Evernote shoots itself in foot over “never click on ‘reset password’ requests” advice

After being hacked, Evernote, quite responsibly, has sent out emails to its users informing them of the security breach – and letting them know that it has decided to reset all passwords.

The email goes on to give some password advice – including a warning:

Evernote advice

Never click on ‘reset password’ requests in emails – instead go directly to the service.

That’s a very sound piece of advice, because – now that millions of Evernote customers have had their usernames and email addresses stolen – the obvious threat is phishing email attacks.

But take a closer look at the email that Evernote has sent out, with the subject line “Evernote Security Notice: Service-wide Password Reset”:

Evernote email

Uh-oh, in the same email that Evernote tells users not to click on ‘reset password’ requests sent via email, they have clickable links.

And what might make some recipients pause for thought is that the links don’t go directly to evernote.com, but instead link to a site called mkt5371.

Now, before you panic that someone is attempting to phish your Evernote credentials with a craftily-designed email, just relax.

Evernote and email

This was just carelessness on Evernote’s part. mkt5371 is a domain owned by Silverpop, an email communications firm which Evernote has clearly employed to send emails to its 50 million or so affected users.

The links in this case *do* end up taking you to Evernote’s website – but go silently via Silverpop’s systems first.

Presumably that’s so Evernote can track and collect data on how successful the email campaign has been.

That’s a technique commonly used in normal marketing email communications, but it looks very out of place in an email about a security breach which tries to hammer home the point to “Never click on ‘reset password’ requests in emails – instead go directly to the service”.

You could certainly understand why someone freaked out by the Evernote security breach would be alarmed to receive an email with links like that.
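As an added example (not code from the original post), here is the defender-side check that the mix-up above calls for: parse the anchors in an HTML email body and flag any whose host is not under the sender’s own domain, which is exactly the mismatch a reader following the “go directly to the service” advice would notice. The sample body, the mkt5371.example hostname and the tracking path are constructed placeholders, not Silverpop’s or Evernote’s real URLs.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def find_offsite_links(html_body, sender_domain):
    """Return http(s) links whose host lies outside sender_domain (tracking redirectors included)."""
    parser = _LinkCollector()
    parser.feed(html_body)
    offsite = []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            if not host_matches(parsed.hostname, sender_domain):
                offsite.append({"href": href, "text": text, "host": parsed.hostname})
    return offsite

# Constructed sample body modelled on the post; the tracking hostname and
# path are invented placeholders, not Silverpop's real URLs.
SAMPLE_EMAIL = """
<p><a href="https://www.evernote.com/">Go to Evernote</a></p>
<p><a href="http://mkt5371.example/track?u=123">Reset your password</a></p>
<p><a href="mailto:support@evernote.com">Contact support</a></p>
"""

if __name__ == "__main__":
    for link in find_offsite_links(SAMPLE_EMAIL, "evernote.com"):
        print(f"off-site link: '{link['text']}' -> {link['host']}")
```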

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
