Hey Folks,

Decade+, happy 1password user here, however, my underpants clenched up when I read this on the WSJ today A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life. - WSJ

At the heart of it, was them gaining access to his 1Password's.  I didn't think folks could get access to your passwords without having the Secret Key you need in addition to the username/pw.

Would love to hear from folks and 1Password (post-mortem/RCA), about what happened, and what we can do to secure our 1Password so this can't happen to us!

I have just enabled 2FA for the first time, but it looks like you only need it to get updated PW's?  and that you can still see the old ones.  Scary!

Thanks,

Kyle

Why do they need to respond? The guy downloaded something he shouldn’t have. Once an attacker gets control over your computer, nothing, even 1Password, can save you. This is why you need to pay attention what you’re installing on your computer. 

2FA on his 1Password account wouldn’t have saved this person, because the 1Password is on the computer. 2FA is only needed when the app is 1st installed. 

Why do they need to respond? The guy downloaded something he shouldn’t have. Once an attacker gets control over your computer, nothing, even 1Password, can save you. This is why you need to pay attention what you’re installing on your computer. 

2FA on his 1Password account wouldn’t have saved this person, because the 1Password is on the computer. 2FA is only needed when the app is 1st installed. 

Hey everyone! I totally understand why this story raised concerns, but I'd like to assure you that 1Password was not hacked and remains secure. 

In this particular case, the attacker compromised the individual’s local device. They intercepted his password using a keylogger, which allowed them to log into 1Password. Once a device is compromised, an attacker has nearly unrestricted access. 

To help protect against attacks that target compromised devices, we recommend:

\n
• Ensure device integrity — keep your devices free from malware by installing security updates, enabling built-in security features, and using endpoint protection tools that actively detect and prevent threats.
\n
• Trust only verified sources — download software exclusively from trusted providers. Avoid unverified applications that could contain hidden malware.
\n
• Strengthen authentication for critical accounts —use phishing-resistant authentication methods like hardware security keys (e.g., YubiKey) or a separate authenticator app to reduce the risk of credential compromise.
\n
• Limit exposure from browser extensions — review and disable unnecessary or untrusted extensions, as they can introduce vulnerabilities that attackers may exploit.
\n

For more details on how 1Password protects information on your devices (and when it can’t), I would recommend reading our blog linked below. 👇

🔗 How 1Password protects information on your devices (and when it can’t)

I posted about this as well, in the context of passkeys.  The article is short of some details regarding exactly what happened and where his 1PW vaults were accessed from.  But that said, it stated the victim DID NOT have 2FA enabled for his 1PW account.

So what are the takeaways?  I think there a couple.  First, enable 2FA authentication on your 1PW account, either with an authenticator or a Yubikey.  Then if your username, password AND secret key are compromised, the bad guys STILL cannot get into your account.

The second is for critical accounts - email, bank, credit card, health care, retirement, etc. - don't store all the authentication bits in 1PW.  That is, put 2FA somewhere else.  And this is exactly what happens when you use a Yubikey.  The reason is obvious enough, if a compromise occurs, one last bit of protection.

My question had to do with passkeys, and I would like 1P_Blake or 1P_Dave or someone from 1PW to comment.  In the event of a compromise, if a login has a passkey in 1PW, that is all that's needed to get into the account, as there is no 2FA with passkeys (as far as I know) and the private key stored is all that is needed to authenticate.  Is that a true statement?

I look forward to 1PW's response and other Community comments.

I posted about this as well, in the context of passkeys.  The article is short of some details regarding exactly what happened and where his 1PW vaults were accessed from.  But that said, it stated the victim DID NOT have 2FA enabled for his 1PW account.

So what are the takeaways?  I think there a couple.  First, enable 2FA authentication on your 1PW account, either with an authenticator or a Yubikey.  Then if your username, password AND secret key are compromised, the bad guys STILL cannot get into your account.

The second is for critical accounts - email, bank, credit card, health care, retirement, etc. - don't store all the authentication bits in 1PW.  That is, put 2FA somewhere else.  And this is exactly what happens when you use a Yubikey.  The reason is obvious enough, if a compromise occurs, one last bit of protection.

My question had to do with passkeys, and I would like or or someone from 1PW to comment.  In the event of a compromise, if a login has a passkey in 1PW, that is all that's needed to get into the account, as there is no 2FA with passkeys (as far as I know) and the private key stored is all that is needed to authenticate.  Is that a true statement?

I look forward to 1PW's response and other Community comments.

To JAC3467

I'll try to explain.

I trust 1Password (the product and the people) and I don't think they \"need\" to respond because, as you said, the article didn't say the hacker was able to crack 1PW.

But as someone who tries to be careful, I'd like to hear the experts at 1PW tell me /us what it really means to \"be careful\" about what you download from the Internet. What exactly does that mean?  

I think I'm careful. Apple has built in virus detection and I have malware detection on my laptop. I've set 1PW to open with Touch ID on my laptop and face recognition on my iPhone. Does this qualify as \"paying attention\" or \"being careful\"?

If you have an answer, I'd honestly love to hear it but I also think hearing it from the professionals at 1PW would be appreciated but they don't \"owe\" it to us.

My set up:

I have 3 users for my MacBook. I have an Admin side where never use and the other 2 users for just Standard users (work and personal), so they don’t have any admin rights. 

 I have the free version of MalwareBytes that I run once a day at least. I have AdGuard (life time) to block ads and has a pretty cool DNS settings that some options help prevent malware. 

I also use the Screen Time settings to put a PIN so my account settings has an extra later (I honestly don’t know if it will work, but why not?) 

If you’re interested in the AdGuard Lifetime, I can send you a link where go to (many people on Reddit got it from here and where I got the idea from). 

Thanks prime 

Thanks for the offer on AdGuard. I don't have AdGuard but I have other utilities that limit ads to the point that I'm not bothered by them. The latest version of Safari has an interesting feature that allows me to click on an element on a webpage and remove it. Poof -- it goes away. 

I use CleanMyMac to scan for bad stuff but not as often as I should.

Thanks again for your reply.

The answer to your question is to hopefully learn something.

The article is vague on exactly what happened with 1PW specifically.  I am constantly looking at my security practices and where I might improve them - and that's the case here.  I get it when you download malware that gets privileged access, that's a pretty big problem.  But we are using a cross-platform, cloud-based password management solution.  

I think our looking at how we configure and use 1PW and thinking about best practices should be an ongoing activity. 

How is it vague? He downloaded something that the attacker got access to his computer. He said this in the article.