Editorial

Evernote asks you to do what they said you shouldn't

The security world has been hot the past few weeks, with attacks on Apple and Microsoft leading the headlines. Then yesterday, the popular site Evernote was attacked and salted user passwords were stolen. Although the compromises are bad, we have to give the companies credit for coming forward to the media and reporting these breaches to the public.

Evernote went a step further and forced all of their users to reset their passwords. Although they claim that the passwords are very secure and would be difficult for the attackers to decrypt, it’s still a good idea to change them. The Evernote email told users to “read below for details and instructions” on how to do that, and those instructions included:

While our password encryption measures are robust, we are taking steps to ensure your personal data remains secure. This means that in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on evernote.com.

To be helpful, the company provided a hyperlink for evernote.com. However, upon careful inspection, you’ll notice that the link does not take you directly to the website, but instead to http://links.evernote.mkt5371.com. What is mkt5371? It’s a domain owned by Mark Monitor, which is in turn owned by Thomson Reuters, with Silverpop also somehow factoring into the equation. The company provides an email service to companies that want to send messages out to their customers since sending 50,000,000 messages at once is not an easy task. The service probably also records “opens and clicks” so that Evernote can tell how many people opened the email and clicked on the links it contains.

Evernote’s email goes on to include some useful security tidbits for everyone, not just their site.

There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:

  • Avoid using simple passwords based on dictionary words
  • Never use the same password on multiple sites or services
  • Never click on 'reset password' requests in emails - instead go directly to the service

Do you see the last recommendation? It’s great advice, especially since email spoofing is really easy. Unfortunately, Evernote apparently doesn’t practice what they preach, given the link to mkt5371.com that redirects to evernote.com. Although in this case the link is harmless, it continues to train users that clicking links in emails is OK, a habit that is one of the biggest security concerns on the Internet today.

We have a feeling this may be a case of the marketing and security teams not seeing eye to eye.


26 Comments


Maybe it's a test? Maybe Evernote tracked all the people who clicked the link to see how many people didn't read the advice. Just a thought, it probably isn't that but best to look from all angles.

Evernote apparently doesn't practice what they preach given the link to mkt5371.com that redirects to evernote.com.

Not really. They aren't the ones clicking or not clicking the link in the email so I don't see exactly how you are drawing this hypocrisy conclusion. It is probably confusing for the end users to be given a link and then told not to click on it, but their recommendations are still valid in spite of the link.

Shadrack said,
Not really. They aren't the ones clicking or not clicking the link in the email so I don't see exactly how you are drawing this hypocrisy conclusion. It is probably confusing for the end users to be given a link and then told not to click on it, but their recommendations are still valid in spite of the link.

They should have said, "You shouldn't click links in emails, so please go to Evernote.com, then click the 'reset password' link." Instead they said, "Don't click links in emails," and then provided a link in the email.

Which is what they said: "Please create a new password by signing into your account on evernote.com."

They do not say "click this link", they say to go to the site and change your password, which is the proper way of doing this kind of thing. As has been stated above, it is unclear who made "evernote.com" into a link.

NoPanShabuShabu said,
As has been stated above, it is unclear who made "evernote.com" into a link.

It doesn't matter who made it into a link, the fact is it IS a link and since the email came from Evernote, they're directly responsible for it.

The website's homepage has a direct link to reset homepage, the email has no link.... "Editorial" invalid.

Well, there is good security advice, and then there is the reality of the situation that people are not going to follow up, and those passwords don't reset themselves. What they should have done is include a link but send it to a page that says "NEVER click on password resets from unexpected emails!" as a test, but then again, anyone who clicked the link isn't going to ever learn anyway.

Lots of sites use services to send out mass emails... so perhaps Evernote put a plain text URL in the email body, and it was the emailing service that upgraded it to a tracked URL... I don't think Evernote should get blame for something they may not have done...

Evernote should get the blame because they included a link in the first place to reset your password, after saying that you should go directly to the service and not use links. Whether it was upgraded by the marketing company isn't relevant since the sin was including the link in the first place.

petrolly said,
Evernote should get the blame because they included a link in the first place to reset your password, after saying that you should go directly to the service and not use links. Whether it was upgraded by the marketing company isn't relevant since the sin was including the link in the first place.

I think what k776 meant was that the email service might have taken a plaintext (non-link) URL and then turned it into a link for tracking purposes.

Another reason why you should use OneNote instead... it's miles better than Evernote and integrates nicely with SkyDrive and Office on all devices.

Jolo said,
There's no OneNote for Mac.

There's OneNote for iOS. For Mac you can use the new web version which is great as well.

j2006 said,

There's OneNote for iOS. For Mac you can use the new web version which is great as well.

For some reason, the app ratings on Google Play and the iTunes App Store aren't very good.

tanjiajun_34 said,
For some reason, the app ratings on Google Play and the iTunes App Store aren't very good.

Probably because the iOS app was released and then never updated. It doesn't even fill the screen on an iPhone 5.

Techno_Funky said,
But OneNote is not free.

How is it not free?

https://skydrive.live.com/ (Create > OneNote Notebook)

https://play.google.com/store/...ft.office.onenote&hl=en

https://itunes.apple.com/us/app/onenote/id410395246?mt=8

http://apps.microsoft.com/wind...f3a6-417e-ad23-704fbdf57117

If you're talking about the desktop application, then yeah that one's not free but the majority of students have Microsoft Office Word as part of the Office Home and Student suite. Which includes OneNote.