Forum Discussion
racerx_2502
7 months ago New Contributor
Did 1Password get hacked? The Disney Employee said hackers got into his 1password account.
Hey Folks,
Decade+, happy 1password user here, however, my underpants clenched up when I read this on the WSJ today A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life. - W...
- 7 months ago
Hey everyone! I totally understand why this story raised concerns, but I'd like to assure you that 1Password was not hacked and remains secure.
In this particular case, the attacker compromised the individual’s local device. They intercepted his password using a keylogger, which allowed them to log into 1Password. Once a device is compromised, an attacker has nearly unrestricted access.
To help protect against attacks that target compromised devices, we recommend:
- Ensure device integrity — keep your devices free from malware by installing security updates, enabling built-in security features, and using endpoint protection tools that actively detect and prevent threats.
- Trust only verified sources — download software exclusively from trusted providers. Avoid unverified applications that could contain hidden malware.
- Strengthen authentication for critical accounts — use phishing-resistant authentication methods like hardware security keys (e.g., YubiKey) or a separate authenticator app to reduce the risk of credential compromise.
- Limit exposure from browser extensions — review and disable unnecessary or untrusted extensions, as they can introduce vulnerabilities that attackers may exploit.
For more details on how 1Password protects information on your devices (and when it can’t), I would recommend reading our blog linked below. 👇
🔗 How 1Password protects information on your devices (and when it can’t)
cssmith07
7 months ago New Contributor
I see this development as very alarming. If they key logged his encryption key and password then they had full access. He would have had to use his encryption key at some point on his personal computer after the hack, for them to gain access to 1PW. Otherwise how did they get full access to 1PW???
Further, with 2FA for all his accounts in 1PW the hackers had full access to all his logins. My question is, if you put on 2FA for your login to 1PW, where do you store/keep that token? You do not want to keep that in 1PW as that defeats the purpose. Of course you could use a Yubikey, but if you lose that or it gets destroyed in a house fire or other means, you are out of luck on 1PW access. I would love further thoughts and additional guidance from 1PW on this as was requested earlier.
- AmNo 7 months ago New Contributor
Is there a way to require 2FA along with the Master PW to open 1PW? I appreciate that it adds another step to accessing passwords and then likely (if you're smart) having to also use 2FA for the actual website you're accessing. But I cannot find where you could use 2FA for 1PW itself. Can anyone please direct me? Or help me work through other ways to prevent keylogging from allowing complete access to my Vault?
Many thanks,
AmNo
- 1P_Blake 7 months ago
Community Manager
Hey AmNo,
1Password does not support requiring 2FA alongside your Account Password to unlock your vault, and there’s a good reason for that—it wouldn’t actually add any security benefit.
Here’s why:
- Unlocking 1Password is different from signing in
When you sign in to a new device, 1Password requires authentication—including your account password, Secret Key, and (if enabled) 2FA. This is because you’re proving your identity to 1Password’s servers.
But when you unlock 1Password on a device that’s already been set up, there’s no server authentication happening—just decryption. Your vault is stored locally on your device, and your Account Password is what decrypts it. Since nothing is being transmitted or verified online, 2FA wouldn’t serve any purpose at this stage.
- If your device is compromised (e.g., via a keylogger), 2FA wouldn’t help.
If an attacker can capture your keystrokes, they would get both your Account Password and any 2FA code you enter. That means adding 2FA at unlock wouldn’t actually prevent access—it would just add an extra step for you, not the attacker.
- cssmith07 7 months ago New Contributor
2FA for 1PW is available only for a New Device; when you first set it up.
https://support.1password.com/two-factor-authentication/?ios
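To illustrate the unlock-versus-sign-in distinction in the Community Manager reply above, here is an added example (not part of the thread and not 1Password's code): a simplified local vault whose decryption key is derived from the password alone. The function names, the toy HMAC-based cipher and the hypothetical `unlock_with_code` gate are assumptions made for illustration.

```python
import hashlib, hmac, os, struct

def derive_key(password: str, salt: bytes) -> bytes:
    # The key depends only on the typed password and a locally stored salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy HMAC-counter keystream: a stdlib stand-in for a real AEAD such as AES-GCM.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks" + nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(password: str, plaintext: bytes) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def unlock(vault: dict, password: str) -> bytes:
    # Pure local decryption: no server round trip, no second factor in the key.
    key = derive_key(password, vault["salt"])
    tag = hmac.new(key, b"tag" + vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, vault["tag"]):
        raise ValueError("wrong password")
    ks = _keystream(key, vault["nonce"], len(vault["ct"]))
    return bytes(a ^ b for a, b in zip(vault["ct"], ks))

def totp(secret: bytes, now: int, step: int = 30) -> str:
    # RFC 6238 TOTP (HMAC-SHA1, 6 digits).
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"

def unlock_with_code(vault: dict, password: str, code: str,
                     totp_secret: bytes, now: int) -> bytes:
    # Hypothetical "2FA at unlock": verifying offline requires the TOTP secret to
    # sit on the same device, and the code never enters the key derivation.
    if not hmac.compare_digest(code, totp(totp_secret, now)):
        raise PermissionError("bad code")
    return unlock(vault, password)
```

The code check in `unlock_with_code` is only a conditional in front of `unlock`; the stored vault remains decryptable with the password alone, which is why the factor adds nothing at this stage.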