Did 1Password get hacked? The Disney Employee said hackers got into his 1password account.

Thank you Member: 1P_Blake | 1Password Community for your reply.   Your explanation I feel “assumes” the hackers used his device ONLY for access to 1PW (ie. had his password), and not a 2nd “hacker” owned device.  My reasoning for this is the hacker would have needed his encryption key and password to setup another device.   Do you / 1PW know for a fact there was not outside access (2nd hacker device) to his 1PW account?   Thank you.  

I'm using a lot of passkeys these days which doesn't require a second device. 1password just dishes them out via browser pop up . Easy peasy. Makes me wonder if that's not a good thing 

I tried activating 2FA but it asked for a code every time, so I turned it back off.  My employer has it only request 2FA every few days for my work vault, and it just sends a push notification via Duo after an initial login.  For my personal account, there was no option to select a push notification for an app like Okta Verify.  Could this be added as a future option so it is easier to adopt 2FA?

I appreciate all the comments here from people far more knowledgeable about security than I am. I was thinking,  I use touch id but occasionally still need to enter my password to use 1PW, would using Authy on my iPhone for access to 1PW be another layer of security that would benefit me? Thank you for any assistance you can provide.  

I think 1P needs to provide an explanation of how this occurred.  Was it a stolen session key?  Was the Secret Key stolen in some way?  I for one really want to know what vulnerabilities exist and what errors on the user's part might have occurred so we can understand the risk and take any actions needed.

I posted about this as well, in the context of passkeys.  The article is short of some details regarding exactly what happened and where his 1PW vaults were accessed from.  But that said, it stated the victim DID NOT have 2FA enabled for his 1PW account.

So what are the takeaways?  I think there a couple.  First, enable 2FA authentication on your 1PW account, either with an authenticator or a Yubikey.  Then if your username, password AND secret key are compromised, the bad guys STILL cannot get into your account.

The second is for critical accounts - email, bank, credit card, health care, retirement, etc. - don't store all the authentication bits in 1PW.  That is, put 2FA somewhere else.  And this is exactly what happens when you use a Yubikey.  The reason is obvious enough, if a compromise occurs, one last bit of protection.

My question had to do with passkeys, and I would like 1P_Blake or 1P_Dave or someone from 1PW to comment.  In the event of a compromise, if a login has a passkey in 1PW, that is all that's needed to get into the account, as there is no 2FA with passkeys (as far as I know) and the private key stored is all that is needed to authenticate.  Is that a true statement?

I look forward to 1PW's response and other Community comments.

I see this development very alarming.  If they key logged his encryption key and password then they had full access.   He would have had to use his encryption key at some point on his personal computer after the hack, for them to gain access to 1PW.   Otherwise how did they get full access to 1PW???

Further, with 2FA for all his accounts in 1PW the hackers had full access to all his logins.   My question is, if you put on 2FA for your login to 1PW, where do you store/keep that token?  You do not want to keep that in 1PW as the that defeats the purpose.  Of course you could use a Yubikey, but if you loose that or it gets destroyed in a house fire or other means, you are out of luck on 1PW access.   I would love further thoughts and additional guidance from 1PW on this as was  requested  earlier.  

I agree that this is an important question that I would like 1Password address directly. I've been a 1Password user for a long time and I trust it. I still do but I'd like to know what settings (in 1Password) I should use to be as safe as possible.

If the hack was basically a keylogger, did that give the hacker the ability to see the Disney employee's login to 1Password? I use touchid to login to 1PW but even with this setting, I sometimes need to enter my 1PW password. Can a keylogger capture this to bypass the 1PW safeguards? 

I consider 1Password to be an excellent product that I have relied upon for a very long time and I trust them to stay ahead of the bad guys so this isn't meant as a criticism. It's meant as a genuine request to address this specific incident and their advice to us to prevent something similar from happening to us / me.

As an aside, I sometimes download things from Github or other sources I judge to be safe. It's subjective.  I have malware software but who knows if it's ahead of the hackers? Advice about "being careful" when downloading from GitHub (or elsewhere) isn't specific enough to be actionable. 

The guy was hacked because he installed a program that exfiltrates session cookies and probably also provided remote access to his computer. Some people who have no idea what they're doing, and will just follow steps/run code from the internet. OpSec is very important as far as your online life goes, and hopefully we'll get better cybersecurity options in the coming years since folks will be able to code better programs using AI to help prevent things like this from happening.