Evernote, you really messed this one up, and you're making it worse.


So… Evernote was hacked. Yay. Except that their “recovery” procedure is seriously, significantly, embarrassingly flawed. I’m flabbergasted.

The procedure is as follows:

  1. Log in with your old password.
  2. Change your password to a new one.

Yes, that’s right. All you need to change your password is your old, compromised password, and there’s no other verification required. No email verification, no secret questions, no nothing.
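The gap described above, as an added example that is not from the original post or from Evernote: `weak_reset` models a change authorized by the old password alone, while `hardened_reset` requires a single-use, expiring token sent to the account's email address. The function names, the token lifetime and the in-memory account model are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 900  # seconds a mailed token stays valid (assumed value)

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, email, password):
        self.email, self.salt = email, secrets.token_bytes(16)
        self.pw_hash = hash_pw(password, self.salt)
        self.token_hash, self.token_expiry = None, 0.0

def check_password(acct, password):
    return hmac.compare_digest(acct.pw_hash, hash_pw(password, acct.salt))

def set_password(acct, new_password):
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_pw(new_password, acct.salt)

def weak_reset(acct, old_password, new_password):
    # Flow from the post: the (possibly leaked) old password is the only check.
    if not check_password(acct, old_password):
        return False
    set_password(acct, new_password)
    return True

def issue_reset_token(acct, now=None):
    # The caller mails the returned token to acct.email; only its hash is stored.
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    acct.token_hash = hashlib.sha256(token.encode()).digest()
    acct.token_expiry = now + TOKEN_TTL
    return token

def hardened_reset(acct, mailed_token, new_password, now=None):
    # Proof of mailbox control replaces the old password as the authorizer.
    now = time.time() if now is None else now
    if acct.token_hash is None or now > acct.token_expiry:
        return False
    supplied = hashlib.sha256(mailed_token.encode()).digest()
    if not hmac.compare_digest(supplied, acct.token_hash):
        return False
    if check_password(acct, new_password):
        return False  # refuse to keep the compromised password
    set_password(acct, new_password)
    acct.token_hash = None  # single use
    return True
```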

Evernote, I don’t think you understand how serious this is. This needs to change, immediately.

(If you have an Evernote account, I advise you to go change your password NOW. Before someone else does.)