Yesterday I was cleaning my inbox and find some strange emails.
They are emails from Evernote and Uber informing me that someone signed into my accounts and they need to verify the 2nd-factor OTPs:
Since I don’t use Evernote and Uber since a long time, I’m sure this is not from me.
My guess is that I used the same password in a lot of services before, and maybe some of these services were compromised. Hackers now use an automated tool to sign into well known services with compromised login credentials they got.
Uber did a good job preventing further access by requiring an OTP. Evernote not so much.
I don’t store any confidential content on Evernote. But if you do, it’s really troublesome.
The solution to this is quite simple: You should use different passwords for each services, and use a password manager to save the passwords. Or you can use a simple hash function to derive your password from the name of the service and a simple secret word that you remeber in your head.
You can check whether your password is compromised at https://haveibeenpwned.com/
You can see my email was compromised in 28 services.