
DavidTheExpert

macrumors regular
Apr 20, 2012
199
351
I noticed a "your Evernote password has changed" message a few hours before I got that security email, and I couldn't log in. I freaked out thinking someone had hax0red my evernote account, so I quickly manually reset my password. I was relieved to log back in and find that none of my notes had been deleted, nor were there any extra notes saying "lolz hacked ur account betch!" Then I was even more relieved when I got the letter from Evernote explaining what had happened.
 

knucklehead

macrumors 6502a
Oct 22, 2003
545
2
I don't use evernote for anything sensitive, but I am more worried what it implies. If evernote is hacked, will syncing solutions, such as icloud or dropbox be targeted? For instance, 1password or wallet use icloud or dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get past the encryption/masterpassword and access to all my passwords.
In my opinion, companies and especially governments need to be much more proactive in protecting the public from internet crime. Of course, if it's the governments' doing, we have a problem.

You need to encrypt anything you are even remotely concerned about. 1Password's files are already encrypted in Dropbox, so that's OK. I use BoxCryptor for my own sensitive files on Dropbox, but I'll be moving to using it on pretty much everything.

This incident looks like my .mac email address has just become further polluted, and I can look forward to even more spam and phishing emails.
I wish Apple would let me change that from my Apple ID.
 

pundit

macrumors regular
Mar 18, 2007
114
0
I use dynamic DNS and openVPN with a shared key to access data externally... Then just use a full copy of Onenote on a tablet; it does live shared updating of the notebooks. For me, I don't worry about "Evernote got hacked!"

Of course, it's not a solution for the average user; simply too much complexity, but there is no substitution for providing your own security and hosting your own data if you can do it.
 

turtle777

macrumors 6502a
Apr 30, 2004
686
29
For instance, 1password or wallet use icloud or dropbox to sync between devices and for backup. Should someone get my sync file, they have all the time in the world to try to get past the encryption/masterpassword and access to all my passwords.

In case of 1PW, they would need all the time in the world.

As long as you use a long and safe Master Password, encrypted data in the cloud is not an issue.

They will go for a dictionary attack before they try to decrypt your contents.

-t
 

pmau

macrumors 68000
Nov 9, 2010
1,569
854
Because emails can be easily intercepted, and not everyone is keen on having his name associated with his email address.

-t

Thanks for this remark. You are absolutely spot on.

I hate it when companies mail invoices to you stating billing address and your payment method etc.

My phone company for example writes a completely anonymous message that I can now download my monthly phone bill including call records.

It contains no name, customer id or anything.
This is a really important part of privacy.
 

japanime

macrumors 68030
Feb 27, 2006
2,916
4,844
Japan
I use Evernote but didn't seem to receive the email warning of the password breach. It certainly wasn't in my inbox.

So, I just searched my Mail.app and discovered that Apple's junk-mail filter had put the Evernote email directly into the trash. :confused:
 

canyonblue737

macrumors 68020
Jan 10, 2005
2,147
2,618
I never got an email either but I think I know why... evernote sent the email from a NON-evernote domain that was only registered a few months ago and whose ID looks like it doesn't belong to evernote. It looks EXACTLY like a classic phishing scheme... except evernote has admitted it really was from them. Many email services grab these messages because they look so obviously fake. They are now saying on the forums it was due to this happening in the midst of a big email server switch for them and this was the only way they could send out 50 million emails on short notice. To me it says that this is a big company still playing amateur hour when it comes to user security.

1. no 2 factor authentication.
2. SSL only when sending data to their servers.
3. no encryption of ANY KIND of ANY of your notes or notebooks on their servers. if someone gets your primary password, everything is exposed.
4. poor handling of the large data leak... email response, style and timing was all beyond poor. all passwords reset prior to ANY email, twitter, homepage or any other notification sent from evernote. the error alert saturday morning on evernote.com and in apps simply said you were entering the wrong password leading thousands to think they had been hacked with nothing at all explaining what had really happened.

this is a company that proudly has articles on their website saying "how to use evernote at tax time" but does nothing at all to protect the critical nature of user information on their servers. no one does this as poorly in the crowd they want to play in: apple, twitter, google, dropbox etc. it is downright irresponsible for them to imply that critical user data is safe and they haven't even hinted they want to improve it ('cept for 2 factor which they have been implying for a year and never arrived even with the big 5.0 update.)

