Watch out for Evernote spoofing

Started by Cassius on 3/21/2013
Cassius 3/21/2013 12:15 am
I just received a possibly fraudulent email from Evernote, claiming that I had put in a request to change my password. I DIDN'T. The email states that if I didn't make the request, just ignore the email--DO NOT click on the link.
gunars 3/21/2013 12:26 am
I believe this may be a legit message. See:

http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/

Clicking on links in messages is to be avoided an
Cassius 3/21/2013 12:34 am
gunars wrote:
I believe this may be a legit message. See:

http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/

Clicking on links in messages is to be avoided an
---------------------------------------------------------------------------------------
The email included a link to click on. As Evernote says (in the above mentioned blog), "Never click on ‘reset password’ requests in emails — instead go directly to the service," either the email was a spoof, or Evernote fouled up.
Alexander Deliyannis 3/21/2013 9:44 am
I don't think that this has to do with the recent Evernote password reset initiative.

I believe that the message is legitimate, but that the trigger is erroneous. I have been getting such messages for the past year, quite regularly. My explanation is that a user remembers their Evernote username wrongly, and has been entering it in the "forgot my password" form, in order to recover access to their account. Unfortunately, I do not have any way to identify who that lost soul is.

Cassius wrote:
The email included a link to click on. As Evernote says (in the above
mentioned blog), "Never click on ‘reset password’ requests
in emails — instead go directly to the service," either the email
was a spoof, or Evernote fouled up.

The problem here is that, if the password has already been reset by Evernote, how on earth does one enter the service? The password reset link supposedly includes a verification MD5-type code which is unlikely to be forged.