Skip to main content
February 27, 2025
Solved

Session Key Enhancement Suggestion

  • February 27, 2025
  • 1 reply
  • 93 views

Hi,

Regarding the Disney Employee attack (see Lounge post "Did 1Password get hacked? The Disney Employee said hackers got into his 1password account."), a commenter suggested that 1P was illicitly accessed by stealing a session key for a 1P session. If that's possible (even if it wasn't the problem in this case), can't 1P modify it's session keys so this is detected and prevented? Apparently session key harvesting is sometimes employed by hackers, so this this would be a useful security enhancement.

Thanks,

Mike

Best answer by 1P_Blake

Hey Mike,

I totally understand the concern, and I appreciate you bringing this up! The key thing to note here is that in this particular case, the attacker compromised the individual’s entire device.

Once a device is compromised (e.g., via a keylogger or other malware), an attacker can intercept anything the user types, including their Master Password. That means they could log in and access data just as the legitimate user would. At that point, security measures within 1Password can’t override the fact that the attacker essentially has full control of the device.

To help protect against this type of attack, the best defense is keeping devices secure by installing updates, enabling built-in security protections, and using endpoint protection tools to detect and block malware.

For more details on how 1Password protects information on your devices (and when it can’t), I would recommend reading our blog linked below. 👇

🔗 How 1Password protects information on your devices (and when it can’t)

1 reply

1P_Blake
1P_BlakeAnswer
Community Manager
February 28, 2025

Hey Mike,

I totally understand the concern, and I appreciate you bringing this up! The key thing to note here is that in this particular case, the attacker compromised the individual’s entire device.

Once a device is compromised (e.g., via a keylogger or other malware), an attacker can intercept anything the user types, including their Master Password. That means they could log in and access data just as the legitimate user would. At that point, security measures within 1Password can’t override the fact that the attacker essentially has full control of the device.

To help protect against this type of attack, the best defense is keeping devices secure by installing updates, enabling built-in security protections, and using endpoint protection tools to detect and block malware.

For more details on how 1Password protects information on your devices (and when it can’t), I would recommend reading our blog linked below. 👇

🔗 How 1Password protects information on your devices (and when it can’t)