Hello! I'm a regular on this sub (lurking mostly). Feeling a bit skittish and violated at the moment, using a throwaway account for this.
This morning, wife got email alert from Evernote that there is a suspicious login activity on her account. I checked it out for her (ofc not interacting w/email directly - rather, went to Evernote website directly).
Indeed, someone in another country logged into her account. We revoked access to all devices (it was just 2 devices, her computer and this foreigner).
Quickly added 2FA on her account, changed pass to something much stronger. Looked at what kind of info the person could have obtained. I had shared a handful of documents with her Evernote account years ago. Unfortunately, one of those docs happens to be a photocopy of birth certificate of one of our kids, with both of our SSNs on it. Photocopies of our own birth certificates are also in the list. I know how much damange can be done if someone had our birth certificates and also our SSNs.
We have already placed credit freeze on everything for both of our accounts (6 total.. Experian, Equifax, Transunion x2) - surprisingly easy to do (thankfully!). That's done.
We also obtained latest copies of credit reports. No suspicious activity on them when we checked, but of course that doesn't mean we're out of the woods, who knows what the person would do with our information eventually.
I'm working ATM on getting pin numbers from IRS, notifying SSA of the breach, going through our accounts (especially financial ones and anything of high importance) to ensure we have 2FA and strong passwords - we already have both of those for almost everything, it's just unfortunate we completely overlooked and forgot about wife's Evernote account that has been dormant for a while.
The next thing I'm working on is placing fraud alerts. Here's where I have an question - there are two choices: Initial fraud alert (1 year), or extended fraud alert (7 years). I read the FAQs, etc.. to my understanding, extended fraud alerts are free only for victims of identity thefts. Question: are we already considered victims of identity thefts, or is that designation reserved only for when the data from breach of security is actually used against us (like attempts to apply for credit cards in our names, etc)? I would think yes, we are victims of identity theft here, but is that how they (credit reporting agencies) also see it - will they add extended fraud alerts on our account for free?
Thanks in advance - I'll update this post in case I need to add some more clarifications or updates on our situation.
Updates: Obtained filing pin from IRS (luckily I lived in one of 20 states where I can opt-in for the filing pin). Also, thanks to recommendation by one of comments here I've also placed a freeze on Innovis and requested copies of reports. Placed 1-year fraud alerts on both of our accounts with all 3 credit reporting agencies (still need to figure out if we want 7-year fraud alerts that is granted only to "victims of identity theft" - are we really one yet just by mere Evernote login breach?)
Submitted September 08, 2020 at 07:40PM by another_throw_awayz https://ift.tt/32ayg2R
