Forum Discussion
racerx_2502
7 months ago, New Contributor
Did 1Password get hacked? The Disney Employee said hackers got into his 1Password account.
Hey Folks,
Decade+ happy 1Password user here; however, my underpants clenched up when I read this on the WSJ today: A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life. - W...
- 7 months ago
Hey everyone! I totally understand why this story raised concerns, but I'd like to assure you that 1Password was not hacked and remains secure.
In this particular case, the attacker compromised the individual’s local device. They intercepted his password using a keylogger, which allowed them to log into 1Password. Once a device is compromised, an attacker has nearly unrestricted access.
To help protect against attacks that target compromised devices, we recommend:
- Ensure device integrity — keep your devices free from malware by installing security updates, enabling built-in security features, and using endpoint protection tools that actively detect and prevent threats.
- Trust only verified sources — download software exclusively from trusted providers. Avoid unverified applications that could contain hidden malware.
- Strengthen authentication for critical accounts — use phishing-resistant authentication methods like hardware security keys (e.g., YubiKey) or a separate authenticator app to reduce the risk of credential compromise.
- Limit exposure from browser extensions — review and disable unnecessary or untrusted extensions, as they can introduce vulnerabilities that attackers may exploit.
For more details on how 1Password protects information on your devices (and when it can’t), I would recommend reading our blog linked below. 👇
🔗 How 1Password protects information on your devices (and when it can’t)
racerx_2502
7 months ago, New Contributor
I'm using a lot of passkeys these days, which don't require a second device. 1Password just dishes them out via browser pop-up. Easy peasy. Makes me wonder if that's not a good thing.
- chris__hayes, 7 months ago, Occasional Contributor
This made me wonder if an attack could use both your password and 2FA to log in on a separate computer before the 2FA code changes. I looked it up and they cannot! So, if you're generating 2FA codes on a separate device, you should be safe from 2FA code reuse!
RFC 6238 - "[...] Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP. [...]"
However, an important caveat like 1P_Blake mentioned—hacker access to your device still opens up a million doors:
- The hacker can still take your browser cookies and use those to log in on a separate computer.
- Not to mention, they could literally just open a browser on your computer and do what they want. A key logger is basically game over.
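
The RFC 6238 rule quoted in the reply above, as an added example that is not part of the original thread and not 1Password's code: a minimal TOTP verifier that remembers the last accepted time step per account and refuses a second use of the same code. The class name `ReplaySafeVerifier`, the account name, and the one-step drift window are assumptions; the secret is the RFC test-vector key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)


def totp(secret: bytes, step_counter: int, digits: int = 6) -> str:
    """HOTP value (RFC 4226) for a time-step counter, using HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", step_counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ReplaySafeVerifier:
    """Hypothetical verifier: each time step is accepted at most once per account."""

    def __init__(self, secrets: dict[str, bytes], drift_steps: int = 1):
        self.secrets = secrets
        self.drift_steps = drift_steps  # assumed tolerance for clock skew
        self.last_used_step: dict[str, int] = {}  # account -> last accepted step

    def verify(self, account: str, otp: str, now: float) -> bool:
        secret = self.secrets.get(account)
        if secret is None:
            return False
        current = int(now) // STEP
        floor = self.last_used_step.get(account, -1)
        first = max(0, current - self.drift_steps)
        for step in range(first, current + self.drift_steps + 1):
            if step <= floor:
                continue  # this step (or a later one) was already consumed: replay
            expected = totp(secret, step).encode()
            if hmac.compare_digest(expected, otp.encode()):
                self.last_used_step[account] = step  # burn the step on success
                return True
        return False
```

This only stops code reuse at the verifier; it does nothing about the stolen browser cookies mentioned in the post.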