
1Password attack urges users to reset master password

There’s good reason why security experts, and analysts such as myself, recommend using a password manager as hackers continue to attack the integrity of your login credentials across accounts. Some people have suggested using emoji passwords in the face of 10-second infostealer threats to your passwords, but a password manager remains your primary best defense. But what if your password manager itself comes under attack? That’s the issue facing users of my recommended platform, 1Password, as scamming hackers strike in an effort to obtain the master password that unlocks the treasure vault within.
Here’s what you need to know. What we have here is a phishing scam that, because it targets one of the most popular password managers out there, 1Password, is particularly dangerous if successful. A number of users, as first spotted by Hillary Keverenge at TechIssuesToday, have been posting online, to the 1Password subreddit and the X social media platform, including screenshots of the same email that they have received.
The email, with a subject line of “Action Required: Reset your password,” warned the recipient that a security issue regarding their 1Password account password had been detected. “Our advanced AI monitoring system flagged it as compromised due to a recent breach,” the email stated, along with the action required to supposedly keep the account safe.

[Image: 1Password phishing email.]
“Please reset your password within the next 24 hours to maintain account security. If not updated, your account will be temporarily locked for your protection, and you'll need to contact support to regain access.” Because a 1Password data breach is mentioned in the phishing email, and users have received the attack bait at addresses connected with their accounts, there has been a lot of speculation online that 1Password must have been successfully attacked.
This seems very unlikely indeed to me, not only due to the measures in place to protect users from such an event, but also the sheer number of red flags present in the phishing campaign itself. I have reached out to 1Password for a statement and will update this article in due course, but in the meantime, here’s what I know.

Firstly, and most obviously, there is the email itself, which has been sent from a totally random domain with “support” as the account name.
That, quite frankly, should fool nobody these days. 1Password is not going to send out important notifications from such an address. Ever.
Secondly, there’s the urgency aspect of the email, which urges action within 24 hours or the account will be suspended. Again, total nonsense. If there were any doubt in your mind as the recipient of such a communication, then a quick visit to 1Password’s home page using a directly typed address, bookmark, or search result would quickly put you at ease.
Why would such a critical notification arrive by email and not be present on your account pages or in your app? Any further lingering doubts would be squashed by contacting the official 1Password support team.

Thirdly, even if you were fooled and headed for the link to reset your password that is included in the email, that’s not all that is required. Sure, they could get you to enter your master password with the lure of it being a change required by that supposed security incident, but there’s a little something else that 1Password also needs: a secret key.
This secret key adds another layer of protection atop the 1Password master password, 34 characters that are stored only on devices you use to sign into your account. The secret key is created on your own device, and 1Password said, “we have no record of your secret key and can’t recover it.” Nobody can access your 1Password data without the secret key, and being asked to enter this should set those red flags flapping even more.
At the very least, the time taken to go and locate it and then enter it should allow for that knee-jerk urgency to calm down a little and rational thought to enter the process once more.

So, to recap:

Never allow a sense of urgency to cloud your judgement. Always step back, count to 100, and think about what is being asked of you before.

Always check the email address that such a notification is coming from; some scammers are truly lazy, as was the case here, and don’t even try to obfuscate it.

Never follow a link through email or messaging to reset your password; always go directly to the source yourself.

Never reveal your 1Password secret key, as this is the ultimate protection for your password vault.
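The red flags listed above can be turned into a simple triage check for a mail filter or help desk. The following script is an added example written for this article, not 1Password’s own tooling; the sample email is constructed to mirror the message described here, and the set of trusted sender domains is an assumption you should confirm against the vendor’s own guidance.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the phishing email described in the article (not a real message).
SAMPLE_EMAIL = """From: support@random-domain.example
To: user@example.com
Subject: Action Required: Reset your password

Our advanced AI monitoring system flagged it as compromised due to a recent breach.
Please reset your password within the next 24 hours to maintain account security.
Reset here: https://reset-1password.random-domain.example/login
Enter your master password and secret key to continue.
"""

# Assumption for this example: domains 1Password legitimately sends from.
TRUSTED_SENDER_DOMAINS = {"1password.com"}

# Phrases that apply the "act now or be locked out" pressure the article calls out.
URGENCY_PATTERNS = [r"within the next \d+ hours?", r"temporarily locked", r"action required"]
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sender_domain(from_header):
    """Extract the domain part of a From: header (empty string if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header or "")
    return m.group(1).lower() if m else ""


def triage(raw_email):
    """Return the list of red flags from the article that a message trips."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []
    dom = sender_domain(msg.get("From"))
    if dom not in TRUSTED_SENDER_DOMAINS:
        flags.append(f"sender domain not trusted: {dom}")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        flags.append("urgency / lockout pressure")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not (host == "1password.com" or host.endswith(".1password.com")):
            flags.append(f"reset link to untrusted host: {host}")
    if "secret key" in text:
        flags.append("asks for the Secret Key")
    return flags


if __name__ == "__main__":
    for flag in triage(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

A message that trips the sender-domain check alone already warrants the “go directly to the source” step; the other flags just raise confidence.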