Simplenote security breach tonight!

  • I’ve just created myself a Reddit account so I can alert the world of this issue I experienced tonight…
    I can’t find anyone else talking about it online, so maybe it’s only happened to me, but it’s still important enough to raise the alarm…

    When I logged into Simplenote tonight via a web browser on my laptop, all of my notes had been changed and were written in a foreign language (that language was Finnish according to Google Translate, I’m based in the UK). I could also actively see the person writing a new note.

    The account also showed as a different email address to mine, even though it still accepted my login details.

    My first thought was that I’ve been hacked, so I instantly put my phone in airplane mode and exported my actual notes to file (on Android).

    Back on the laptop I changed my password and email address, which I was still able to do and got the confirmation emails, even though I was looking at someone else’s notes. Then I deleted the account.

    It’s as if the Simplenote database messed up and linked my account details with someone else’s notes. The oldest note of theirs was last modified in 2018, so how could it have been them hacking my account and editing my own notes?

    If I’ve been able to read someone else’s notes, who knows who else in the world has seen my notes!

    Simplenote doesn’t have MFA features, and I’ve not stored anything particularly private or identifiable in my notes. But many others will have done!

    I will contact Simplenote support now, but just wanted to raise the alarm here.

    PS: I signed up to Reddit tonight to try and warn the world there, but every subreddit I posted to blocked me because I’m too new. So that’s frustrating when I want to warn everyone of a security breach :-D

  • Same issue here. When I logged into Simplenote, it asked me to “review” my account and showed that it was “owned” by someone with a completely different email address, even though I had logged in with my own email address.

    I saw a bunch of notes in a foreign language. None of my own notes.

  • Just wanted to chime in. I am seeing the same as well. I am getting someone else’s notes in Japanese.

  • Same issue here. Can you please assist.

  • I have had the same problem and concern. So far I have somehow gotten into three other random accounts for emails I have never heard of, using my usual login credentials. The site is not allowing me to change my email or see my own notes on the web app.

    The iOS and Mac OS apps seem to be working. But this is a major issue if other people might accidentally be seeing my account.

  • Same here. Simplenote comes up with someone else’s email address and notes in another language. Is this being taken care of?

  • Thanks for the report everyone, we’re looking into this. If any of you remember, did you sign in using a link/code that arrived in your email, or using your username and password?

    We reset some changes that were made last week. If you sign out and sign in on the web app, please let us know if you see your account properly again.

  • Update: Today, we discovered that a small number of accounts were mistakenly given access to a few other Simplenote accounts on the web app. We have already taken steps to correct this for all affected users. The Simplenote Mobile and Desktop apps were not affected.

    If you logged in and noticed notes from another user, please be assured that your own notes remain secure and were not accessible to anyone else. We will soon be emailing everyone affected with further details. We take data privacy very seriously and appreciate those who reported the issue promptly.

    If you are still having problems signing in, please let us know here and we will look into it!

  • I deleted my account and I want all of my data removed from Simplenote. I don’t understand how you can say “your own notes remain secure and were not accessible to anyone else.”

    How can you say that? I saw somebody else’s notes, so how can you be sure nobody saw my notes? I will never use Simplenote again after this, and I would like to be personally contacted by a staff member with an apology.

  • @mikeliberale We sincerely apologize for any inconvenience or concern this may have caused. We understand and respect your decision with your Simplenote account.

    If you’re also affected by this incident and haven’t received any emails from us, please do let us know. We’ll make sure to reach out to you personally. Thank you.

  • I was affected by this incident and still haven’t received any emails from you.

    For those looking for an alternative, check this out:
    https://gitjournal.io/
    https://github.com/GitJournal/GitJournal

    There is also a migration tool from Simplenote to GitJournal: https://github.com/siviae/gitjournal-simplenote-exporter/

    I have tried it and I find it great. There are still some minor issues, but it’s actively maintained and hopefully all “critical” issues will be resolved in time.

  • @staff-pikachu @staff-fred

    Can you guarantee that me deleting my Simplenote account definitely deleted all of my own notes? I have the deletion confirmation email dated 16 August 2024. But I am concerned that it deleted the Finnish person’s notes and not my own. I am concerned my notes are still out there being accessed by someone random.

  • @24879f0ufosdhfs02395 Yes, deleting your account uses email verification and will delete only the notes associated with it. The other user’s notes did not get associated with your account as a result of this incident.

  • @staff-pikachu If I was to provide you with the email address I was using for my Simplenote account, could you confirm how many other users viewed my notes during this issue?

  • Yes, would you be able to send it to us in a Twitter DM @simplenoteapp?

  • Is this problem solved?

  • Hi @aji3689! Yes, we responded to that issue immediately when it happened.

    We corrected this access, and affected users can sign back into the web app to access their account again. Please note that users’ accounts and notes were not compromised during this incident and remain only accessible to their account.
