News

Security Notice: Service-wide Password Reset

作者: Dave Engberg 發佈日期: 02 三月 2013

作者: Dave Engberg 發佈日期: 02 三月 2013

評論

The following blog post was sent to all Evernote users as an email communication.

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.

After signing in, you will be prompted to enter your new password. Once you have reset your password on evernote.com, you will need to enter this new password in other Evernote apps that you use. We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours.

As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content.

There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:

  • Avoid using simple passwords based on dictionary words
  • Never use the same password on multiple sites or services
  • Never click on ‘reset password’ requests in emails — instead go directly to the service

Thank you for taking the time to read this. We apologize for the annoyance of having to change your password, but, ultimately, we believe this simple step will result in a more secure Evernote experience. If you have any questions, please do not hesitate to contact Evernote Support.

The Evernote team

If you’re having trouble resetting your password, read this FAQ. If you still need help, please contact Evernote Support.

Premium

Evernote 專業版

升級獲得更多功能,讓生活更美好、工作更高效。

升級至專業版
閱讀更多故事 'News'

52 意見 RSS

  • jp

    How could anyone access user information on your servers? I was hoping Evernote had solid security mechanisms in place to protect my data…!?

  • Donna Essner

    In the future, can security notices of this kind be highlighted on the homepage, so we don’t have to try to find out about an issue by searching through the website. Those of us who love Evernote would be grateful. Thanks.

  • Tim Garcia

    I think it would have been wise to notify us via email — but to include a link to reset our password in the email would have, of course, been against security “best practices.”

  • Tim Garcia

    I share that concern — in my case, I first got, from the Evernote app on Windows, a notice of a new application update, which I downloaded and installed — then suddenly, I saw that sync’ing was failing because “my password had expired.” I wasn’t aware that Evernote passwords expired, but still more or less acting on the assumption that the “expiration” was legitimate (unwise in retrospect), I clicked from the app to the web page where it asked me to authenticate, which I did — then I “woke up” and realized, “um, foolish me — that could have easily been a phishing attempt”, and before I input a new password, I stared long and hard at the address bar to ensure the domain was actually “evernote.com” and that I was protected by SSL — but in truth, I realized that I could have been redirected after a phishing attempt to get my “old” password to a legitimate evernote.com page — though unlikely given that they would need to have also hacked evernote.com sufficiently enough to know how to access “change password” functionality… still, I realized it was possible and how I need to be ever more vigilant… and I agree, if Evernote had first sent an email notice, it would have at least prepared me to watch more carefully URLs as I went from old password to new.

  • Alexandra Jane Shaw Arrowsmith

    so, were our documents, notes, etc. accessed? How long after the hack were the passwords reset? I am a writer and have ‘trusted’ my evernote account with my musings!!!!
    PLUS, I also received NO email. I had a call from my husband this morning!!

  • Alexandra Jane Shaw Arrowsmith

    Hello Andrew, can you please advise: Are my documents, musings etc safe? I trusted my account with my notes, etc. Are/were they secure?

  • Alexandra Jane Shaw Arrowsmith

    I have still to receive an email. I had to find out from my husband when he saw it on BBC website!!

  • Alison

    That’s where I am at too – only option for password is via email and that is not working. Surely should have a Q&A option as well. Can’t reset password and can’t access documents and work orders don’t seem to get any response. Wondering if it is a con to get us to upgrade but very frustrating. If anyone has had any communications on workaround for this please post.

  • Louise Love

    I mainly use Penultimate. When I opened the app, it said my Password has expired, and it gives me the option to reset, but no matter how many times I click reset the window doesn’t go away. I can’t even click out of it, let alone reset my password. Help??

  • Arthur

    ‘While our password encryption measures are robut’ <– Can you tell us more ?

  • AndrewSinkov

    Please contact Evernote Support: http://evernote.com/support

  • AndrewSinkov

    Our support team will be able to help you: http://evernote.com/support

  • AndrewSinkov

    Please contact Evernote Support. They’ll be able to help: http://evernote.com/support

  • ronaldtoledo

    Our apologies if you didn’t receive your email in a more timely manner. Sending emails to our many users is a large project that unfortunately took longer than we expected.

  • ronaldtoledo

    If you would like to confirm or update the email address we have on file for you after you have successfully logged in to your account, you can do so here:

    https://www.evernote.com/PersonalSettings.action

  • ronaldtoledo

    Please contact our support team so they can help you get your password reset. evernote.com/support

  • ronaldtoledo

    We appreciate your contacting us about this very important topic. We already offer encryption, you can learn more herehttps://support.evernote.com/link/portal/16051/16058/Article/549/Overview-of-Encryption-in-Evernote

    Our CEO, Phil Libin, has this to say about Two-Factor Authentication:

    “We’re working on it. Finding an approach that gives you increased security without making Evernote harder to use is not just a matter of adding two-factor authentication, so we plan on rolling out several related security and protection enhancements in the coming months.”

    We invite you to join other users in discussing 2FA and other security features on our Forums located here:

    http://discussion.evernote.com/

    Thank you for using Evernote!

