Evernote shoots itself in foot over "never click on 'reset password' requests" advice

Filed Under: Data loss, Featured, Privacy

After being hacked, Evernote, quite responsibly, has sent out emails to its users informing them of the security breach - and letting them know that it has decided to reset all passwords.

The email goes on to give some password advice - including a warning:

Evernote advice

Never click on 'reset password' requests in emails - instead go directly to the service.

That's a very sound piece of advice, because of the obvious threat - after millions of Evernote customers had their usernames and email addresses stolen - of phishing email attacks.

But take a closer look at the email that Evernote has sent out, with the subject line "Evernote Security Notice: Service-wide Password Reset":

Evernote email

Uh-oh, in the same email that Evernote tells users not to click on 'reset password' requests sent via email, they have clickable links.

And what might make some recipients pause for thought is that the links don't go directly to evernote.com, but instead link to a site called mkt5371.

Now, before you panic that someone is attempting to phish your Evernote credentials with a craftily-designed email, just relax.

Evernote and emailThis was just carelessness on Evernote's part. mkt5371 is a domain owned by Silverpop, an email communications firm who Evernote has clearly employed to send emails to its 50 million or so affected users.

The links in this case *do* end up taking you to Evernote's website - but go silently via Silverpop's systems first.

Presumably that's so Evernote can track and collect data on how successful the email campaign has been.

That's a technique commonly used in a normal marketing email communications, but looks very out of place in an email about a security breach which tries to hammer home the point to "Never click on 'reset password' requests in emails - instead go directly to the service".

You could certainly understand why someone freaked out by the Evernote security breach would be alarmed to receive an email with links like that.

, , , ,

You might like

19 Responses to Evernote shoots itself in foot over "never click on 'reset password' requests" advice

  1. gentmatt · 951 days ago

    This is quite an interesting story. Thanks for the blog post!

    A few months ago I received an email asking to reset my paypal password. But no publicly reported breach had occurred at that time. Since the email's link to reset the password was not *.paypal.com but http://links.mkt2944.com/ctt... I thought it was phishing.

    See my tweet here: https://twitter.com/gentmatt/status/282028098512371712

    I'm still not sure what happend that day. But I went to the paypal website myself and reset the password there.

  2. Freida Gray · 951 days ago

    It seems to me that any password reset request would also be more likely to send you to a site that was https instead of http.

  3. knarf · 951 days ago

    The technique may commonly used in a normal marketing email communications but the email communications firm asks for DNS records in the zone of the customer and ususally does not use its own domain.

  4. This is exactly what I thought when I read that email. I didn't even click on the link because of the warning. Come on, folks, think it through.

  5. sheryldedee · 951 days ago

    I got my email today, and I naturally would have clicked on the link until I read that sentence about never clicking on the links in the email. It does have a bit of bizarre sense about it, but I am still not clicking on the link. Stuff their data collection.

  6. After read this I moved all my stuff to dropbox and delete my Evernote account.

    • 13thGeneral · 950 days ago

      Right, because Dropbox has never been hacked... oh, wait. CNET: Dropbox Hacked

      • Deramin · 949 days ago

        To be fair, DropBox can now prove that they learned their lesson. http://www.h-online.com/security/news/item/Worth-...

        Hopefully Evernote has learned the same lessons. It's good to see Evernote at least knows the proper way to store passwords. That encourages me to think they will be a company that learns that fire is hot, hackers break everything, and be more cautious in the future.

        The good outcome to an incident like this is a company like DropBox who clearly learns their lesson. A bad outcome is one where they don't learn and something like this happens again.

        • lee (donotsell) · 948 days ago

          they are only using MD5 or SHA-1 (64bit) for the hashes so they may had just saved them in plain text (with the password cracking GPU rigs out there)

          at least they used random salts so they cant use rainbow tables meaning that two users with the password called password1 have diferant hashes

  7. What still bothers me is the fact that so far I've only learned about the hack through Sophos. I have not received an email from Evernote. I did go to the site and was prompted to reset my password, but there was nothing indicating why. This leads me to conclude that I should not trust Evernote with my data.

    • 13thGeneral · 950 days ago

      I did the same thing when I couldn't sign into my Evernote desktop app. I checked my email inbox and spam/junk folders, and did not find any notification or warning email issued from Evernote - except I did have the fake Phishing email. Luckily I never click a reset password link unless I go to the site first and specifically request it.

  8. dan · 950 days ago

    Kind of funny...I received this mail from Evernote and noticed the "evernote.mkt5371.com" links. I thought it looked suspicious, so I searched for the domain and found this article. Glad I wasn't the only one weirded out. Pretty stupid, Evernote....

  9. KC94 · 950 days ago

    Maybe they're trying to trick them on purpose, to test if they're listening?

  10. Concerned · 950 days ago

    A very interesting discussion of this issue is on Evernotes Forum now; http://discussion.evernote.com/topic/35615-phishi...

  11. Taz Wake · 950 days ago

    This is quite entertaining - and Evernote was doing so well in handling it's breach until this point...

  12. Alan · 950 days ago

    In this case it looks like Evernote (like many other companies) has simply outhoused corporate communications to a third party, i.e., they no longer speak for themselves. One might wonder if the costs Evernote saved are worth the irritation and confusion they caused to their customers.

  13. Mike · 950 days ago

    First of all, never ever put your private data unprotected on any external service you don't have control over yourself.

    Second: Any data you send unprotected out of your own network, should be considered as "published on Internet".

    Third: It is you who are responsible for protecting your data. Nobody else.

  14. kabigabor · 949 days ago

    I've already re-set it before I got the e-mail from Evernote, thanks for this blog.

    And my new password is... :D

  15. lee (donotsell) · 948 days ago

    there max password limit is 64 as well (no 255 ANSI or brackets, but you can use ?"£)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at https://grahamcluley.com, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley