February 27, 2025
Solved

Did 1Password get hacked? The Disney employee said hackers got into his 1Password account.

  • February 27, 2025
  • 10 replies
  • 6125 views

Hey Folks,

Decade+ happy 1Password user here; however, my underpants clenched up when I read this in the WSJ today: "A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life." - WSJ

At the heart of it was them gaining access to his 1Password. I didn't think folks could get access to your passwords without having the Secret Key you need in addition to the username/password.

Would love to hear from folks and 1Password (post-mortem/RCA), about what happened, and what we can do to secure our 1Password so this can't happen to us!

I have just enabled 2FA for the first time, but it looks like you only need it to get updated PWs, and that you can still see the old ones. Scary!

Thanks,

Kyle

 

Best answer by 1P_Blake

Hey everyone! I totally understand why this story raised concerns, but I'd like to assure you that 1Password was not hacked and remains secure. 

In this particular case, the attacker compromised the individual’s local device. They intercepted his password using a keylogger, which allowed them to log into 1Password. Once a device is compromised, an attacker has nearly unrestricted access. 

To help protect against attacks that target compromised devices, we recommend:

  • Ensure device integrity — keep your devices free from malware by installing security updates, enabling built-in security features, and using endpoint protection tools that actively detect and prevent threats.
  • Trust only verified sources — download software exclusively from trusted providers. Avoid unverified applications that could contain hidden malware.
  • Strengthen authentication for critical accounts — use phishing-resistant authentication methods like hardware security keys (e.g., YubiKey) or a separate authenticator app to reduce the risk of credential compromise.
  • Limit exposure from browser extensions — review and disable unnecessary or untrusted extensions, as they can introduce vulnerabilities that attackers may exploit.

 

For more details on how 1Password protects information on your devices (and when it can’t), I would recommend reading our blog linked below. 👇

🔗 How 1Password protects information on your devices (and when it can’t)

10 replies

February 27, 2025

The guy was hacked because he installed a program that exfiltrates session cookies and probably also provided remote access to his computer. Some people have no idea what they're doing and will just follow steps/run code from the internet. OpSec is very important as far as your online life goes, and hopefully we'll get better cybersecurity options in the coming years, since folks will be able to code better programs using AI to help prevent things like this from happening.

prime
February 27, 2025

Correct, once a hacker has access to your computer, it's game over. Nothing, not even 1Password, can save you.

1Password wasn’t hacked. 

February 27, 2025

I agree with prime. Where 2FA helps you in this scenario is not with preventing 1PW access, it's with preventing access to your other sites (provided you have 2FA activated on those sites). That's why you shouldn't use 1PW to provide the second factor. It is also why you should not have your authenticator app (like Authy) accessible on the same computer.

February 27, 2025

I agree that this is an important question that I would like 1Password to address directly. I've been a 1Password user for a long time and I trust it. I still do, but I'd like to know what settings (in 1Password) I should use to be as safe as possible.

If the hack was basically a keylogger, did that give the hacker the ability to see the Disney employee's login to 1Password? I use Touch ID to log in to 1PW, but even with this setting, I sometimes need to enter my 1PW password. Can a keylogger capture this to bypass the 1PW safeguards?

I consider 1Password to be an excellent product that I have relied upon for a very long time and I trust them to stay ahead of the bad guys so this isn't meant as a criticism. It's meant as a genuine request to address this specific incident and their advice to us to prevent something similar from happening to us / me.

As an aside, I sometimes download things from GitHub or other sources I judge to be safe. It's subjective. I have malware software but who knows if it's ahead of the hackers? Advice about "being careful" when downloading from GitHub (or elsewhere) isn't specific enough to be actionable.

February 27, 2025

Thanks for this note. I too am a very, very long time and dedicated user. As was said by others, this article shattered my confidence. While I understand that 1P wasn't hacked, I was worried about exactly what you asked about - keylogging. I found some old articles which said 1P had tightened things up to prevent that, but I, too, would think 1P should make some comment about this.

Many thanks, 

AmNo

February 27, 2025

I find this development very alarming. If they keylogged his encryption key and password, then they had full access. He would have had to use his encryption key at some point on his personal computer after the hack for them to gain access to 1PW. Otherwise, how did they get full access to 1PW?

Further, with 2FA for all his accounts in 1PW, the hackers had full access to all his logins. My question is, if you put 2FA on your login to 1PW, where do you store/keep that token? You do not want to keep that in 1PW, as that defeats the purpose. Of course you could use a YubiKey, but if you lose that or it gets destroyed in a house fire or by other means, you are out of luck on 1PW access. I would love further thoughts and additional guidance from 1PW on this, as was requested earlier.

February 28, 2025


Is there a way to require 2FA along with the Master PW to open 1PW? I appreciate that it adds another step to accessing passwords and then likely (if you're smart) having to also use 2FA for the actual website you're accessing. But I cannot find where you could use 2FA for 1PW itself. Can anyone please direct me? Or help me work through other ways to prevent keylogging from allowing complete access to my Vault?

