Forum Discussion

racerx_2502
New Contributor
3 months ago
Solved

Did 1Password get hacked? The Disney Employee said hackers got into his 1password account.

Hey Folks,

Decade+, happy 1Password user here; however, my underpants clenched up when I read this in the WSJ today: "A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life." (WSJ)

At the heart of it was them gaining access to his 1Password. I didn't think folks could get access to your passwords without having the Secret Key you need in addition to the username/pw.

Would love to hear from folks and 1Password (post-mortem/RCA), about what happened, and what we can do to secure our 1Password so this can't happen to us!

I have just enabled 2FA for the first time, but it looks like you only need it to get updated PWs, and that you can still see the old ones. Scary!

Thanks,

Kyle


  • 1P_Blake (Community Manager), accepted answer:

    Hey everyone! I totally understand why this story raised concerns, but I'd like to assure you that 1Password was not hacked and remains secure.

    In this particular case, the attacker compromised the individual’s local device. They intercepted his password using a keylogger, which allowed them to log into 1Password. Once a device is compromised, an attacker has nearly unrestricted access. 

    To help protect against attacks that target compromised devices, we recommend:

    • Ensure device integrity — keep your devices free from malware by installing security updates, enabling built-in security features, and using endpoint protection tools that actively detect and prevent threats.
    • Trust only verified sources — download software exclusively from trusted providers. Avoid unverified applications that could contain hidden malware.
    • Strengthen authentication for critical accounts — use phishing-resistant authentication methods like hardware security keys (e.g., YubiKey) or a separate authenticator app to reduce the risk of credential compromise.
    • Limit exposure from browser extensions — review and disable unnecessary or untrusted extensions, as they can introduce vulnerabilities that attackers may exploit.


    For more details on how 1Password protects information on your devices (and when it can’t), I would recommend reading our blog linked below. 👇

    🔗 How 1Password protects information on your devices (and when it can’t)

25 Replies

  • cssmith07
    New Contributor

    Thank you 1P_Blake for your reply. Your explanation, I feel, “assumes” the hackers used his device ONLY for access to 1PW (i.e. had his password), and not a 2nd “hacker”-owned device. My reasoning for this is the hacker would have needed his encryption key and password to set up another device. Do you / 1PW know for a fact there was not outside access (2nd hacker device) to his 1PW account? Thank you.

    • 1P_Blake
      Community Manager

      Hey cssmith07

      I appreciate the follow-up, and I want to clarify this point -- once an attacker fully compromises a device, they don’t need a “second hacker-owned device” to access 1Password.

      If malware like a keylogger is installed, it can capture everything the victim types—including their 1Password account password. Since the attacker is controlling the legitimate user’s session on their own device, they can log in and access data just as the legitimate user would.

      To be clear: there was no need for an attacker to set up a new device. They simply used the victim’s already-authenticated session on their own compromised machine.

      This is why keeping your device secure is the most critical step in protecting your data. No password manager—1Password or otherwise—can prevent an attacker from accessing data if they already have full control over the device where it’s stored.

  • I'm using a lot of passkeys these days, which doesn't require a second device. 1Password just dishes them out via a browser pop-up. Easy peasy. Makes me wonder if that's not a good thing.

    • chris__hayes
      Occasional Contributor

      This made me wonder if an attack could use both your password and 2FA to login on a separate computer before the 2FA code changes. I looked it up and they cannot! So, if you're generating 2FA codes on a separate device, you should be safe from 2FA code reuse!

      RFC 6238 - "[...] Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP. [...]"

      However, an important caveat like 1P_Blake mentioned—hacker access to your device still opens up a million doors:

      • The hacker can still take your browser cookies and use those to log in on a separate computer.
      • Not to mention, they could literally just open a browser on your computer and do what they want. A key logger is basically game over.
  • MASTERNC
    New Contributor

    I tried activating 2FA but it asked for a code every time, so I turned it back off.  My employer has it only request 2FA every few days for my work vault, and it just sends a push notification via Duo after an initial login.  For my personal account, there was no option to select a push notification for an app like Okta Verify.  Could this be added as a future option so it is easier to adopt 2FA?


  • I appreciate all the comments here from people far more knowledgeable about security than I am. I was thinking,  I use touch id but occasionally still need to enter my password to use 1PW, would using Authy on my iPhone for access to 1PW be another layer of security that would benefit me? Thank you for any assistance you can provide.  

  • MikeA01730
    Frequent Contributor

    I think 1P needs to provide an explanation of how this occurred.  Was it a stolen session key?  Was the Secret Key stolen in some way?  I for one really want to know what vulnerabilities exist and what errors on the user's part might have occurred so we can understand the risk and take any actions needed.

  • JAC3467
    Occasional Contributor

    I posted about this as well, in the context of passkeys.  The article is short of some details regarding exactly what happened and where his 1PW vaults were accessed from.  But that said, it stated the victim DID NOT have 2FA enabled for his 1PW account.

    So what are the takeaways? I think there are a couple. First, enable 2FA authentication on your 1PW account, either with an authenticator or a Yubikey. Then if your username, password AND secret key are compromised, the bad guys STILL cannot get into your account.

    The second is for critical accounts - email, bank, credit card, health care, retirement, etc. - don't store all the authentication bits in 1PW.  That is, put 2FA somewhere else.  And this is exactly what happens when you use a Yubikey.  The reason is obvious enough, if a compromise occurs, one last bit of protection.

    My question had to do with passkeys, and I would like 1P_Blake or 1P_Dave or someone from 1PW to comment.  In the event of a compromise, if a login has a passkey in 1PW, that is all that's needed to get into the account, as there is no 2FA with passkeys (as far as I know) and the private key stored is all that is needed to authenticate.  Is that a true statement?

    I look forward to 1PW's response and other Community comments.

    • prime
      Dedicated Contributor

      Why do they need to respond? The guy downloaded something he shouldn’t have. Once an attacker gets control over your computer, nothing, even 1Password, can save you. This is why you need to pay attention to what you’re installing on your computer.

      2FA on his 1Password account wouldn’t have saved this person, because 1Password is on the computer. 2FA is only needed when the app is first installed.

      • scottC28773
        New Contributor

        To JAC3467

        I'll try to explain.

        I trust 1Password (the product and the people) and I don't think they "need" to respond because, as you said, the article didn't say the hacker was able to crack 1PW.

        But as someone who tries to be careful, I'd like to hear the experts at 1PW tell me /us what it really means to "be careful" about what you download from the Internet. What exactly does that mean?  

        I think I'm careful. Apple has built in virus detection and I have malware detection on my laptop. I've set 1PW to open with Touch ID on my laptop and face recognition on my iPhone. Does this qualify as "paying attention" or "being careful"?

        If you have an answer, I'd honestly love to hear it but I also think hearing it from the professionals at 1PW would be appreciated but they don't "owe" it to us.

  • cssmith07
    New Contributor

    I see this development as very alarming. If they keylogged his encryption key and password then they had full access. He would have had to use his encryption key at some point on his personal computer after the hack for them to gain access to 1PW. Otherwise, how did they get full access to 1PW???

    Further, with 2FA for all his accounts in 1PW, the hackers had full access to all his logins. My question is, if you put 2FA on your login to 1PW, where do you store/keep that token? You do not want to keep that in 1PW, as that defeats the purpose. Of course you could use a Yubikey, but if you lose that or it gets destroyed in a house fire or by other means, you are out of luck on 1PW access. I would love further thoughts and additional guidance from 1PW on this, as was requested earlier.

    • AmNo
      New Contributor


      Is there a way to require 2FA along with the Master PW to open 1PW?  I appreciate that it adds another step to accessing passwords and then likely (if you're smart) having to also use 2FA for the actual website you're accessing.  But I cannot find where you could use 2FA for 1PW itself.  Can anyone please direct me? Or help me work through other ways to prevent keylogging from allowing complete access to my Vault? 

      Many thanks, 

      AmNo

      • 1P_Blake
        Community Manager

        Hey AmNo,

        1Password does not support requiring 2FA alongside your Account Password to unlock your vault, and there’s a good reason for that—it wouldn’t actually add any security benefit.

        Here’s why:

        • Unlocking 1Password is different from signing in

          When you sign in to a new device, 1Password requires authentication—including your account password, Secret Key, and (if enabled) 2FA. This is because you’re proving your identity to 1Password’s servers.

          But when you unlock 1Password on a device that’s already been set up, there’s no server authentication happening—just decryption. Your vault is stored locally on your device, and your Account Password is what decrypts it. Since nothing is being transmitted or verified online, 2FA wouldn’t serve any purpose at this stage.

        • If your device is compromised (e.g., via a keylogger), 2FA wouldn’t help.
          If an attacker can capture your keystrokes, they would get both your Account Password and any 2FA code you enter. That means adding 2FA at unlock wouldn’t actually prevent access—it would just add an extra step for you, not the attacker.
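The distinction 1P_Blake draws between unlocking an enrolled device and signing in a new one is the crux of the whole thread (cssmith07's "second hacker-owned device" question, JAC3467's point that 2FA still protects the account from a fresh device, and AmNo's request for 2FA at unlock). The following is an added, deliberately simplified model written for this page; it is not 1Password's actual protocol, key-derivation parameters or cipher. It assumes a vault key derived from the typed password plus a device-resident Secret Key, a server that holds only a login verifier and ciphertext, and a stand-in `OneTimeCodes` class for a second factor held on another device. The toy HMAC-counter stream cipher exists only so the example runs on the standard library; use an authenticated cipher such as AES-GCM in real code. The vault contents, password and codes in `keylogger_demo` are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Illustrative model only: not 1Password's design, KDF settings or cipher.


def derive_key(account_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Both the typed password and the on-device Secret Key feed the KDF."""
    return hashlib.pbkdf2_hmac("sha256", account_password.encode(), secret_key + salt, 100_000)


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy HMAC-counter stream cipher (stdlib only); encrypt and decrypt are the same call."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


class EnrolledDevice:
    """What sits on a device after set-up: Secret Key, salt and the encrypted vault."""

    def __init__(self, secret_key: bytes, salt: bytes, ciphertext: bytes, tag: bytes):
        self.secret_key, self.salt, self.ciphertext, self.tag = secret_key, salt, ciphertext, tag

    def unlock(self, account_password: str) -> Optional[bytes]:
        # Purely local: the password is the only input not already on disk,
        # so a keylogged password is all an attacker on this machine needs.
        key = derive_key(account_password, self.secret_key, self.salt)
        tag = hmac.new(key, self.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self.tag):
            return None
        return xor_keystream(key, self.ciphertext)


class OneTimeCodes:
    """Stand-in for a second factor kept on a separate device; each code works once."""

    def __init__(self, codes):
        self.unused = set(codes)

    def check(self, code: str) -> bool:
        if code in self.unused:
            self.unused.remove(code)
            return True
        return False


class AccountServer:
    """Service side: holds a login verifier and ciphertext, never the key or Secret Key."""

    def __init__(self, salt: bytes, login_verifier: bytes, ciphertext: bytes,
                 tag: bytes, second_factor: Optional[OneTimeCodes]):
        self.salt, self.login_verifier = salt, login_verifier
        self.ciphertext, self.tag, self.second_factor = ciphertext, tag, second_factor

    def sign_in_new_device(self, account_password: str, secret_key: bytes,
                           code: str = "") -> Optional[EnrolledDevice]:
        key = derive_key(account_password, secret_key, self.salt)
        if not hmac.compare_digest(login_verifier_for(key), self.login_verifier):
            return None                      # wrong password or wrong Secret Key
        if self.second_factor is not None and not self.second_factor.check(code):
            return None                      # 2FA is enforced here, at sign-in only
        return EnrolledDevice(secret_key, self.salt, self.ciphertext, self.tag)


def login_verifier_for(key: bytes) -> bytes:
    return hashlib.sha256(b"login-verifier" + key).digest()


def enroll(account_password: str, secret_key: bytes, vault: bytes,
           second_factor: Optional[OneTimeCodes]) -> Tuple[AccountServer, EnrolledDevice]:
    """Client-side account creation: the server receives only ciphertext and a verifier."""
    salt = os.urandom(16)
    key = derive_key(account_password, secret_key, salt)
    ciphertext = xor_keystream(key, vault)
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    server = AccountServer(salt, login_verifier_for(key), ciphertext, tag, second_factor)
    return server, EnrolledDevice(secret_key, salt, ciphertext, tag)


def keylogger_demo() -> dict:
    """Constructed scenario: the attacker has keylogged the account password only."""
    vault = b"bank: hunter2\nemail: correct horse battery staple\n"
    secret_key = os.urandom(32)                       # generated at enrolment, kept on device
    server, victim_device = enroll("Tr0ub4dor&3", secret_key, vault, OneTimeCodes({"446711", "902238"}))
    stolen_password = "Tr0ub4dor&3"
    return {
        "unlock_on_victim_device": victim_device.unlock(stolen_password) == vault,
        "signin_without_secret_key": server.sign_in_new_device(stolen_password, os.urandom(32), "446711") is not None,
        "signin_without_2fa": server.sign_in_new_device(stolen_password, secret_key, "000000") is not None,
        "signin_with_all_factors": server.sign_in_new_device(stolen_password, secret_key, "902238") is not None,
    }


if __name__ == "__main__":
    print(keylogger_demo())
```

The four results line up with the thread: on the compromised machine the stolen password alone unlocks the vault (no server, no 2FA gate); on an attacker's machine the password fails without the Secret Key, and even with the Secret Key it fails until a fresh second factor is presented. That is why 2FA at unlock would not have changed this case, while 2FA at sign-in still protects the account from being enrolled on a new device.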
  • I agree that this is an important question that I would like 1Password to address directly. I've been a 1Password user for a long time and I trust it. I still do, but I'd like to know what settings (in 1Password) I should use to be as safe as possible.

    If the hack was basically a keylogger, did that give the hacker the ability to see the Disney employee's login to 1Password? I use touchid to login to 1PW but even with this setting, I sometimes need to enter my 1PW password. Can a keylogger capture this to bypass the 1PW safeguards? 

    I consider 1Password to be an excellent product that I have relied upon for a very long time and I trust them to stay ahead of the bad guys so this isn't meant as a criticism. It's meant as a genuine request to address this specific incident and their advice to us to prevent something similar from happening to us / me.

    As an aside, I sometimes download things from Github or other sources I judge to be safe. It's subjective.  I have malware software but who knows if it's ahead of the hackers? Advice about "being careful" when downloading from GitHub (or elsewhere) isn't specific enough to be actionable. 


    • AmNo
      New Contributor

      Thanks for this note.  I too am a very, very long time and dedicated user.  As was said by others, this article shattered my confidence.  While I understand that 1P wasn't hacked, I was worried about exactly what you asked about - keylogging.  I found some old articles which said 1P had tightened things up to prevent that but I, too, would think 1P should make some comment about this.  

      Many thanks, 

      AmNo

  • Vincent
    New Contributor

    The guy was hacked because he installed a program that exfiltrates session cookies and probably also provided remote access to his computer. Some people have no idea what they're doing and will just follow steps/run code from the internet. OpSec is very important as far as your online life goes, and hopefully we'll get better cybersecurity options in the coming years, since folks will be able to code better programs using AI to help prevent things like this from happening.

    • prime
      Dedicated Contributor

      Correct, once a hacker has access to your computer, it’s game over. Nothing, even 1Password, can save you. 

      1Password wasn’t hacked. 

      • wab
        New Contributor

        I agree with prime. Where 2FA helps you in this scenario is not with preventing 1PW access, it's with preventing access to your other sites (provided you have 2FA activated on those sites). That's why you shouldn't use 1PW to provide the second factor. It is also why you should not have your authenticator app (like Authy) accessible on the same computer.