Issue With Evernote Newsletter Email Addresses

Posted by Dave Engberg on 16 Apr 2012

Posted by Dave Engberg on 16 Apr 2012

Earlier today, we found a flaw in the system we use to allow people to unsubscribe from our newsletters. We are alerting you, our users, because we think you should be aware that this flaw may have caused some user email addresses to fall into unintended hands. We want to ensure you that no accounts or personal data were compromised and we have corrected the error. No action is required by users.

At around 1 a.m. PST, we learned that a security researcher in Russia discovered that the tools we were using to process unsubscribe requests could be compromised to expose the email addresses of other people who also received the same newsletter. We fixed the problem as soon as we were notified about the flaw, but there was a roughly 12 hour period when email addresses could have been retrieved.

There is no evidence of a large-scale compromise, but an analysis of our log files during the affected time period shows that up to 536,613 email address of people who received our last Russian-language newsletter and up to 72,406 email addresses of people who received our English-language newsletters may have been seen by an unauthorized third party. Possession of an email address is not enough to compromise an Evernote account or access other private information, so you can be assured that all of the data in your Evernote account is safe and cannot be accessed by anyone other than you. However, it is possible that some of the exposed email addresses may have landed in the hands of spammers.

We take security and privacy very seriously at Evernote which is why, even though there was no apparent breach of account data in this incident, we think it’s important to describe the details of the situation. We apologize for this mistake and hope that it does not burden our users with extra spam. As always, please be careful about responding to email communications from people claiming to be employees of Evernote. In particular, remember that no Evernote employee will ever ask you for your password, credit card number, or other personal information.

If you have any additional questions or concerns, please contact Evernote Support.


Evernote Premium

Upgrade for features to help you live and work smarter.

Go Premium
View more stories in 'News'

3 Comments RSS

  • Adalbert Pakura

    Good to know, thx for the honest heads up.

  • Ed

    Excellent transparency Evernote! Keep it up. (and plug the hole:-)

  • John

    So will there be some kind of reward like a premium subscription for a month? (sorry)