefully it was on-sub-topic. ;-) ]


[ I hope this post doesn't get merged somewhere else - 'hopefully it was on-sub-topic. ;-) ]

Not strictly topical, but sorta meta-topical, and in context with the conversation, so your post shouldn't get moved anywhere else.

As a rule, the moderators tend to be pretty light-handed about this stuff, in my experience. I do move misplaced posts around and label them with specific device tags fairly often, but merge and split posts relatively rarely.

I don't know what to do.  Evernote reset my account before I could go in and change my email address.  I can access Evernote on my iPad (but of course, you can't change your email there).  I have no idea what my email was set to before --- I suspect it was an email that I killed long ago, as I've had Evernote a long while.  I had no idea it was wrong until I requested my password be sent to me via email and I got nothing back.

 

What can I do?  Is there a staff member who can access my account; I can confirm the contents of my evernote by looking in my ipad. 

 

I'm so frustrated this happened.


Hi James,

 

I don't believe you're required to have access to that email account to reset your password. (Someone correct me if I'm wrong.) You should be able to login with your old username/email address and old password. You may be prompted to answer a few questions to verify your identity, and then reset your password. Once you've reset your password, you can go change your email address.

 

If you have any issues with this, you can contact customer support and they'll walk you through all the steps and any other options we might have. Last I checked with them, everyone who had contacted us because they no longer had access to their email address got their problem solved.

 

cheers!


I came here to post a mini-rant about Evernote requiring a password change and lo and behold, a thread is already created.

Please don't force a PW reset unless something catastrophic happens. I don't keep any sensitive data here and it's annoying. If you can't find a way to prevent this, I'll find another service.


I came here to post a mini-rant about Evernote requiring a password change and lo and behold, a thread is already created.

Please don't force a PW reset unless something catastrophic happens. I don't keep any sensitive data here and it's annoying. If you can't find a way to prevent this, I'll find another service.

We believed it was necessary.


I came here to post a mini-rant about Evernote requiring a password change and lo and behold, a thread is already created.

Please don't force a PW reset unless something catastrophic happens. I don't keep any sensitive data here and it's annoying. If you can't find a way to prevent this, I'll find another service.

As dlu said, this was a situation where forced password change was the right thing to do.


I came here to post a mini-rant about Evernote requiring a password change and lo and behold, a thread is already created.

Please don't force a PW reset unless something catastrophic happens. I don't keep any sensitive data here and it's annoying. If you can't find a way to prevent this, I'll find another service.

 

Um, just because YOU don't store sensitive stuff in Evernote doesn't mean others don't. How much trouble was it really to change your password? The world isn't all about you.

 

Evernote you did a good job. Now just institute 2FA and we'll be good.

 

My god people can be dense.


I came here to post a mini-rant about Evernote requiring a password change and lo and behold, a thread is already created.

Please don't force a PW reset unless something catastrophic happens. I don't keep any sensitive data here and it's annoying. If you can't find a way to prevent this, I'll find another service.

Just exactly when is that moment when one realizes something catastrophic has happened??? And how do you instantly deploy that to 50+ million users??? They recognized there was something going on. Waiting to determine exactly what was going on before taking action would have been stupid. All the third party articles on this topic that I've seen stated Evernote did all the right things.

And I suspect you'd be one of the first to complain if EN did not take any action & your account got hacked.


I came here to post a mini-rant about Evernote requiring a password change and lo and behold, a thread is already created.

Please don't force a PW reset unless something catastrophic happens. I don't keep any sensitive data here and it's annoying. If you can't find a way to prevent this, I'll find another service.

'Not to pile on your comment, but I don't think we want Evernote peering into our stuff in an attempt to determine whether it is sensitive enough to justify a forced password reset.

The 'event' was not fun for anybody, but it was a good wake up call since I suspect a good chunk of users started out using Evernote casually and ended up with at least somewhat sensitive stuff in there. My passwords have definitely toughened up over the years. (I realize that wasn't the hack in this case.) If you don't have a difficult password on your gmail/yahoo/hotmail/outlook.com account it is just a matter of time before you get hacked.

Would it have been better if Evernote had toughened up security previously? Sure, but they've indicated they will be putting in two-factor-authentication... and I'll bet awake cloud-providers are paying attention and learning from this if they too needed a lesson.

