Evernote shoots itself in foot over “never click on ‘reset password’ requests” advice

Graham Cluley
@gcluley

After being hacked, Evernote, quite responsibly, has sent out emails to its users informing them of the security breach – and letting them know that it has decided to reset all passwords.

The email goes on to give some password advice – including a warning:

Never click on ‘reset password’ requests in emails – instead go directly to the service.

That’s a very sound piece of advice, because of the obvious threat – after millions of Evernote customers had their usernames and email addresses stolen – of phishing email attacks.

But take a closer look at the email that Evernote has sent out, with the subject line “Evernote Security Notice: Service-wide Password Reset”…

Read more in my article on the Naked Security website.

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.