Getting started with 1Password for your growing team, or refining your setup? Our Secured Success quickstart guide is for you.
Forum Discussion
Solved
Passkeys in a compromised account
In today's (2/26) Wall Street Journal is an article about someone whose 1Password account was hacked via Github malware with the hacker gaining access to the poor guy's vault(s). He did not have 2FA...
Hey JAC3467! đź‘‹
First, to address the core concern that some folks might have upon jumping into this thread: 1Password itself was not hacked. In this case, the attacker compromised the individual’s local device and intercepted their Account Password using a keylogger, which allowed them to log into 1Password. Once a device is compromised, an attacker can gain nearly unrestricted access.
While enabling 2FA on your 1Password account is a great security measure, it would not have prevented this specific attack. 2FA on your 1Password account helps protect against unauthorized access from new or untrusted devices—but since the attacker was logging in from the victim’s already-authorized device, 2FA wouldn’t have applied in this scenario.
To guard against attacks that exploit compromised devices, you should:
- Ensure device integrity — keep your devices free from malware by installing security updates, enabling built-in security features, and using endpoint protection tools that actively detect and prevent threats.
- Trust only verified sources — download software exclusively from trusted providers. Avoid unverified applications that could contain hidden malware.
- Strengthen authentication for critical accounts —use phishing-resistant authentication methods like hardware security keys (e.g., YubiKey) or a separate authenticator app to reduce the risk of credential compromise.
- Limit exposure from browser extensions — review and disable unnecessary or untrusted extensions, as they can introduce vulnerabilities that attackers may exploit.
1P_Blake
Community Manager
Community ManagerHey JAC3467! đź‘‹
First, to address the core concern that some folks might have upon jumping into this thread: 1Password itself was not hacked. In this case, the attacker compromised the individual’s local device and intercepted their Account Password using a keylogger, which allowed them to log into 1Password. Once a device is compromised, an attacker can gain nearly unrestricted access.
While enabling 2FA on your 1Password account is a great security measure, it would not have prevented this specific attack. 2FA on your 1Password account helps protect against unauthorized access from new or untrusted devices—but since the attacker was logging in from the victim’s already-authorized device, 2FA wouldn’t have applied in this scenario.
To guard against attacks that exploit compromised devices, you should:
- Ensure device integrity — keep your devices free from malware by installing security updates, enabling built-in security features, and using endpoint protection tools that actively detect and prevent threats.
- Trust only verified sources — download software exclusively from trusted providers. Avoid unverified applications that could contain hidden malware.
- Strengthen authentication for critical accounts —use phishing-resistant authentication methods like hardware security keys (e.g., YubiKey) or a separate authenticator app to reduce the risk of credential compromise.
- Limit exposure from browser extensions — review and disable unnecessary or untrusted extensions, as they can introduce vulnerabilities that attackers may exploit.
This is a decent enough reply, but it doesn't address 1Password's bizzare article where they claim to be taking all the steps and to always choose security.. but NOT to be implementing RASP techniques on Windows, where the protections are weakest and users most vulnerable.
Other than having to pay a 3rd party , the excuses around usability fall flat as these types of solutions are transparent (other than sometimes being flagged as malware). 1P_Blake , would 1Password consider making this at least an optional extra security measure/layer that Windows users could turn on to help make 1Password more resistant to malware that DOES happen to infect a PC? I understand it's not perfect, but RASP mechanisms to protect applications do exist
