Forum Posts Feed
Watch out for Evernote spoofing
< Next Topic | Back to topic list | Previous Topic >
Posted by Cassius
Mar 21, 2013 at 12:15 AM
I just received a possibly fraudulent email from Evernote, claiming that I had put in a request to change my password. I DIDN’T. The email states that if I didn’t make the request, just ignore the email—DO NOT click on the link.
Posted by gunars
Mar 21, 2013 at 12:26 AM
I believe this may be a legit message. See:
http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/
Clicking on links in messages is to be avoided an
Posted by Cassius
Mar 21, 2013 at 12:34 AM
gunars wrote:
I believe this may be a legit message. See:
>
>http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/
>
>Clicking on links in messages is to be avoided an
———————————————————————————————————————————-
The email included a link to click on. As Evernote says (in the above mentioned blog), “Never click on ‘reset password’ requests in emails — instead go directly to the service,” either the email was a spoof, or Evernote foulde up.
Posted by Alexander Deliyannis
Mar 21, 2013 at 09:44 AM
I don’t think that this has to do with the recent Evernote password reset initiative.
I believe that the message is legitimate, but that the trigger is erroneous. I have been getting such messages for the past year, quite regularly. My explanation is that a user remembers their Evernote username wrongly, and has been entering it in the “forgot my password” form, in order to recover access to their account. Unfortunately, I do not have any way to identify who that lost soul is.
Cassius wrote:
>The email included a link to click on. As Evernote says (in the above
>mentioned blog), “Never click on ‘reset password’ requests
>in emails — instead go directly to the service,” either the email
>was a spoof, or Evernote foulde up.
The problem here is that, if the password has already been reset by Evernote, how on earth does one enter the service? The password reset link supposedly includes a verification MD5-type code which is unlikely to be forged.