  • 3 weeks later...

Interesting....I was locked out due to the universal reset.  When I requested a password reset I would get the email that would take me to the page to inform me I needed to reset my password.  I was stuck in an endless loop.  The recovery options were futile because I had a lot of pictures and dates and stuff I couldn't remember so asking to verify what was on my account to verify my identity was futile....I couldn't pass the verification.  

 

I was completely stuck and frustrated. I sent emails to their feedback site but heard no response... I figured I was just dumped and all my data was lost.  A lesson to be learned about "free" cloud storage.  I had no interest in starting a new account to use this service again.

 

I couldn't even log into these forums to post any questions to fellow users.  I tried different devices...different browsers, computers, android app, iPad app...nothing worked

 

Today on a whim I clicked the shortcut, requested a password reset, opened my email and clicked on the link (I had done all this twenty times before).

 

Today it was different, the link in my email actually took me to the password reset screen...I entered the new password and was in!

 

I am very certain I had done nothing different...all the old reset emails are still there in the same gmail thread.  I'm even connecting through the same IP address.

 

My point is that there is a major glitch in the password reset system they use and there must be thousands more like me who are locked out of their Evernote account and have written off their data as lost.  Unless they bother to create a new account they won't even be able to post their stories in here.


Hi - welcome to the forums, and sorry to hear about your problems. The glitch was recognised and fixed a little while ago, hence your ability to use the reset process now. The support team have always been available, though under a "little bit" of pressure when all this kicked off, and this is a user forum, so you're pretty much preaching to the choir here. The whole episode was one that would have been good to miss entirely, but on balance it went about as well as you might expect for a crisis. Evernote seem to be in the clean-up phase now, so we can look forward to more releases, including better security.


Catch 22...

We closed our company a couple of years ago and killed the domain and all associated email addresses.

As is always the case, you try to update all your online accounts to a newer, functioning address but miss the odd one. Well, my wife forgot to update her Evernote Premium account...

1) Following the recent breach you sent her a new password SHE CAN'T GET TO.

2) She can't reset it manually because it goes to an email address SHE CAN'T GET TO.

3) She can't open a ticket to get her old email address changed to her new one because she needs to log in using the new password SHE CAN'T GET TO.

4) She can't use these forums because you need to log in using the new password SHE CAN'T GET TO.

Now I understand your service lives or dies on the need for security, but the recent breach and reset has exposed this Catch 22 problem...

My question is: what do you intend to do about it?


I thought you could still open a CS ticket. I'll double check to make sure you get a response.


@dlu, you are correct: there is a "guest" link over on the right side of the open-a-ticket login screen.

Clicking on that "continue as a guest" link initiates a ticket without requiring you to log in.


Regarding the potentially confusing password reset process: I just attempted to get into an old account that had not been used in a couple of years.

The process can lock you into a loop of unhelpful Evernote web screens. Cookies seem to be the culprit, since the loop was released after I cleared the Evernote cookies.

Note that the email address associated with my old Evernote account is no longer valid, and I was not confident I had the correct old (pre-security-breach) password.

Basically, once you've failed to get into your old account and been sent to the password reset page, it claims to have sent you an email. Not useful in my case, since the old email address was dead. Instead, the message logically says to contact support.

However, there is no link to support on that failed-attempt page, and clicking on the "Evernote" logo at the top of the page did not take me to the Evernote home page where I could then go to support.

[Aside: Furthermore, there was no ability to log into another Evernote account, because even when you open a new tab to the Evernote site and click on the Web Login link, it puts you back into the password reset loop, assuming you still want to be in the previous account. I get that the page wants to remember who you are, but there should be a link to log out or log in as a different user.]

If my experience was typical, the password reset process can be frustrating if you do not have access to your old email address or password.

I've opened a support ticket to get access that way...


Hi there,

It's been nearly two months since this breach was discovered. Could anyone from Evernote give us an update as to where things stand with security improvements? How far off is 2-factor authentication?

Thank you.

Hi. I am not from Evernote, but the CEO (Phil Libin) is, and he says it is a few weeks away (in May).

http://www.pcworld.com/article/2035401/evernote-ceo-we-want-to-build-hardware.html


This topic is now archived and is closed to further replies.