Password managers have been struggling with security breaches in recent months, with LastPass suffering a particularly bad hack as a notable example. So when 1Password users got an alert last week saying their Secret Keys and passwords had been changed without their knowledge, they were understandably panicked. Luckily, all was not what it seemed.
That’s because AgileBits, the company behind 1Password, has just explained exactly what went wrong during that event. And while it wasn’t as bad as everyone first thought, it still doesn’t paint AgileBits in a particularly good light.
In a blog post on the 1Password website, the company’s Chief Technology Officer (CTO) Pedro Canahuati explained that the incident occurred shortly after a period of planned maintenance was completed. After the maintenance work finished, “our service received an unexpected spike in sync requests from client devices to the servers,” Canahuati explained.
The CTO clarified that when that happened, “users erroneously received a message indicating that their Secret Key or password had changed.” More specifically, 1Password’s servers in the U.S. sent an error code to users’ apps, which those apps interpreted incorrectly, leading to the worrisome message.
So @1Password was undergoing maintenance, so the app wasn't connecting to the server. And it decided the best error message to show people was "your secret key or password was recently changed". 🤡🤡🤡
Bruh can you not give me a damn heart attack, thanks.
— ThioJoe (@thiojoe) April 28, 2023
Fortunately, Canahuati noted that no user passwords or Secret Keys had been changed and that all user data was safe throughout the incident. Still, it would no doubt have been an anxious period for many users as they wondered whether their passwords, credit card info, and other sensitive data had been compromised.
It also raises questions over how the 1Password app could have misinterpreted the error code they received. Canahuati said 1Password will analyze what went wrong, “refine our migration process and error handling,” and “ensure that we properly plan for these scenarios in the future.”
Password manager woes
The incident is not the first time a password manager has been on the hook for a security breach, real or otherwise. For the past few months, LastPass has been embroiled in a scandal surrounding a data breach it suffered, wherein user data appears to have been accessed and stolen by nefarious actors.
When news of the breach first surfaced, LastPass played it down, claiming there was nothing to worry about. Over time, however, the company revealed more and more damning information, leading to severe criticism of the way it handled the security failure.
Hopefully, we won’t see a similar situation play out with 1Password. Password managers are a lucrative target for hackers given the highly sensitive data they safeguard, and so any perceived lapse can cause a great deal of consternation among worried users.
If you want to tighten up your security, though, there are plenty of things you can do. We’ve analyzed the best password managers on the market to help you find the right one for your needs, and there are also ways to improve your passwords and keep your data safe. That should help keep your important data as safe as can be.