  • ronaldtoledo

    We encourage you to read this blog post explaining the details of the Service-wide Password Reset http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/

  • ronaldtoledo

    Please contact our support team so they can assist in retrieving any notes that aren’t showing up evernote.com/support

  • ronaldtoledo

    If you’ve already followed the password reset steps and are still having login issues, please contact our suppor team so they can get everything sorted out. evernote.com/support

  • amuramoto

    To reset your password, please visit https://www.evernote.com/RForgotPassword.action

  • amuramoto

    Sorry to hear about the issues you have been having. You can access the password reset directly at https://www.evernote.com/RForgotPassword.action

  • amuramoto

    Please access our password reset form directly at https://www.evernote.com/RForgotPassword.action

  • amuramoto

    Please contact our support team. They will be able to help you recover your account. http://evernote.com/contact/support/

  • amuramoto

    I’m sorry to hear about the issues you have been having. Can you please respond with your support ticket number so that a member of our support team can look into it?

    • Marge

      Hi,

      Ticket number (#16051-251198)

      Marge

  • amuramoto

    I’m sorry to hear about the issue you have been having with your account. Please contact our support team, and they will be able to help you restore access to your account: https://evernote.com/contact/support/

  • David Woodruff

    What a pain this is! I changed my email address, but the password reset only. Works with the original email I used to make the account, which I don’t have access to! So locked out and waiting, waiting, waiting for support to answer my email…

    • amuramoto

      I apologize for the inconvenience. Please reply with your support ticket number, and I will get it to a member of our support team.

  • Marion Murphy

    You have lost my data – for more than six days I have been on a concerted effort to retrieve with no results and no word from your support team and I paid you to be a premium customer! SHAME ON YOU!

    • amuramoto

      I’m sorry to hear about the issue you are having accessing your account. Please reply with the ticket number for your support request and I will make sure it gets to a member of our support team.

  • Peter Smith

    I just opened my account so I am not worrying at all

  • Timothy Reeves

    I don’t know where to ask this question, but I have had EverNote Plus (version 1.00.4.127) on my laptop for a long time and have saved quite a few notes in it. Is there a way to migrate that stuff into the latest version of EverNote so I can use it with my phone etc.?

    Thanks,

    • AndrewSinkov

      Please contact our support team, they should be able to help you migrate to the current version of Evernote.

  • Won Word

    I also didn’t get the email (reading the threads below, it is obvious most folks don’t understand that email is neither reliable nor instantaneous), and upon discovering my varous apps weren’t working, came to the main site and was immediately informed.

    In light if what happened, please implement support for Yubikey!

    Thank you for your diligence!

  • Todd Williamson

    What is this please type 5 uncommon words to reset your password? I can’t reset my password because it won’t take my words. Help?

  • Todd Williamson

    What is this please type 5 uncommon words to reset your password? I can’t reset my password because it won’t take my words. Help?

  • John Doxey

    4/1/13 10:46am EST. I never received an email notification. Saw the update notice on my App Store app. Came here to the blog to check it out.

    Wasn’t it just a month ago that Evernote required everyone to change their password? I did it then.

    So I just want to make sure this is all legit.

    • amuramoto

      I apologize for the confusion. If you already reset your password when we initiated the initial system-wide reset at the beginning of March, you do not have to reset it again.

  • jean claude ethier

    i cant get reset my password as my originals email no longer worksd what do i do?

    • amuramoto

      Please contact our support team. They will be able to help you restore access to your account. http://evernote.com/contact/support/

  • er0ck

    i never got an email on this. evernote now wants me to “verify account ownership” by typing in “5 uncommon words that you recently added to your account” i haven’t been into my account in over a month, how the hell am i supposed to remember that. how do i verify my account? i see no way around this and no way to contact support. wtf??
    this means that anyone that knows my email address can DOS my account anytime they want! seriously broken and misguided attempt at user security.
    the irony of a service that is supposed to remember stuff for me, asking ME to remember what i may have typed in is not lost on me, and should not have been lost on evernote. seriously thinking of deleting my account… if i could get in

    • amuramoto

      I apologize for the inconvenience. Please contact our support team (http://evernote.com/contact/support/). They will be able to help you restore access to your account.

  • amuramoto

    2-step verification is in the works. Stay tuned to our blog for future updates.

  • amuramoto

    2-step verification is in the works. Stay tuned to our blog for future updates.

  • amuramoto

    To the right of the log in there is a link to ‘continue as a guest.’ This will allow you to open a support ticket without logging in.

  • Mary

    I agree – people really need to get and show some gratitude for folks who provide apps like Evernote and provide them at no cost…

  • Mary

    Yeah! Well said!

  • Maremare

    Yessssssss !!! Tell ‘em !

  • Andrea Jaramillo

    I cannot reset my password and I cannot log-in to request support. The “Get Started” button on support takes me to the log-in, which tells me to reset my password. I can’t because I can’t remember 5 uncommon words that were recently used. I had not recently made notes because I was using Catch Notes and decided to switch back to Evernote. How do I contact support without being able to log-in or reset the password? Maybe it is not possible to switch back? If that is the case, I want my information deleted. Please provide a contact method I can use without a password.

    • AndrewSinkov

      When you go the support page, click on the “Continue as Guest” option.

  • amuramoto

    I apologize for the inconvenience. Please visit https://www.evernote.com/SupportLogin.action then click the ‘continue as guest’ link on the right side of the page to open a ticket without logging in.