i hope evernote stops what they are doing, realizes they are becoming a MAJOR player in the cloud space and with 60 million accounts they have to do FAR better. evernote has been iterating like mad on their service which has brought them great success but they need to pour their resources into security they desperately need starting with 2 factor authentication and the ability to encrypt notebooks. only then will evernote be a modern, secure cloud service to store your life's most valuable information.
 

japanime

macrumors 68030
Feb 27, 2006
2,916
4,844
Japan
I never got an email either but I think I know why... evernote sent the email from a NON-evernote domain that was only registered a few months ago and whose ID looks like it doesn't belong to evernote. It looks EXACTLY like a classic phishing scheme... except evernote has admitted it really was from them. ...

Fantastic info. Thanks! I couldn't figure out why the message would have been filtered as "junk."
 

daveham

macrumors newbie
Oct 30, 2012
6
0
This is why I use Dashlane:

1. I never reuse passwords, so it was minimal damage to my security.
2. I got an alert that let me know of the breach even before Evernote did.
3. I changed my passwords on my iPhone while at dinner. Dunzo.

Impact of breach? Minimal. Cost of Dashlane? Free.

:cool:
 

Will do good

macrumors 6502a
Mar 24, 2010
666
391
Earth
It is so vital these days to use a password manager, unless you are blessed with a photographic memory and can remember different safe and secure passwords for all your website logins.

No matter how secure you think your own computer is, if one of a growing number of websites gets hacked and your username, which is often your email address, and password is taken, you are vulnerable. If you are daft enough to use the same password on other websites, then not only are you vulnerable on that website, but every website that you use the same password.

I use 1Password.

I used 1 password for my not important site that contain no personal data, credit card or financial information.

But I don't feel safe leaving all my important to any one company such as 1 Password. If hackers (China included) can hack into Apple, Facebook, government agencies etc. why can't they hack into 1 Password? Specially WE all know they keep everyone's account and passwords. That's who I will target if I really want a big payout. :D
 

James_C

macrumors 68030
Sep 13, 2002
2,817
1,822
Bristol, UK
I used 1 password for my not important site that contain no personal data, credit card or financial information.

But I don't feel safe leaving all my important to any one company such as 1 Password. If hackers (China included) can hack into Apple, Facebook, government agencies etc. why can't they hack into 1 Password? Specially WE all know they keep everyone's account and passwords. That's who I will target if I really want a big payout. :D

Would not do them any good for two reasons:

1. AgileBits (the developer) does not keep details of your 1Password password.

2. Any hacker would need two things to access your password. Physical access to the Password database, which is only stored where you choose to keep it and your 1Password password. Your 1Password database is not stored by AgileBits.
 

alisagenovese

macrumors newbie
Mar 17, 2013
1
0
Lost access to my account since password reset

Anyone had the experience of losing access to their account? I have been in contact with evernote. Seems my account was linked to an old email and they can not verify my account so they will not allow me access. They sent me a way to try to access my notebooks on my computer. This is what they told me to do:

We’re sorry you’re unable to access your copy of Evernote Desktop due to an incorrect password, but we’re happy to assist you with getting your notes back into Evernote.

Here’s how to accomplish that:

On Mac:

Your database is in a hidden directory. You can access it by opening the Finder, then selecting "Go" from the top menu and hitting the "Option" key. Once you have done that, you'll see the "Library" folder pop up.

Select it.

~/Library/Containers/com.evernote.Evernote/Data/Library/Application Support/Evernote/accounts/Evernote/<your username>/content

or

~/Library/Application Support/Evernote/accounts/Evernote/<your username>/content

Create a brand new Evernote account with your new, desired username. Note, you will need to use a different email address than the one currently on file with your account. Login to Evernote Desktop for Mac with this username, then drag the “Content” directory onto your desktop. Contact Support for further instruction.

Once you have performed these steps, please reply with your new account username and we will be happy to issue you additional storage space to help you with importing your data to the new account.

I tried and do not see the library files they mention. Does anyone have any other suggestions on how I may recover my notebooks? I feel scared I may have lost them forever :confused:

Thank you
 