Getting started with 1Password for your growing team, or refining your setup? Our Secured Success quickstart guide is for you.
Forum Discussion
Solved
Passkeys in a compromised account
In today's (2/26) Wall Street Journal is an article about someone whose 1Password account was hacked via Github malware with the hacker gaining access to the poor guy's vault(s). He did not have 2FA...
Hey JAC3467! đź‘‹
First, to address the core concern that some folks might have upon jumping into this thread: 1Password itself was not hacked. In this case, the attacker compromised the individual’s local device and intercepted their Account Password using a keylogger, which allowed them to log into 1Password. Once a device is compromised, an attacker can gain nearly unrestricted access.
While enabling 2FA on your 1Password account is a great security measure, it would not have prevented this specific attack. 2FA on your 1Password account helps protect against unauthorized access from new or untrusted devices—but since the attacker was logging in from the victim’s already-authorized device, 2FA wouldn’t have applied in this scenario.
To guard against attacks that exploit compromised devices, you should:
- Ensure device integrity — keep your devices free from malware by installing security updates, enabling built-in security features, and using endpoint protection tools that actively detect and prevent threats.
- Trust only verified sources — download software exclusively from trusted providers. Avoid unverified applications that could contain hidden malware.
- Strengthen authentication for critical accounts —use phishing-resistant authentication methods like hardware security keys (e.g., YubiKey) or a separate authenticator app to reduce the risk of credential compromise.
- Limit exposure from browser extensions — review and disable unnecessary or untrusted extensions, as they can introduce vulnerabilities that attackers may exploit.
Anyone with remote access to your machine while 1Password is authenticated could result in stolen credentials via export or otherwise. Not much that could be done about this. Need better spyware protection on Windows.
Well, to some degree Windows offers lower inter-process protection and hardening than is available on other platforms like iOS/Android/MacOS. 1Password themselves even cites this. They also cite that they could be doing in theory more programmatic hardening on windows but choose not to do the obfuscation because it sometimes makes things hard to debug (a bit of a cop-out IMO): https://blog.1password.com/local-threats-device-protections/
The article sounds sane but then ends with some pretty air-headed contradictory commentary "When security restrictions clash with convenience and we have to make choices, we’ll always choose to give your secrets the best fighting chance." -- Except they explicitly disclaim making this choice in the prior paragraph:
Runtime Application Self-Protection frameworks, for example, would allow us to make even root level attackers suffer. But these third-party products often have serious performance, reliability, and privacy considerations. The implications are serious enough that we’ve decided not to use them.
Translation: We arn't experts in DRM and malware style obfuscation of code, and we don't want to pay someone else to do it, because that would cost money and make debugging hard.
Such products exist and DO work to make attacker's lives hard, with relatively small or negligible performance hits most of the time. The best of them do use more aggressive kernel drivers and such. Since they don't say what usability issues would be caused by using such tools, it feels like a bit of handwaving from a 1password on this product management perspective. Ultimately it could be compromised too, of course, but it's utterly ridiculous to then follow this up with we’ll always choose to give your secrets the best fighting chance, right after you've said that you made the opposite choice.
