The part that caught my attention was how not enabling two-factor authentication in 1Password led to a real disaster:
The next few days passed in a blur; Van Andel reset the hundreds of credentials stored in his 1Password.
The hacker made good on his threat the next morning and published online every 1Password login credential Van Andel had stored.
His children’s Roblox accounts were hijacked. His online social-media accounts were filled with offensive language from strangers who used the leaked credentials.
Many of these accounts, including email, were protected by two-factor authentication. The hacker needed more than a username and password to break into two-factor accounts. People often use a text message or a mobile phone app, but Van Andel’s second factor was 1Password.
As he investigated his break-in, Van Andel realized that the key to his kingdom—the 1Password account—wasn’t itself protected by a second factor. It required just a username and password by default, and he hadn’t taken the extra step of turning on two-factor authentication.
I’ve used 1Password for years (more than a decade…), but I’m not even sure I was aware it had two-factor authentication.
As a password manager becomes more popular, its attack surface is more attractive and becomes a specific target for threat actors.
What I find most disturbing is that, while obviously the blame is going to be on the guy because he didn’t use 2FA, well, I could personally have easily been a victim of this attack: downloading uncontrolled “open source” software from Github.
BTW this vindicates Apple’s tight control on the Stores.
So could I. 1PW doesn’t ask for its “Secret Key” once the app has authenticated to 1Password.com, so username and password is all that protects it. And “Once someone has a keylogging Trojan program on his or her computer, ‘an attacker has nearly unrestricted access,’ a 1Password spokesman said.” (from WSJ)
So what’s the solution? My first thought is to delete 1Password and only store passwords in the Apple Passwords app on my Mac that are protected by 2FA. And keep 1PW on my iPad, iPhone 16, and WiFi only iPhone 11.
Interesting problem
That doesn’t help me. The only things I have installed from the Mac App Store are Kindle, Drafts, GoodLinks, Numbers, and a few utilities.
So how would that have prevented this guy losing his data? It sounds like his data got slurped off his device by malware. Am I missing a piece, or does this not connect for you too?
I don’t get it either. I suppose if the thief stole the secret key out of unlocked 1Password, he could set up a new device and secretly use it for a while. But the thief made his presence known quickly.
Without 2FA for 1Password the hacker can obtain the username and password from the infected PC and then silently install 1Password on another system and secretly get all information from there (instead of only the information accessed by the victim on the infected PC)
With 2FA for 1Password the victim would get a notification if the hacker tried to log in with the victim’s credentials on another system (for the first time).
I always thought the protection against that was the Secret Key (the one that 1PW generates). Although I guess a hacker could theoretically have access to that given sufficient permissions on the client computer.
That’s indeed a scenario that 1Password does not list as protected by a Secret Key:
Your 1Password account password protects your data on your devices. Someone who has access to your devices or backups won’t be able to unlock 1Password without your account password, which only you know.
Your Secret Key protects your data off your devices. Someone who attempts a brute-force attack on our servers won’t be able to decrypt your data without your Secret Key, which we never have.
I’m not quite sure what you’re trying to say. This summary:
isn’t the case. They need the username, password, and Secret Key. You can’t install a new 1PW copy without it. This is actually covered by your second point above:
When you’re setting up a new device, it’s not one of “your devices.” The Secret Key is what authenticates a device as yours, and allows access to the data on 1PW’s servers.
I was trying to say that “given sufficient permissions on the client computer” (quoting you) the attacker might have access to username, password, and secret key. Without 2FA (s)he then has all (s)he needs to exploit the entire 1Password vault at a different system.
The secret key only protects against installation on a new system in case it’s still a secret, i.e., hackers attacking the 1Password servers won’t get the Secret Key, but a hacker on a compromised local PC might obtain the Secret Key.
@WayneG, can you expand on why this is the solution?
The story is frightening on so many levels, including how Disney just abandoned him. I’m assuming that he wasn’t dumb enough to put porn on his work computer and the hacker did it to him.
I’m just getting my mom and family to use Apple Passwords (so I switched from 1p to be part of the family). These phishing schemes are getting more ingenious. I just got one pretending to ask for unpaid tolls. The only give-away is the top-level domain, www.tollway.xin.
I’m just getting my mom and family to use Apple Passwords (so I switched from 1p to be part of the family).
How is that going? It was a multi-year process for me to get my mom to use 1Password, and now she relies on it. We share a number of passwords as well. I’ve used it myself since 2009, so I have a lot of investment in using 1Password, but I would consider switching to Apple Passwords if it seemed sensible to do so.
Sorry, I was thinking “out loud”. And an hour or so of testing proved my idea to be very inconvenient.
In general, a keylogger captures everything you type and sends it to the hacker. But, in this case, unless the hacker had remote control of the victim’s computer I couldn’t think how they could access 1PW without the secret key (i.e., open 1PW on the victim’s Mac, and read or export the data). Unless they had captured his iCloud credentials, logged into iCloud as the victim, then installed their own copy of 1PW on one of their devices. And even that would not have been possible if 2FA was used on iCloud.