
(Archived) Password Reset Discussion Thread



I certainly hope they send an email to everyone's email of record. I was lucky and tried to sign in on the web client and discovered I had to do a password reset to log in.

 

From the blog post:

 

The following blog post is also being sent to all Evernote users as an email communication.

 

I assume that may take a little time though...

Link to comment

Beware - I had to resync all my off-line content on iPad and iPhone because of this. Support ticket #16051-248323.

Me too... 5GB worth - not at all happy about that - also not sure I haven't lost space on the iPad with the re-download... I'd appreciate some word on this from Evernote

Link to comment
  • Level 5

Well, Evernote can't say they weren't repeatedly warned.

There have been tons of previous comments about Evernote security requesting 2-factor authentication, full note encryption and many other security suggestions.

I'm sure most users are glad to hear that even though this type of activity is becoming more common with large services, Evernote is doing something to improve its security (by asking you to create a new password).
 

Hope it's not too difficult for everyone with multiple mobile devices and fat fingers to complete the process of getting back online by entering a new lengthy complex password several times.

According to the blog post mentioned above, there has been:

  • no evidence that your Evernote content was accessed
  • no evidence that any payment information was accessed
  • but the hackers did gain access to user information, usernames, email addresses and encrypted passwords.

However no worries man - your password was hashed and salted.

Make sure you have multiple Evernote backups as well.

 


 

Link to comment

I guess it's understandable, if rather annoying. But...

 

No e-mail, yet.

 

Why no announcement on the Evernote Status RSS feed?

 

Why no announcement on the Evernote Tech Blog RSS feed?

 

Martin

Link to comment

Why no announcement on the Evernote Status RSS feed?

Why no announcement on the Evernote Tech Blog RSS feed?

So the status is more for technical messages (outages/maintenance/etc.), but I guess a message could have gone there.

The Tech blog would (possibly) be slightly redundant and the normal blog, which is where the announcement is, would be better as there are more likely more followers to that than the tech blog.

At least, that is my take on it.

Scott

Link to comment

"Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset. Please click link below for details and instructions."

 

Every company gets hit with problems - how they handle those problems is what sets them apart.

 

Easy misses (EN did *not* do) by Evernote once they discovered the problem:

 

1) Immediate email broadcast to all users with the simple text above.

 

2) For those users who had not seen the email and were wondering why they were being forced to reset PW, insert the same simple text in the password reset screen rather than leaving them wondering "I did not click 'reset password' - why is Evernote stuck in this reset loop?"

 

Edit: I had to learn what happened via a Tech Crunch tweet:

http://techcrunch.com/2013/03/02/evernote-saw-first-signs-of-hacking-on-feb-28-emails-passwords-and-usernames-accessed-but-not-your-data-or-payment-details/

Link to comment

I really wish they explained on the password reset screen WHY Evernote is forcing you to reset a password.  I originally thought it was either a bug (since I didn't ask for a reset) or that I was experiencing some sort of man in the middle attack. 

Link to comment
  • Level 5*

This is the first time that I can remember that they've had any sort of breach, although I'm not overwhelmed with joy at how I found out about it, I think you have to give them a chance and let them learn a little as they go along. Hopefully there won't ever be another breach (of course there will be), but if there is then our expectation of how they handle notifications will be justifiably higher.

Link to comment

Like everyone else, it was only from reading one of the other discussions that I learned why Evernote needed to have everyone reset their passwords (security breach) - and that's completely understandable, and of course, the necessary response. However, there was no mention of the reason, no email or anything to indicate why this was taking place. Granted, it only took a few minutes to find out, but there are clearly still some issues - nearly constant crashing of the app, inability to sync, etc. - and no doubt the folks at Evernote are in a frenzy to get things under control, but some simple, clear communication would be most welcome. I also think it's essential to maintaining Evernote's well-deserved stellar reputation that their ability to communicate is on a par with the excellence of their product(s). We'll certainly give it some time to get sorted out, but please Evernote, take this to heart - it will serve the company well to keep the relationship strong with your users.

Link to comment
  • Level 5

Not being surprised or annoyed I'll just note this sort of thing is precisely why MY company won't let me keep sensitive data in public cloud services. Before we get anywhere near Evernote Enterprise - and they tell us this isn't something they're terribly interested in - this would have to get fixed to enterprises' satisfaction.

 

BTW what happens if an Evernote Business customer grows to become an Enterprise one? :-)

Link to comment

This is the first time that I can remember that they've had any sort of breach, although I'm not overwhelmed with joy at how I found out about it, I think you have to give them a chance and let them learn a little as they go along. Hopefully there won't ever be another breach (of course there will be), but if there is then our expectation of how they handle notifications will be justifiably higher.

 

Understandable to a point... but as someone with clients I strive to be transparent with them.  While I'm sure lots of folks at Evernote are scrambling to fix the hole, Evernote is large enough to spare someone for a few moments to email all its users and post the notice on the PW reset screen. 

 

This is a DNA/instinct kind of thing - a sincere desire to put oneself in the shoes of its clients.  I hope (and don't believe it was) the minimized user direct communication was not an attempt to ride under the radar on the breach.

Link to comment

I'm a premium user and I didn't get an email. Not happy about it, but the security breach is even more worrisome. 

I've been a Premium user for 2 days and I've not received any notification of any problems. Very unprofessional considering the numerous communications options available on the 'net!!

I'll reconsider my continued subscription over the weekend.

I'm hoping that someone will have the decency to tell us exactly what has been compromised.

Link to comment
  • Level 5*

As I understand it emails are being sent out but it takes time to send 45m+ of them.

 

I'm guessing they never intended to use the reset screen in this fashion.

 

The CEO coming out and talking to TechCrunch, the blog post and the emails certainly don't seem to indicate that they are trying to hide anything.

Link to comment
  • Level 5*

This is the first time that I can remember that they've had any sort of breach, although I'm not overwhelmed with joy at how I found out about it, I think you have to give them a chance and let them learn a little as they go along. Hopefully there won't ever be another breach (of course there will be), but if there is then our expectation of how they handle notifications will be justifiably higher.

 

Understandable to a point... but as someone with clients I strive to be transparent with them.  While I'm sure lots of folks at Evernote are scrambling to fix the hole, Evernote is large enough to spare someone for a few moments to email all its users and post the notice on the PW reset screen. 

 

This is a DNA/instinct kind of thing - a sincere desire to put oneself in the shoes of its clients.  I hope (and don't believe it was) the minimized user direct communication was not an attempt to ride under the radar on the breach.

 

I don't know about riding under radars, but a blog post, reaching out to tech blog sites, emails to 50 million users (I haven't gotten mine yet -- it may take some time to get everyone), and a post on this site seems pretty public to me! There are certainly some things that could have been done better (I have suggested some ideas myself), but overall, I think they are handling it well. They detected the breach, investigated, and took action within a relatively short time frame. 

Link to comment
  • Level 5*

Anyone on Android might want to check their status - my app shows me as still logged in but it's unable to sync. When I go to log out,  I get a warning that I have unsynced notes "that will be lost if I continue".  So I haven't. 

 

But how do I identify my unsynced notes so I can email them out of here?  I have a support enquiry running,  but if anyone has any suggestions...

Link to comment

So the first I hear about this is when I try to login and have to reset my password. Nothing about the reason on the reset screen at all, and then suddenly I read about it on BBC News.

No email? Nothing on the password reset screen?

 

Stay classy, Evernote...  :wacko:

Link to comment

 

This is the first time that I can remember that they've had any sort of breach, although I'm not overwhelmed with joy at how I found out about it, I think you have to give them a chance and let them learn a little as they go along. Hopefully there won't ever be another breach (of course there will be), but if there is then our expectation of how they handle notifications will be justifiably higher.

 

Understandable to a point... but as someone with clients I strive to be transparent with them.  While I'm sure lots of folks at Evernote are scrambling to fix the hole, Evernote is large enough to spare someone for a few moments to email all its users and post the notice on the PW reset screen. 

 

This is a DNA/instinct kind of thing - a sincere desire to put oneself in the shoes of its clients.  I hope (and don't believe it was) the minimized user direct communication was not an attempt to ride under the radar on the breach.

 

I don't know about riding under radars, but a blog post, reaching out to tech blog sites, emails to 50 million users (I haven't gotten mine yet -- it may take some time to get everyone), and a post on this site seems pretty public to me! There are certainly some things that could have been done better (I have suggested some ideas myself), but overall, I think they are handling it well. They detected the breach, investigated, and took action within a relatively short time frame. 

 

"... emails to 50 million users..."?  Did they do that?  If so, I take back my concerns above.  I did not get one.

 

I don't understand the desire to be so apologetic for Evernote.  I too love Evernote and want it to be better.  This event was apparently discovered two days ago - It shouldn't take that long to email users.   BTW, the first tweet from EN I can find on this was two hours ago.

 

Posting to the forum is hardly going public when I'd be surprised if 5% of Evernote users have ever been to the Forum.  And I suspect Tech Crunch reached out to Evernote, not the other way around. 

Link to comment

I'm not shocked about the PW reset--this seems par for the course these days, but Evernote botched this change by missing some easy but important details:

 

If there is a global password change required, put that in big bold letters at the top of every page on the ***MAIN SITE***. Not everyone follows you on Twitter! If you are trying to keep things from looking bad on your main sales site, that's silly.

 

Not only was there no message on the main site, but the forced change password page had no explanation. If I login to a site as normal and I just get a change password prompt, uninitiated, I start to think something is broken. At that point, the last thing I want to do is change my password.

 

Lastly, all the 3rd-party stuff should return a "password change required" message, not "invalid password".

 

Companies getting hacked seems to be the new reality. I suggest your engineering team build in a proper *global password change* feature so you aren't scrambling to hack something in when/if this happens again. ...something that does a better job of letting users know *what is happening*.

Link to comment

I must admit that I was pretty upset about the amateurish password reset action today.

 

I was on the road with my wife, taking notes and pictures with my android client. I was actually believing that it would sync properly. At home, I started the mac client and found the password reset thing, no other comment. Logging on on the website - same issue, password reset. What the hell! Of course I did it. Later, I checked back on Android and found all of today's notes being stored locally only - not synced.

 

What now? Logging out of the client will delete all non-synced notes. Re-syncing doesn't work either. Clear cache? No way. Change the password back to the original one? Didn't work either.

 

Honestly, I'm pretty pi**ed. That could've been done MUCH smarter guys!

 

Anyway, it's time for two factor authentication now. Yes, now.

 

Sidenote: I was in the process of convincing my department to use evernote. I'll have to rethink this step.

Link to comment
  • Level 5*

 

 

This is the first time that I can remember that they've had any sort of breach, although I'm not overwhelmed with joy at how I found out about it, I think you have to give them a chance and let them learn a little as they go along. Hopefully there won't ever be another breach (of course there will be), but if there is then our expectation of how they handle notifications will be justifiably higher.

 

Understandable to a point... but as someone with clients I strive to be transparent with them.  While I'm sure lots of folks at Evernote are scrambling to fix the hole, Evernote is large enough to spare someone for a few moments to email all its users and post the notice on the PW reset screen. 

 

This is a DNA/instinct kind of thing - a sincere desire to put oneself in the shoes of its clients.  I hope (and don't believe it was) the minimized user direct communication was not an attempt to ride under the radar on the breach.

 

I don't know about riding under radars, but a blog post, reaching out to tech blog sites, emails to 50 million users (I haven't gotten mine yet -- it may take some time to get everyone), and a post on this site seems pretty public to me! There are certainly some things that could have been done better (I have suggested some ideas myself), but overall, I think they are handling it well. They detected the breach, investigated, and took action within a relatively short time frame. 

 

"... emails to 50 million users..."?  Did they do that?  If so, I take back my concerns above.  I did not get one.

 

I don't understand the desire to be so apologetic for Evernote.  I too love Evernote and want it to be better.  This event was apparently discovered two days ago - It shouldn't take that long to email users. 

 

Posting to the forum is hardly going public when I'd be surprised if 5% of Evernote users have ever been to the Forum.  And I suspect Tech Crunch reached out to Evernote, not the other way around. 

 

I doubt tech crunch reached out to evernote. How would they know to do that Saturday morning? Evernote didn't go public about this until this morning, and the Tech Crunch site had an interview and everything with the CEO at roughly the same time. 

 

It's not about being apologetic for Evernote. It is saying that I think they are trying to be quite open and public about this. 

 

I don't know what to think about the Feb. 28 thing. What does it mean to detect unusual activity? When did they realize passwords had been stolen? There are all sorts of things I think would have to happen between noticing unusual activity and alerting 50 million users around the world. I have also not gotten an email yet, so I think email is probably not going to be a very useful medium for them to alert users. 

Link to comment

Anyone on Android might want to check their status - my app shows me as still logged in but it's unable to sync. When I go to log out,  I get a warning that I have unsynced notes "that will be lost if I continue".  So I haven't. 

 

But how do I identify my unsynced notes so I can email them out of here?  I have a support enquiry running,  but if anyone has any suggestions...

 

 

That's exactly what's happening to me. There's no way to mail them. Copy/Paste?

Link to comment

 

 

 

This is the first time that I can remember that they've had any sort of breach, although I'm not overwhelmed with joy at how I found out about it, I think you have to give them a chance and let them learn a little as they go along. Hopefully there won't ever be another breach (of course there will be), but if there is then our expectation of how they handle notifications will be justifiably higher.

 

Understandable to a point... but as someone with clients I strive to be transparent with them.  While I'm sure lots of folks at Evernote are scrambling to fix the hole, Evernote is large enough to spare someone for a few moments to email all its users and post the notice on the PW reset screen. 

 

This is a DNA/instinct kind of thing - a sincere desire to put oneself in the shoes of its clients.  I hope (and don't believe it was) the minimized user direct communication was not an attempt to ride under the radar on the breach.

 

I don't know about riding under radars, but a blog post, reaching out to tech blog sites, emails to 50 million users (I haven't gotten mine yet -- it may take some time to get everyone), and a post on this site seems pretty public to me! There are certainly some things that could have been done better (I have suggested some ideas myself), but overall, I think they are handling it well. They detected the breach, investigated, and took action within a relatively short time frame. 

 

"... emails to 50 million users..."?  Did they do that?  If so, I take back my concerns above.  I did not get one.

 

I don't understand the desire to be so apologetic for Evernote.  I too love Evernote and want it to be better.  This event was apparently discovered two days ago - It shouldn't take that long to email users. 

 

Posting to the forum is hardly going public when I'd be surprised if 5% of Evernote users have ever been to the Forum.  And I suspect Tech Crunch reached out to Evernote, not the other way around. 

 

I doubt tech crunch reached out to evernote. How would they know to do that Saturday morning? Evernote didn't go public about this until this morning, and the Tech Crunch site had an interview and everything with the CEO at roughly the same time. 

 

It's not about being apologetic for Evernote. It is saying that I think they are trying to be quite open and public about this. 

 

I don't know what to think about the Feb. 28 thing. What does it mean to detect unusual activity? When did they realize passwords had been stolen? There are all sorts of things I think would have to happen between noticing unusual activity and alerting 50 million users around the world. I have also not gotten an email yet, so I think email is probably not going to be a very useful medium for them to alert users. 

 

I love the app and believe they have good folks working there.  Hopefully they've learned something.  I'd much rather their time be spent fixing and polishing the apps before crossing over to the 'physical' world with pads of paper.

Link to comment

I'm just glad I noticed this on my desktop client first, and not on my Android phone. The Android app just says "sync failed," with no explanation. Of course, there's no explanation for the desktop client either, but if I'd noticed the problem first on the phone, I probably would have signed out, and presumably lost notes. This is crazy.

A freakin' email notification would have been appreciated!! Bad business, folks.

Link to comment

Any educators out there? I have approximately 500 students that will not be able to get into their Evernote accounts on Monday morning. Most students are accessing their account from an iPad as many of my classrooms are in a 1:1 or share a cart situation. I have sent an email to all of my teachers, but resetting passwords in the computer lab was probably not in their plans for Monday and/or they would feel more comfortable to have me guide their students through the process. I only see each of my classes once a week which means some classes will not do the reset until Friday. If there is a breach, couldn't someone else reset their password before the students get a chance to reset it?

 

Would love some ideas besides me spending my Saturday resetting 500 student passwords...

Link to comment

Any educators out there? I have approximately 500 students that will not be able to get into their Evernote accounts on Monday morning. Most students are accessing their account from an iPad as many of my classrooms are in a 1:1 or share a cart situation. I have sent an email to all of my teachers, but resetting passwords in the computer lab was probably not in their plans for Monday and/or they would feel more comfortable to have me guide their students through the process. I only see each of my classes once a week which means some classes will not do the reset until Friday. If there is a breach, couldn't someone else reset their password before the students get a chance to reset it?

 

Would love some ideas besides me spending my Saturday resetting 500 student passwords...

 

Consider making this a lesson in the online world - you might be surprised at how aware your students already are of these risks.  The students should be responsible for their own passwords - if not, then perhaps they're too young for authenticated apps like Evernote. 

 

No way around it - breaches happen.  And password resets are the logical solution.

Link to comment

Got an email today asking me to change my password. Did so.

 

Now I can't log in on my iPad with the new password.

 

"Error : Too many failures, please try again later"

 

What the heck ?

Got no problems signing in online or on my iPhone.

Link to comment
  • Level 5

This is the first time that I can remember that they've had any sort of breach, although I'm not overwhelmed with joy at how I found out about it, I think you have to give them a chance and let them learn a little as they go along. Hopefully there won't ever be another breach (of course there will be), but if there is then our expectation of how they handle notifications will be justifiably higher.

They recently had the forums breached if I recall.  But regardless the news cycle is littered with plenty of illuminating examples to learn from.  As they say, Learn from the mistakes of others, as you won't live long enough to make them all yourself.

Link to comment

After changing my Pw I wanted to check which Apps are currently connected with my Account but I can't find the Settings option to check this?!

 

When I use https://www.evernote.com/AuthorizedServices.action I am redirected to the General Settings.

 

Did the URL / Link change?

 

You raise an interesting security issue related to breaches - visibility into when and on what device the last login/synch happened.

 

Facebook has implemented login device recognition.

 

Security improvement at the account level: a log of devices, location when available, and synch times.  We might then have a hint that someone in Siberia had accessed our account.  I am far more concerned about data safety in EN than for the fluff in FB.

Link to comment

I got the password reset notice and I see a link to it on evernote's homepage.

 

What I want to know is why the reset link and support URLs are NOT on the evernote domain?  This is a sign of a classic phishing attack and anyone who knows anything about security would not follow a link like this in their email.

 

Since they have posted a note about it on their homepage, I'm very disappointed that they would choose to send out an email like this... People who should change it, may not because of such a simple mistake in security.

 

 http://links.evernote.mkt5371.com <<< -- mkt5271 domain NOT evernote.com

 

 

Link to comment
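The post above flags the problem every user faced with that email: the reset link pointed at a host under mkt5371.com, not evernote.com, which is exactly what a phishing message looks like. The check that a mail client, a security awareness tool, or a user doing it by hand performs is to compare each link's hostname against the registrable domain the sender is supposed to own. The following is an added example, not code from the thread or from Evernote; the email body is constructed (the mkt5371.com host is the one quoted in the post, the URL paths are invented for illustration), and the trusted-domain list is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed sample email body. The links.evernote.mkt5371.com host is the one
# the forum post complains about; the paths are invented for this example. The
# third link is a look-alike: "evernote.com" appears inside a hostname that is
# actually registered under example.net.
SAMPLE_EMAIL = """\
Reset your password here: http://links.evernote.mkt5371.com/reset
Manage connected apps: https://www.evernote.com/AuthorizedServices.action
Need help? https://evernote.com.example.net/support
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def host_belongs_to(host: str, domain: str) -> bool:
    """True only if host IS domain or is a subdomain of it.

    A plain substring test would accept both 'evernote.com.example.net' and
    'links.evernote.mkt5371.com'; anchoring on the label boundary rejects them.
    """
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def classify_links(text: str, trusted_domains=("evernote.com",)):
    """Return (url, hostname, trusted) for every http(s) URL in the text."""
    results = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        trusted = any(host_belongs_to(host, d) for d in trusted_domains)
        results.append((url, host, trusted))
    return results


def suspicious_links(text: str, trusted_domains=("evernote.com",)):
    """URLs whose hostname is not under any of the sender's trusted domains."""
    return [url for url, _host, ok in classify_links(text, trusted_domains) if not ok]


if __name__ == "__main__":
    for url, host, ok in classify_links(SAMPLE_EMAIL):
        print(f"{'ok      ' if ok else 'SUSPECT '} {host:40} {url}")
```

Run against the sample, the evernote.com link passes and the other two are reported. The same function also explains why the mkt5371.com link is hard to vouch for even when it is legitimate: from the recipient's side, a third-party mailing domain is indistinguishable from a phishing domain, which is the reason senders of breach notices are better off linking only to hosts under their own domain.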

After changing my Pw I wanted to check which Apps are currently connected with my Account but I can't find the Settings option to check this?!

 

When I use https://www.evernote.com/AuthorizedServices.action I am redirected to the General Settings.

 

Did the URL / Link change?

I believe that if that page doesn't exist for you, then all authorised applications that would be listed there have been de-authorised. It only shows when there is an app that you have allowed access.

For example, I know that I was connected to one app, and it was not listed in the settings. I went to the website, and it asked me to re-authorise it again.

So, it looks like the password reset also reset the authorisations for external apps as well.

Scott

Link to comment

A more timely response would have been ideal, but apparently Evernote did initiate the email broadcasts to users sometime "last night" (it is currently 2:40pm Eastern US time /UTC -5:00, 2-March-2013).  However, I have not yet received it.

 

That ideally would have triggered a corresponding tweet at the same time as well as notice on the Password Reset screen to minimize confusion.

 

Excellent communication is important but locking out the passwords immediately upon discovery of the breach was even more critical.

 

A learning opportunity for Evernote.  I'm not going anywhere - 'still one of my favorite apps and one I recommend to friends and colleagues.

 

Link to comment
  • Level 5

I can't save anything from Reeder for iPad to my reset EN. No problem with the iPhone version but on the iPad my login details keep getting rejected. I tried everything, including reinstalling the app. No joy.

Same.  Also can't reconfigure IFTTT workflows.

 

[fixed] logging out and back in plus re-authorizing 25 mobile apps and services to Evernote.

Link to comment

Why not use 2-step auth as provided by Google?

 

There are a number of threads suggesting that. I really hope that EN will put improving security (i.e. implementing 2-step sync) as a high priority on their to do list...

Link to comment

Any educators out there? I have approximately 500 students that will not be able to get into their Evernote accounts on Monday morning. Most students are accessing their account from an iPad as many of my classrooms are in a 1:1 or share a cart situation. I have sent an email to all of my teachers, but resetting passwords in the computer lab was probably not in their plans for Monday and/or they would feel more comfortable to have me guide their students through the process. I only see each of my classes once a week which means some classes will not do the reset until Friday. If there is a breach, couldn't someone else reset their password before the students get a chance to reset it?

 

Would love some ideas besides me spending my Saturday resetting 500 student passwords...

 

Consider making this a lesson in the online world - you might be surprised at how aware your students already are of these risks.  The students should be responsible for their own passwords - if not, then perhaps they're too young for authenticated apps like Evernote. 

 

No way around it - breaches happen.  And password resets are the logical solution.

I think that you misunderstood my question. The password needs to be changed on a computer before the account can be accessed on a device, specifically an iPad. Most of my classrooms are accessing their Evernote accounts on iPads. Teachers have certain curriculum that needs to be covered each day and have little time to spend taking their class to the lab in order to change passwords. Therefore, they may have to wait or want to wait for the next time I am available to their class, for some as late as next Friday.

There is no risk to my students, all that will be found in my students' accounts are school work and fluency recordings... not of much interest to a hacker. What is more concerning is that student work may not be recovered if someone resets their password before the students do.

What I am mostly saying is... If there is a breach and someone already knows my students' user names, what is to stop the hacker from resetting my students' passwords before the students get the chance to? If the reset could be done on the iPad then it would be easier to get every account reset on Monday, but someone still could take over the student accounts between now and Monday.

Link to comment

As others have said, this security breach just points to the urgent need for 2-factor authentication. I've been meaning to post about this for some time, but this event has definitely motivated me to do so. No, 2-factor authentication is not foolproof, but it's a hell of a lot better than just a username and password, as this breach shows. I really liked the way Dropbox implemented it, using Google's Authenticator app to generate the key rather than making their own app. I suggest that Evernote does the same. That way we can use a single app to access multiple accounts.

Link to comment
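The poster's point about using the Google Authenticator app for several accounts works because that app implements the open TOTP algorithm (RFC 6238, built on HOTP from RFC 4226), so any service that hands the user a base32 secret can verify the same six-digit codes. The block below is an added example that is not from the thread, from Evernote, or from Dropbox; it shows both the code generation a phone app does and the server-side verification, including the two details a verifier has to get right: tolerating a little clock drift, and refusing to accept the same time step twice so a code that leaked (a stolen password does not leak it, but a shoulder-surfer might) cannot be replayed. The secret used in the stand-alone run is the RFC 6238 test-vector key, not a real credential.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890"); used
# only so the output can be checked against the published vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter = floor(unix_time / step).
    This is what the authenticator app computes every 30 seconds."""
    return hotp(secret, for_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator-style secrets are shown as base32, usually without '='
    padding and sometimes grouped with spaces; normalise before decoding."""
    cleaned = encoded.replace(" ", "").strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server side. Accepts codes within +/- `window` steps of the server's
    clock and remembers the last step accepted for each user so a code cannot
    be used twice (RFC 6238 section 5.2 resynchronisation and replay guidance).
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_step = {}  # user -> highest time step already consumed

    def verify(self, user: str, secret: bytes, code: str, now: int) -> Optional[int]:
        """Return the matched time step, or None if the code is rejected."""
        if len(code) != self.digits or not code.isdigit():
            return None
        current = now // self.step
        for drift in range(-self.window, self.window + 1):
            candidate_step = current + drift
            # Never re-accept a step at or before the last one used.
            if candidate_step <= self._last_step.get(user, -1):
                continue
            expected = hotp(secret, candidate_step, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time compare
                self._last_step[user] = candidate_step
                return candidate_step
        return None


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the RFC test secret:", totp(RFC_TEST_SECRET, now))
    v = TotpVerifier()
    print("verified at step:", v.verify("demo", RFC_TEST_SECRET, totp(RFC_TEST_SECRET, now), now))
```

With the RFC secret, `totp(RFC_TEST_SECRET, 59)` is 287082 (the published vector 94287082 truncated to six digits), and the verifier accepts that code once at t=59, accepts it again only if the clock has not moved past the window, and rejects a second use of the same step outright.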
  1. I'm a premium user who did not receive an email -- learned about this on Gizmodo.
  2. The search engine was not able to find any reset info for "android password" or "android login" -- but Google could; within the Evernote Knowledge Base.
  3. Having to unload and reload content on my smartphone in order to enter a new password is poor software design; people have been complaining about this for a year.
  4. Time for a more robust security model -- as many people here have called for.
  5. Evernote follows other vendors' practice of having a major problem at the end of the week, then not staffing their Helpdesk over the weekend to deal with it.

Not ready for the enterprise...

Link to comment

 

Any educators out there? I have approximately 500 students that will not be able to get into their Evernote accounts on Monday morning. Most students are accessing their account from an iPad as many of my classrooms are in a 1:1 or share a cart situation. I have sent an email to all of my teachers, but resetting passwords in the computer lab was probably not in their plans for Monday and/or they would feel more comfortable to have me guide their students through the process. I only see each of my classes once a week which means some classes will not do the reset until Friday. If there is a breach, couldn't someone else reset their password before the students get a chance to reset it?

 

Would love some ideas besides me spending my Saturday resetting 500 student passwords...

 

Consider making this a lesson in the online world - you might be surprised at how aware your students already are of these risks.  The students should be responsible for their own passwords - if not, then perhaps they're too young for authenticated apps like Evernote. 

 

No way around it - breaches happen.  And password resets are the logical solution.

I think that you misunderstood my question. The password needs to be changed on a computer before the account can be accessed on a device, specifically an iPad. Most of my classrooms are accessing their Evernote accounts on iPads. Teachers have certain curriculum that needs to be covered each day and have little time to spend taking their class to the lab in order to change passwords. Therefore, they may have to wait or want to wait for the next time I am available to their class, for some as late as next Friday.

There is no risk to my students, all that will be found in my student's accounts are school work and fluency recordings... not of much interest to a hacker. What is more concerning is that student work may not be recovered if someone resets their password before the students do.

What I am mostly saying is... If there is a breach and someone already knows my students' user names, what is to stop the hacker from resetting my students' passwords before the students get the chance to? If the reset could be done on the iPad then it would be easier to get every account reset on Monday, but someone still could take over the student accounts between now and Monday.

 

Got it.  'Can see how this will be a pain for you, your teachers, and students.  Very cool you're leveraging iPads in the classroom tho.  My kids are stuck with logging onto web sites for assignments, uploading homework, etc...

 

I suppose the rest of us should consider the lack of the ability to change passwords on our mobile devices to be a security 'feature', small tho it be in case we lose our devices.


After changing my Pw I wanted to check which Apps are currently connected with my Account but I can't find the Settings option to check this?!

 

When I use https://www.evernote.com/AuthorizedServices.action I am redirected to the General Settings.

 

Did the URL / Link change?

 

You raise an interesting security issue related to breaches - visibility into when and on what device the last login/synch happened.

 

Facebook has implemented login device recognition.

 

Security improvement at the account level: a log of devices, location when available, and synch times.  We might then have a hint that someone in Siberia had accessed our account.  I am far more concerned about data safety in EN than for the fluff in FB.

 

LastPass has country lockdown as well, so I can only login from my own country, and countries that I travel to.  I have to remember when going travelling to add those extra countries to the list, but it means that someone in Siberia will never access my LastPass, even if they had my password and second factor.


Beware - I had to resync all my off-line content on iPad and iPhone because of this. Support ticket #16051-248323.

I didn't get an e-mail, but I did see a news article about Evernote having been hacked.  I changed my password on my web account via my laptop PC.  Now I am trying to figure out where/how to tell Evernote for Android to reset my password.  Any pointers on how to do that, please?

 

Follow-up: found what I needed to know.  Thanks, Heather.


Beware - I had to resync all my off-line content on iPad and iPhone because of this. Support ticket #16051-248323.

I didn't get an e-mail, but I did see a news article about Evernote having been hacked.  I changed my password on my web account via my laptop PC.  Now I am trying to figure out where/how to tell Evernote for Android to reset my password.  Any pointers on how to do that, please?

You need to log out and log back in. On any Android device all the notes have to be downloaded again.  So if you have all your notebooks stored on your device it can take quite some time to download them again.


Opened a ticket for the android sync issue. Not even a ticket# yet.

I'm trying to imagine the shitstorm in my company if really 50% of the employees - 800 roughly - would have been using EN for Business as main knowledge repository as I suggested. I guess the CEO himself would have fired me.

How many salted passwords were exposed? No way to only reset those and inform the others first? Are all passwords stored on that very same place?

Highly unprofessional behaviour. I'm deeply disappointed.


Opened a ticket for the android sync issue. Not even a ticket# yet.

I'm trying to imagine the shitstorm in my company if really 50% of the employees - 800 roughly - would have been using EN for Business as main knowledge repository as I suggested. I guess the CEO himself would have fired me.

How many salted passwords were exposed? No way to only reset those and inform the others first? Are all passwords stored on that very same place?

Highly unprofessional behaviour. I'm deeply disappointed.

It's not going to Sync unless you reset your password via the web.  You then need to sign out then back in.


Opened EN on my Mac, read the email, and reset my password for my Mac, iPhone, and iPad. But now my notes from 2/28/13 are gone!!! I have never had this happen before and I have used EN for well over a year!! I think users DID lose data. I just want my notes back!!!


Opened EN on my Mac, read the email, and reset my password for my Mac, iPhone, and iPad. But now my notes from 2/28/13 are gone!!! I have never had this happen before and I have used EN for well over a year!! I think users DID lose data. I just want my notes back!!!

I lost one note from my phone.  It hadn't synced to the server before the problem.  I signed out on my phone, after resetting my password via the web, which reloads the device from the server.  Could be a similar situation.


Got an email today asking me to change my password. Did so.

 

Now I can't log in on my iPad with the new password.

 

"Error : Too many failures, please try again later"

 

What the heck ?

Got no problems signing in online or on my iPhone.

That's exactly what happened to me.

  1. Changed password on web client.
  2. Logged into account with new password on iPad.
  3. Now I get this message on my iPhone, so I couldn't connect that app.
  4. Logged out of web client to make sure new credentials worked. Could NOT log back in.
  5. Read this forum for maybe 10-15 minutes.
  6. Tried to log in to web client so I could post to this forum. It WORKED.
  7. Now I CAN log in to iPhone app.
  8. Desktop client worked fine. A new version was issued which allows you to retain your data as you provide the new password.

Conclusion: Wait 10-15 minutes before trying your other devices, so the new password has a chance to percolate through the Evernote server farms. However, the error message is very misleading, as it comes up after a single attempt to enter a password.

 

I'm sorry for those who lost data on mobile devices. Evernote needs to add the password-reset functionality to mobile apps, so data in the device isn't lost if (when) this happens again.

 

+1 vote for two-factor authentication


TFA is the next logical step in protecting user accounts.  Your user community has been requesting it for over two years.  Phil, are you listening?

 

 

Two-step verification would be nice to avoid this type of problems

 

 

why not using 2 step auth providing by google?

 

 

 

Facebook has implemented login device recognition.

 

Security improvement at the account level: a log of devices, location when available, and synch times.  We might then have a hint that someone in Siberia had accessed our account.  I am far more concerned about data safety in EN than for the fluff in FB.

 

 

why not using 2 step auth providing by google?

 

There are a number of threads suggesting that. I really hope that EN will put improving security (i.e. implementing 2-step sync) as a high priority on their to do list...

 

 

As others have said, this security breach just points to the urgent need for 2-factor authentication. I've been meaning to post about this for some time, but this event has definitely motivated me to do so. No, 2-factor authentication is not foolproof, but it is a hell of a lot better than just a username and password, as this breach shows. I really liked the way Dropbox implemented it, using Google's Authenticator app to generate the key rather than making their own app. I suggest that Evernote does the same. That way we can use a single app to access multiple accounts.


I am in Oz. Found out when trying to launch Evernote this morning.

Password change simple, synced across all devices no problems.

My Q: what happens to the mail-in address created by EN. Do the hackers have access to this information.

If so, may be able to SPAM my EN account with unwanted material?

Can we change this address?

Love the Evernote service, I believe they have acted promptly and I will continue to use EN as my primary tool to brain dump everything :-)


Such a cavalier approach to security as Evernote is using cannot be tolerated anymore. I really like Evernote, but a service's security should be commensurate with the amount of personal data stored. I store more personal data in Evernote than in any other service, yet Evernote has the worst security. I just renewed my premium subscription. If by the next time I am due to renew my account is protected only with a password, I am probably not going to renew.


I just saw a new update for Evernote in the App Store at 6:31 PM (EST). This update is supposed to be a fix for the password issue (although, in retrospect, I am glad that they required me to change my password since hackers were involved).

I can now also change the Sort Field on my iPad without it crashing! I always sort by Created Date, and not being able to see my notes sorted by the date I created them was giving me a headache. Other than getting used to a new password, things feel like they are getting back to normal.

And the Snippets View (or List View) is what I have been secretly hoping they would add to the iPad for months.

+1 for 2-step verification (or something similar)

  • Level 5*

OK I've now had my email,  an update to my Android app and everything is working smoothly again.  I think.

 

I don't think many software firms with 50M customers have had to deal with this sort of situation previously - all credit to Evernote that having been caught on a weekend with a major security crisis they got things back together again within 12 hours.  Thank you to the Evernote team who worked over the weekend to restore things.

 

Users generally have had a bad experience,  and in some cases the pain may still continue - while users of shared notebooks catch up with their password resets for instance - but I'd imagine this is new territory for everyone.  Hopefully there won't be a next time - but if there is I hope we'll all be better prepared for it.


Updating the password seemed to be quite easy and painless. After reading the blog post I changed my email from the web client. Then updated the OS X app and iOS app. No problems.

 

BUT the Android update was a fail. It said that I should reset my password even though I already had reset it and successfully logged in with the new password with the other clients. So I created a new password yet again in Android but then I get a message saying the password is wrong... huh, how can a new password be wrong? Well it turned out the dialogs were off. They told me to reset but actually it just wanted me to log in. But after I log in it asks a password again and this time I'm not sure if it wants me to create a new password or just log in (again)? I ended up signing out of all the clients, making yet another password in the web client, and logging in. This solved all issues. Except for some reason signing out of the Android client deleted all cache and now I have to wait for a full sync (looks like it's going to take an hour). I don't understand why logging out removes the cache. This didn't happen on iOS.


I got what purports to be a password reset notice today directing me to: http://links (dot) evernote (dot) mkt5371 (dot) com/

The text is copypasta from the Evernote homepage, except the Evernote.com links are switched to the above website. (And, for whatever reason, the wiki link to salting was changed to plain text.)

Either that's: (1) a follow-up phishing attempt; or (2) Evernote is sending password reset notices that look suspicious.

Anyone at Evernote want to say "that's OK" or look at the forwarded e-mail?


I got what purports to be a password reset notice today directing me to: http://links (dot) evernote (dot) mkt5371 (dot) com/

The text is copypasta from the Evernote homepage, except the Evernote.com links are switched to the above website. (And, for whatever reason, the wiki link to salting was changed to plain text.)

Either that's: (1) a follow-up phishing attempt; or (2) Evernote is sending password reset notices that look suspicious.

Anyone at Evernote want to say "that's OK" or look at the forwarded e-mail?

One further note: I logged into Evernote using a browser and it accepted my old password, whereupon I reset my password.

This seriously sucked. Android gave no notice and my web browser clipping services kept rejecting my pwd. Only by dumb luck I tried to log into the web service and was asked for a new password. I probably needed to change mine but what a bass awkwards way to force a reset. I thought for a minute my account had been hijacked. Hello Evernote... is anyone home?


I can't save anything from Reeder for iPad to my reset EN. No problem with the iPhone version but on the iPad my login details keep getting rejected. I tried everything, including reinstalling the app. No joy.

Same.  Also can't reconfigure IFTTT workflows.

 

[fixed] logging out and back in plus re-authorizing 25 mobile apps and services to Evernote.

 

Still not working for me with Reeder. Logged out and in and deleted/re-entered EN login more times than I can count. Seriously annoyed.

 

Also, I never received a notification email. I found out when EN desktop told me that my password was invalid.


I would like to register my extreme dislike of forcing us to reset our password.

That should be MY CHOICE NOT YOURS

 

I REALLY HATE THIS!!

 

10 thumbs down for whomever thought that was a good idea.

 

Whenever companies force me to change passwords on a regular basis, I always end up going to a systemized password so I can easily figure out what the latest is.

If you just leave it alone, I will use a very good password.

 

At any rate, it is my responsibility and my data so leave me alone!


I would like to register my extreme dislike of forcing us to reset our password.

That should be MY CHOICE NOT YOURS

I REALLY HATE THIS!!

10 thumbs down for whomever thought that was a good idea.

Whenever companies force me to change passwords on a regular basis, I always end up going to a systemized password so I can easily figure out what the latest is.

If you just leave it alone, I will use a very good password.

At any rate, it is my responsibility and my data so leave me alone!

EN does not force regular password changes & apparently you didn't read through the thread. In this case, it's because of this:

http://discussion.evernote.com/topic/35555-security-notice-service-wide-password-reset/

It takes a special kind of dumb to be peeved b/c of the forced password change in this case.


I got what purports to be a password reset notice today directing me to: http://links (dot) evernote (dot) mkt5371 (dot) com/

The text is copypasta from the Evernote homepage, except the Evernote.com links are switched to the above website. (And, for whatever reason, the wiki link to salting was changed to plain text.)

Either that's: (1) a follow-up phishing attempt; or (2) Evernote is sending password reset notices that look suspicious.

Anyone at Evernote want to say "that's OK" or look at the forwarded e-mail?

 

The link then re-directs securely to evernote.com

 

This being the case, can passwords be phished in this way?

 

Following the link installs 2 cookies: akamaihd.net and evernote.com


Let this be a wake up call to Evernote... they need to prioritize data loss at the top of the stack, starting with complete encryption of all user data stored on their servers.

If EN encrypted all your notes on their server, they would not be able to do the indexing that is so helpful. You should search the board on security/encryption, as this has been discussed a lot already.


Let this be a wake up call to Evernote... they need to prioritize data loss at the top of the stack, starting with complete encryption of all user data stored on their servers.

If EN encrypted all your notes on their server, they would not be able to do the indexing that is so helpful. You should search the board on security/encryption, as this has been discussed a lot already.

They at least need to allow notes to be encrypted... if that means they are not indexable... fine.  But if they refuse to do this, I guess the wake up call is for me then... the risk of storing sensitive personal information in Evernote is too great.


They at least need to allow notes to be encrypted... if that means they are not indexable... fine. But if they refuse to do this, I guess the wake up call is for me then... the risk of storing sensitive personal information in Evernote is too great.

Um, they *do* allow users to encrypt text. EN has never purported to be a password manager type application. If you need to store sensitive info, you can either encrypt it yourself or use a true password manager type application. Like I said, this has been discussed a lot already. Please search the board if you are interested in more info on the topic.


They at least need to allow notes to be encrypted... if that means they are not indexable... fine.  But if they refuse to do this, I guess the wake up call is for me then... the risk of storing sensitive personal information in Evernote is too great.

Um, they *do* allow users to encrypt text. EN has never purported to be a password manager type application. If you need to store sensitive info, you can either encrypt it yourself or use a true password manager type application.

I know that... but what about people that want to go paperless and store lots of sensitive PDF documents in Evernote?!  Allowing optional encryption of Notes or whole Notebooks has got to be a good thing.  Why are you against it?


I got the password reset notice and I see a link to it on evernote's homepage.

 

What I want to know is why the link reset and support URLs are NOT on the evernote domain?  This is a sign of a classic phishing attack and anyone who knows anything about security would not follow a link like this in their email.

 

Since they have posted a note about it on their homepage, I'm very disappointed that they would choose to send out an email like this.. People who should change it, may not because of such a simple mistake in security.

 

http://links.evernote.mkt5371.com <<< -- mkt5371 domain NOT evernote.com

 

exactly - they obviously want to do tracking on response to the email but this goes against all security best practice standards that everyone else is pushing to people:

- never click on links in emails about resetting passwords

- don't be fooled by fake URLs like evernote.mkt5371.com

then on the top of the home page there is link that takes you straight to a login page with no explanation - and the link looks completely out of character with the rest of the home page - it looks like it has been hacked in!

 

they have blog articles and other info on this issue that could have been linked to in a more legitimate looking way!

the forced password reset was a reasonable response to the intrusion, but their implementation of it was fundamentally flawed and counter-productive

 

kelly

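As an added example (not code from the thread or from Evernote), the domain check the posts above argue for: parse each link in a reset notice, including the defanged "(dot)" spelling quoted earlier in the thread, and flag any whose registrable domain is not the service's own. The trusted-domain set and the sample notice text are constructed, and the reset path in the sample is a placeholder.

```python
"""Added example, not code from the thread or from Evernote: check whether
every link in a password-reset notice points at the service's own domain.
The trusted-domain set and the sample notice below are constructed."""
import re
from urllib.parse import urlparse

# Registrable domains the service is known to send from (assumption for this example).
TRUSTED_DOMAINS = frozenset({"evernote.com"})

# Posters quoted the link defanged as "links (dot) evernote (dot) mkt5371 (dot) com".
_DEFANG = re.compile(r"\s*\(dot\)\s*", re.IGNORECASE)
# Match http(s) URLs up to whitespace or a closing delimiter.
_URL = re.compile(r"https?://[^\s<>\"'()]+")


def refang(text: str) -> str:
    """Turn the '(dot)' spelling back into '.' so the link can be parsed."""
    return _DEFANG.sub(".", text)


def registrable_domain(url: str) -> str:
    """Return the last two labels of the host, e.g. 'mkt5371.com'.

    urlparse().hostname discards any 'user@' prefix, so a link such as
    http://evernote.com@example.org/ resolves to example.org, not evernote.com.
    Two labels is enough for .com-style names; multi-label public suffixes
    such as co.uk would need a public-suffix list (a known limitation here).
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return host if len(labels) < 2 else ".".join(labels[-2:])


def is_trusted_link(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only when the registrable domain itself is trusted.

    'evernote' appearing as a subdomain label (links.evernote.mkt5371.com)
    does not count: whoever owns mkt5371.com controls that host.
    """
    return registrable_domain(url) in trusted


def suspicious_links(notice_text: str, trusted=TRUSTED_DOMAINS) -> list:
    """Every link in the text whose registrable domain is not trusted."""
    urls = (u.rstrip(".,;:") for u in _URL.findall(refang(notice_text)))
    return [u for u in urls if not is_trusted_link(u, trusted)]


# Constructed sample notice: one first-party link (placeholder path) and one
# link on the marketing/tracking domain quoted in the thread.
SAMPLE_NOTICE = """\
Please reset your password at https://www.evernote.com/reset/PLACEHOLDER.
More details: http://links (dot) evernote (dot) mkt5371 (dot) com/track/abc
"""

if __name__ == "__main__":
    for link in suspicious_links(SAMPLE_NOTICE):
        print("not on a trusted domain:", link)
```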

how about setting up a two step verification system that uses an app on your phone to make sure it is actually you accessing your notes. I'd also like to see the option of adding a password to each note if I choose to. I guess until then I can zip files with passwords, but it's a pain.


I am in the middle on the comments here.  I am not impressed that they could be hacked, notwithstanding the salted passwords.  No way hackers should have got in.  But the rapid update to the apps was impressive, as I just got the Win desktop update now.  Good work there .... but...

 

But longer term, a 100 year extension of my brain had better learn from this, and maybe slow down on the fancy stuff to allow some back to basics thinking.  There is no way a hacker of any kind should be able to get in to my username, salted password etc - no way, ever!  Today is a wake up call.  

 

Premium user since 2008.


So, I get the notification of the hack, and go to the web, reset my password, download new updated apps just like the instructions stated. Now I cannot log into my account on the iPhone or iPad, yes, I did input the new password from the web, but keep getting invalid password. 

 

I filed a complaint ticket, and was impressed when I received a response in 20 min that read I am stupid, do what they had published then come here so all you fine folks can fix their problem. So here I am. Any ideas?

 

Cheers


Hi jfnjr,

 

You need to go through the process on your other devices. But once you have a new password, it should just be a case of inputting it.

 

Have you gone onto the web and made sure you can log in that way? It might be worth changing your password on the web then trying again.

 

Best regards

 

Chris


 

They at least need to allow notes to be encrypted... if that means they are not indexable... fine.  But if they refuse to do this, I guess the wake up call is for me then... the risk of storing sensitive personal information in Evernote is too great.

Um, they *do* allow users to encrypt text. EN has never purported to be a password manager type application. If you need to store sensitive info, you can either encrypt it yourself or use a true password manager type application.

I know that... but what about people that want to go paperless and store lots of sensitive PDF documents in Evernote?!  Allowing optional encryption of Notes or whole Notebooks has got to be a good thing.  Why are you against it?

 

The EN team needs to grow up. EN as a tool for going paperless is worthless if there's no dedication to security.

 

The refusal to allow secure storage because "we wouldn't be able to do all the cool stuff if we can't index notes" reduces EN to storage only for trivial content that you don't care to be insecure. The lack of 2 pass authentication is even more lame. EN would be able to offer exactly the same benefits with an additional layer of authentication. It seems a lack of priority, or maybe even a lack of understanding. 

 

Why not let customers decide? Offer optional 2 pass authentication, and offer optional secure storage of notes. Let customers decide what they want. We can figure out the trade-off between notes that need more security and notes where we don't care.

 

I hope this breach was a wakeup call. I love EN, use it extensively, but if there's not more dedication to security, I'll move on to something else. If needed, I'll trade the user friendly EN for something less user friendly and much more secure.

  • Level 5

I'm increasingly of the view that so-called "Enterprise" requirements for things like Security and Availability are IDENTICAL to the personal requirement. This whole situation and our responses to it just reinforce that view.

 

And for those of us whose personal and work lives are a blend that's increasingly "interesting".

  • Level 5*

Seems to me that various accusations that Evernote "don't take security seriously enough" are missing the point that after what sounds like a sophisticated hacking attempt,  nothing was compromised and the password reset was part of the measures the company was taking to strengthen its defenses.  And Evernote had product patches out within 12 hours to help everyone through the password change.  Users may have had a bumpy experience,  but it wasn't the end of the world.  On a scale of 1-10,  I'd say Evernote deserve an 8.5 for responsiveness and action.

 

Following on from my favourite precept #1 on Security - "two people can keep a secret - if one of them is dead" I'd like to offer you my draft precept #2 - "you can keep things secure in the Cloud - provided you don't ever need to see them again"

 

If you store information online,  the biggest security hole is the fact that you have access to it at all.  If someone really wants your data could they get it by stealing your hardware?  Is your hard drive encrypted and password-protected?  Do you have a local backup of your precious information just in case?  If the answer to most of these questions is 'no',  guess who's the biggest threat to their own security...

 

So  -

  • Encrypt all or part of your hard drive.  Backup frequently.  Password protect your hardware.
  • If your data is really confidential,  keep it in an unsynchronised local notebook. 
  • If it's fairly private,  encrypt or password protect the files before you upload

All of the above is already perfectly feasible with free software and a little effort.

 

Simples,  yes?


 

  •  2-factor authentication needed
  • Better client level encryption
  • Payment via Bitcoin

Please implement these and I will feel safer. 

 

2-factor I'll allow

"better" client encryption? Didn't know we had any - see my last post.

Bitcoin? - last September don't I remember "Last night, a few of our servers were compromised..." - ?

 

That was one exchange, the protocol is still solid as it uses high level encryption. Bitcoin is gaining traction of late (current price circa $34) and is being accepted by many sites where people prefer to keep their identities anonymous. 

 

If Facebook, Apple and Evernote can be hacked....so can a young exchange. The main MtGox exchange and other large ones such as Bitstamp have upped their security massively since that happened... which is why confidence has returned. 

 

I would like to see Bitcoin for Payments as it would be cheaper than PayPal, and for the aforementioned near-anonymity it offers. The less personal info Evernote have, the less there is for hackers to gain should this happen again. 

  • Level 5*
If Facebook, Apple and Evernote can be hacked....so can a young exchange. The main MtGox exchange and other large ones such as Bitstamp have upped their security massively since that happened... which is why confidence has returned.

 

My point was rather that if Facebook,  Apple and Money Exchanges can get hacked (and lose data),  I don't think Evernote should have to work too hard to get user confidence back - they at least didn't lose anything,  and are already upping their security ...

  • Level 5*

 

 

  •  2-factor authentication needed
  • Better client level encryption
  • Payment via Bitcoin

Please implement these and I will feel safer. 

 

2-factor I'll allow

"better" client encryption? Didn't know we had any - see my last post.

Bitcoin? - last September don't I remember "Last night, a few of our servers were compromised..." - ?

 

That was one exchange, the protocol is still solid as it uses high level encryption. Bitcoin is gaining traction of late (current price circa $34) and is being accepted by many sites where people prefer to keep their identities anonymous. 

 

If Facebook, Apple and Evernote can be hacked....so can a young exchange. The main MtGox exchange and other large ones such as Bitstamp have upped their security massively since that happened... which is why confidence has returned. 

 

I would like to see Bitcoin for Payments as it would be cheaper than PayPal, and for the aforementioned near-anonymity it offers. The less personal info Evernote have, the less there is for hackers to gain should this happen again. 

 

No payment information was hacked. If you use an email address, password, and user account name that is not associated with your real one, then the hackers didn't make off with much. If your password was long (10 or 20 characters), random, and unique to the Evernote site, then it will take them several weeks, months, or years to hack it. You've changed your password by now, I suppose, so the hackers really have nothing useful in their hands, right?

 

I've got nothing against 2fa, which Evernote has already said they will be implementing. I've certainly got nothing against encryption, though I am not sure what you mean by client-level encryption. I've got nothing against bitcoin either. It's just that this attack, as far as I can tell, would not have been affected one way or another by bitcoin.


So the hackers got a hold of a hash string stored on an Evernote server somewhere, and associated with me.  This hash string has now been replaced with another hash string generated when I reset my password.  My original password was pretty strong, and so is the new one.  What I have not heard from either Evernote or anyone here is "...and Evernote has plugged the hole that allowed them to get the hashed passwords in the first place".  If that hole isn't plugged, my data is as secure now as it was when I got the email.

  • Level 5*

So the hackers got a hold of a hash string stored on an Evernote server somewhere, and associated with me.  This hash string has now been replaced with another hash string generated when I reset my password.  My original password was pretty strong, and so is the new one.  What I have not heard from either Evernote or anyone here is "...and Evernote has plugged the hole that allowed them to get the hashed passwords in the first place".  If that hole isn't plugged, my data is as secure now as it was when I got the email.

 

-From the password reset email -

 

"As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content"

 

So that would be 'yes' to your question..  but then the next attack (if there is one) will probably try something else anyway.

  • Level 5

@gazumped That's about the same as the rather grim "this plane crash just made subsequent flights safer". A true fact. And this is a constant game of cat and mouse. Which is why I assume there will be incidents - with different attack vectors used.

  • Level 5*

@gazumped That's about the same as the rather grim "this plane crash just made subsequent flights safer". A true fact. And this is a constant game of cat and mouse. Which is why I assume there will be incidents - with different attack vectors used.

 

It's an arms race.  No matter how sophisticated the protections and how smart the protector,  there's always someone out there willing to bet s/he's smarter.  Nothing is impenetrable - you just have to use the Bear Hunter defence;  "all I have to do is run faster than you.." toughen up as much as possible and hope the black hats go after someone easier.


Archived

This topic is now archived and is closed to further replies.