Many thanks, 

AmNo

February 28, 2025

2FA for 1PW is available only for a new device; when you first set it up.

https://support.1password.com/two-factor-authentication/?ios

February 27, 2025

I posted about this as well, in the context of passkeys.  The article is short of some details regarding exactly what happened and where his 1PW vaults were accessed from.  But that said, it stated the victim DID NOT have 2FA enabled for his 1PW account.

So what are the takeaways? I think there are a couple. First, enable 2FA authentication on your 1PW account, either with an authenticator or a YubiKey. Then if your username, password AND Secret Key are compromised, the bad guys STILL cannot get into your account.

The second is for critical accounts - email, bank, credit card, health care, retirement, etc. - don't store all the authentication bits in 1PW.  That is, put 2FA somewhere else.  And this is exactly what happens when you use a Yubikey.  The reason is obvious enough, if a compromise occurs, one last bit of protection.

My question had to do with passkeys, and I would like @1P_Blake or @1P_Dave or someone from 1PW to comment.  In the event of a compromise, if a login has a passkey in 1PW, that is all that's needed to get into the account, as there is no 2FA with passkeys (as far as I know) and the private key stored is all that is needed to authenticate.  Is that a true statement?

I look forward to 1PW's response and other Community comments.

prime
February 27, 2025

Why do they need to respond? The guy downloaded something he shouldn't have. Once an attacker gets control over your computer, nothing, not even 1Password, can save you. This is why you need to pay attention to what you're installing on your computer.

2FA on his 1Password account wouldn't have saved this person, because 1Password is on the computer. 2FA is only needed when the app is first installed.

February 27, 2025

The answer to your question is to hopefully learn something.

The article is vague on exactly what happened with 1PW specifically. I am constantly looking at my security practices and where I might improve them - and that's the case here. I get it when you download malware that gets privileged access, that's a pretty big problem. But we are using a cross-platform, cloud-based password management solution.

I think our looking at how we configure and use 1PW and thinking about best practices should be an ongoing activity. 

February 27, 2025

I think 1P needs to provide an explanation of how this occurred. Was it a stolen session key? Was the Secret Key stolen in some way? I for one really want to know what vulnerabilities exist and what errors on the user's part might have occurred so we can understand the risk and take any actions needed.

February 27, 2025

I appreciate all the comments here from people far more knowledgeable about security than I am. I was thinking, I use Touch ID but occasionally still need to enter my password to use 1PW; would using Authy on my iPhone for access to 1PW be another layer of security that would benefit me? Thank you for any assistance you can provide.


February 27, 2025

I tried activating 2FA but it asked for a code every time, so I turned it back off.  My employer has it only request 2FA every few days for my work vault, and it just sends a push notification via Duo after an initial login.  For my personal account, there was no option to select a push notification for an app like Okta Verify.  Could this be added as a future option so it is easier to adopt 2FA?

February 28, 2025

I'm using a lot of passkeys these days, which don't require a second device. 1Password just dishes them out via browser pop-up. Easy peasy. Makes me wonder if that's not a good thing.

chris__hayes
February 28, 2025

This made me wonder if an attacker could use both your password and 2FA code to log in on a separate computer before the 2FA code changes. I looked it up and they cannot! So, if you're generating 2FA codes on a separate device, you should be safe from 2FA code reuse!

RFC 6238 - "[...] Note that a prover may send the same OTP inside a given time-step window multiple times to a verifier. The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP. [...]"

However, an important caveat, as 1P_Blake mentioned—hacker access to your device still opens up a million doors:

  • The hacker can still take your browser cookies and use those to log in on a separate computer.
  • Not to mention, they could literally just open a browser on your computer and do what they want. A key logger is basically game over.

February 28, 2025

Thank you 1P_Blake for your reply. Your explanation, I feel, "assumes" the hackers used his device ONLY for access to 1PW (i.e. had his password), and not a second "hacker"-owned device. My reasoning for this is the hacker would have needed his encryption key and password to set up another device. Do you / 1PW know for a fact there was no outside access (second hacker device) to his 1PW account? Thank you.

1P_Blake
Community Manager
February 28, 2025

Hey @cssmith07

I appreciate the follow-up, and I want to clarify this point -- once an attacker fully compromises a device, they don’t need a “second hacker-owned device” to access 1Password.

If malware like a keylogger is installed, it can capture everything the victim types—including their 1Password account password. Since the attacker is controlling the legitimate user’s session on their own device, they can log in and access data just as the legitimate user would.

To be clear: there was no need for an attacker to set up a new device. They simply used the victim’s already-authenticated session on their own compromised machine.

This is why keeping your device secure is the most critical step in protecting your data. No password manager—1Password or otherwise—can prevent an attacker from accessing data if they already have full control over the device where it’s stored.