Getting started with 1Password for your growing team, or refining your setup? Our Secured Success quickstart guide is for you.
Forum Discussion
Solved
Passkeys in a compromised account
In today's (2/26) Wall Street Journal is an article about someone whose 1Password account was hacked via Github malware with the hacker gaining access to the poor guy's vault(s). He did not have 2FA...
Hey JAC3467! đź‘‹
First, to address the core concern that some folks might have upon jumping into this thread: 1Password itself was not hacked. In this case, the attacker compromised the individual’s local device and intercepted their Account Password using a keylogger, which allowed them to log into 1Password. Once a device is compromised, an attacker can gain nearly unrestricted access.
While enabling 2FA on your 1Password account is a great security measure, it would not have prevented this specific attack. 2FA on your 1Password account helps protect against unauthorized access from new or untrusted devices—but since the attacker was logging in from the victim’s already-authorized device, 2FA wouldn’t have applied in this scenario.
To guard against attacks that exploit compromised devices, you should:
- Ensure device integrity — keep your devices free from malware by installing security updates, enabling built-in security features, and using endpoint protection tools that actively detect and prevent threats.
- Trust only verified sources — download software exclusively from trusted providers. Avoid unverified applications that could contain hidden malware.
- Strengthen authentication for critical accounts —use phishing-resistant authentication methods like hardware security keys (e.g., YubiKey) or a separate authenticator app to reduce the risk of credential compromise.
- Limit exposure from browser extensions — review and disable unnecessary or untrusted extensions, as they can introduce vulnerabilities that attackers may exploit.
My understanding is also that passkeys would be compromised in this case .
What I DONT understand about this article is how the secret key didn’t serve as a second factor of sorts and how they exfiltrated the 1Password data . I suspect they didn’t login to it remotely (they would have needed the secret key to add a new device , which they were unlikely to get from a keylogger ), but instead got to the data via the unlocked 1Password app on the guy’s home computer .. in which case the second factor like a yubikey or Authenticator wouldn’t have saved him.. this article and others are lacking here on what precisely happened.
