Evernote Security Breach Announcement Includes One (Big) Stumble

You’ve heard by now that Evernote had a major security breach and is forcing its customers to reset passwords… 50 million accounts.

What you may not have realized is that Evernote’s email announcing the problem – a much more transparent and prompt response to the issue than most of the tech giants who preceded them down this path – included what looked like a spoofed link to a password-reset page.

I learned about this Saturday when a tech friend provided a heads-up re the discrepancy. I wondered out loud if someone was already using the outage as a phishing attack.

But no, the odd link came from Evernote’s email marketing firm.

Here’s my link:

http://links.evernote.mkt5371.com/ctt?
kn=4&ms=NTcwNzMxMwS2&r=MzMwMzA2NDY0OTAS1&b=0&
j=Njc1NzUzOTES1&mt=1&rt=0

Who/what is mkt5371.com? It’s the mail server for Silver Pop, a direct email marketing firm.

This is not the time to be tracking email clicks like this, guys. Add tracking code to your primary domain if you must track, don’t substitute it with something that looks this suspicious.

And then in what has to be the biggest irony in the heads-up email from Evernote … they warn you not to click on password reset links in emails:

Never click on ‘reset password’ requests in emails – instead go directly to the service

This is after Evernote has prompted the reader twice to reset her password by clicking on a link in the email. Yes, the link goes only to the top level (Evernote home) but the only way you can know that is to click on the link.

This is a big stumble in what was otherwise an exemplary crisis communications response.

Recent cracked security systems: LinkedIn, Pinterest, Twitter, Tumblr.

Updated: added a link to a screen capture of my friend’s (anonymized) email