Last week, our systems detected a sequence of login attempts to Evernote from a single web browser at IP addresses that appeared to originate from Italy. Each attempt sent a unique username and password combination. Some of these usernames were the same as Evernote usernames, and less than one percent of the attempts sent a username and password combination that matched that of an existing Evernote account. From our logs, we were able to identify which Evernote accounts had an exact username and password match. We sent each of the affected account holders an email warning them to change their password on Evernote, as well as on any other service(s) where they used the same combination of username and password.
We believe that this activity came from someone who has a list of usernames and passwords that were obtained without authorization from people who use another web service. Based on a few identifying factors, we believe that the list contains a disproportionately high percentage of Italian residents. It’s possible that this list was obtained without authorization from a popular Italian-focused service. But because the attackers have plaintext passwords for each account, we think it’s more likely that the list was assembled from an Italian-focused phishing attack.
We’ve found a few recent examples of such attacks via Google News, but we don’t have a good way to know whether these are describing the actual origin for our incident.
Once we detected that someone was laundering what we suspected was a stolen account database against Evernote accounts, we added some temporary blocks to stop the immediate problem. We also deployed additional permanent heuristics to provide even faster warnings of this type of issue in the future.
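The heuristic sketched above (one browser, many distinct usernames, almost none of them succeeding, even when the source IP rotates) can be run over login logs directly. The following is an added example written for this post, not Evernote's own detection code; the log line format, the thresholds, and the sample traffic are assumptions constructed for the illustration.

```python
# Added example (not Evernote's code): flag a credential-stuffing run in login
# logs using the heuristic described above: one browser, many distinct
# usernames, almost none succeeding. Log format, thresholds and sample data are
# assumptions constructed for this illustration.
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed thresholds; tune against real traffic before relying on them.
MIN_ATTEMPTS = 50          # ignore sources with little traffic
MIN_DISTINCT_USERS = 25    # a real person logs in as a handful of users at most
MAX_SUCCESS_RATE = 0.05    # stuffing runs rarely succeed (the post saw under 1%)


@dataclass
class SourceStats:
    """Per-browser counters. The browser id stands in for a client fingerprint."""
    attempts: int = 0
    ips: set = field(default_factory=set)
    users: set = field(default_factory=set)
    matched: set = field(default_factory=set)  # usernames whose password matched

    @property
    def success_rate(self):
        return len(self.matched) / self.attempts if self.attempts else 0.0


def parse_event(line):
    """Parse an assumed log line: '<ts> browser=<id> ip=<addr> user=<name> result=<ok|fail>'."""
    ts, *kvs = line.split()
    ev = dict(kv.split("=", 1) for kv in kvs)
    ev["ts"] = ts
    return ev


def aggregate(lines):
    """Group attempts by browser so a run that rotates source IPs is still one source."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ev = parse_event(line)
        s = stats[ev["browser"]]
        s.attempts += 1
        s.ips.add(ev["ip"])
        s.users.add(ev["user"])
        if ev["result"] == "ok":
            s.matched.add(ev["user"])
    return stats


def flag_stuffing(stats):
    """Return {browser: sorted matched usernames} for sources that look like a stuffing run."""
    flagged = {}
    for browser, s in stats.items():
        if (s.attempts >= MIN_ATTEMPTS
                and len(s.users) >= MIN_DISTINCT_USERS
                and s.success_rate <= MAX_SUCCESS_RATE):
            flagged[browser] = sorted(s.matched)
    return flagged


def accounts_to_notify(flagged):
    """Accounts whose credentials matched during a flagged run: these users must
    change their password here and on any other service where they reused it."""
    return set().union(*flagged.values()) if flagged else set()


def sample_log():
    """Constructed sample: a run over 200 usernames from one browser rotating two
    IPs, with one exact match; plus two ordinary users, one of whom fumbles a
    password a few times before getting it right."""
    lines = []
    for i in range(200):
        ip = "203.0.113.7" if i % 2 else "203.0.113.9"
        result = "ok" if i == 42 else "fail"
        lines.append(f"2013-02-18T10:{i // 60:02d}:{i % 60:02d}Z browser=b-stuff "
                     f"ip={ip} user=user{i:03d} result={result}")
    lines += [
        "2013-02-18T11:00:00Z browser=b-alice ip=198.51.100.4 user=alice result=ok",
        "2013-02-18T11:05:00Z browser=b-alice ip=198.51.100.4 user=alice result=ok",
    ]
    lines += [f"2013-02-18T11:10:{k:02d}Z browser=b-bob ip=198.51.100.8 user=bob result=fail"
              for k in range(5)]
    lines.append("2013-02-18T11:11:00Z browser=b-bob ip=198.51.100.8 user=bob result=ok")
    return lines


if __name__ == "__main__":
    flagged = flag_stuffing(aggregate(sample_log()))
    for browser, users in flagged.items():
        print(f"block {browser}; warn accounts: {users}")
```

Keying on the browser rather than the IP is what keeps a run that hops between addresses visible as one source; a user who mistypes their own password several times is not flagged because the distinct-username count stays at one.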
We’re providing these details as a Public Service Announcement to remind everyone not to reuse the same password across important services. Use a good system for remembering distinct passwords, or install a strong password manager like 1Password. If you get an email/call/fax that appears to be from your bank/government/social-network/etc., and it says you need to tell them your password … don’t click on any links they provide. Go directly to the website yourself, by typing its address, rather than following the links.
Obviously, most of the people reading this post already know all of that. So take this opportunity to remind a less technical friend.