After being hacked, Evernote, quite responsibly, has sent out emails to its users informing them of the security breach – and letting them know that it has decided to reset all passwords.
The email goes on to give some password advice – including a warning:
Never click on 'reset password' requests in emails - instead go directly to the service.
That’s a very sound piece of advice, because of the obvious threat – after millions of Evernote customers had their usernames and email addresses stolen – of phishing email attacks.
But take a closer look at the email that Evernote has sent out, with the subject line “Evernote Security Notice: Service-wide Password Reset”:
Uh-oh, in the same email that Evernote tells users not to click on ‘reset password’ requests sent via email, they have clickable links.
And what might make some recipients pause for thought is that the links don’t go directly to evernote.com, but instead link to a site called mkt5371.
Now, before you panic that someone is attempting to phish your Evernote credentials with a craftily-designed email, just relax.
This was just carelessness on Evernote’s part. mkt5371 is a domain owned by Silverpop, an email communications firm who Evernote has clearly employed to send emails to its 50 million or so affected users.
The links in this case *do* end up taking you to Evernote’s website – but go silently via Silverpop’s systems first.
Presumably that’s so Evernote can track and collect data on how successful the email campaign has been.
That’s a technique commonly used in a normal marketing email communications, but looks very out of place in an email about a security breach which tries to hammer home the point to “Never click on ‘reset password’ requests in emails – instead go directly to the service”.
You could certainly understand why someone freaked out by the Evernote security breach would be alarmed to receive an email with links like that.