account deletion bot [memberships are not immediately purged]

gazu
edited February 1 in Memberships

The announcement that you can now delete your own account to start over is really great but I'm concerned.

I'm a 1Password cloud customer and use the service because I trust you'll keep my data safe.

With the new account deletion bot, introduced to expedite requests and reduce support tickets, I'm concerned that a malicious individual could delete my valuable account! :(

You might suggest I secure my email, but it is secure and has 2SV in place.

DNS cache poisoning and a multitude of other email vulnerabilities (unauthorised forwarding, server breach) mean that an evil person could potentially initiate a deletion request and I'd lose my critical data irrevocably. :'(

To mitigate this I'd like to suggest any of the following:

  • Allow a user to disable the automatic deletion service
  • Retain a user's data for 30 days but allow immediate deletion
  • Don't delete a user's account for 7 days and send multiple scary emails
  • Require a user to input their 1Password 2SV code to delete the account (if 2SV forgotten then support ticket)
  • Introduce a security question at account signup to use only in the event of account reset (this might cause confusion)

I don't dare 'test' the process so maybe some of these safeguards are in place but I'd like reassurance as to what 1Password are doing to protect their customer's important data.

Comments

  • brenty

    Team Member
    edited January 29

    @gazu: Thanks for reaching out, and for the suggestions. Can you tell me what you mean by this exactly, though?

    DNS cache poisoning and a multitude of other email vulnerabilities (unauthorised forwarding, server breach) mean that an evil person could potentially initiate a deletion request and I'd lose my critical data irrevocably. :'(

    I'm aware of DNS poisoning and phishing scams, but it's quite a jump from that to "initiate a deletion request" and "los[ing] critical data irrevocably". I don't really think it's helpful to worry aimlessly, but rather to define the specific threat(s) you're concerned about. That's much more productive, as it allows you to focus your energy on doing what you can to defend yourself. And it allows us to better address your concerns as well.

    In case it helps in the meantime, account deletion is a multi-step process (whether you do it yourself or contact us to help you with that), and the account deletion email expires. So someone malicious (or you, on a bender) would need to have access to your email for a fair amount of time and back and forth to successfully do this. And, of course, that's also been true before this user-accessible account deletion option was ever available: anyone with access to your email could pose as you to contact us and request an account deletion email -- which they of course could also follow through on in that scenario.

    So while I understand your concern, this doesn't introduce a new risk as far as I can tell: if your email is compromised, the attacker would not have had to wait for us to add this option, as they could have deleted your account anyway. The difference now is that people who do want to delete their accounts, for whatever reason, can do so more conveniently. At the end of the day, if your email account is secure, only you will be able to complete the account deletion process. If it's not...well, you will have many other issues in addition to the new "owner" of your email being able to delete your 1Password account. Financial fraud would be a much more appealing enterprise for the attacker in that case. That's not much consolation, but we should be realistic.

    Anyway, I totally understand that you don't want to test the process with the account with all of your data, but I'd encourage you to create a throwaway account and delete it to see how it works. And we'll be happy to discuss it more once we've got a better sense of what you have in mind. :)

  • gazu
    edited January 29

    Can you tell me what you mean by this exactly, though?

    A malicious individual could temporarily (for 1-2 hours) poison the DNS by re-routing the MX records from "good.com" to "evil.com". He then assumes control of the email account for the duration.

    ...but it's quite a jump from that to "initiate a deletion request" and "los[ing] critical data irrevocably"

    Once the deletion request has been initiated and confirmed then user data is lost forever.

    I don't really think it's helpful to worry aimlessly, but rather to define the specific threat(s) you're concerned about.

    A malicious individual initiating and confirming a deletion request.

    One other obvious threat is a malicious individual inside 1Password support - like what happened with Donald Trump's Twitter account.

    Or, an honest insider may make a genuine mistake. I accept this is unlikely but if you're going to implement robust security on other parts of the product then you need to mitigate the more likely human threat.

    So someone malicious (or you, on a bender) would need to have access to your email for a fair amount of time and back and forth to successfully do this.

    Not with the new process - your account can be wiped from the face of the earth in less than 60 seconds.

    With the old process, yes, a "fair amount of time and back and forth" would be required.

    And, of course, that's also been true before this user-accessible account deletion option was ever available: anyone with access to your email could pose as you to contact us and request an account deletion email...

    Yes but they'd need protracted not momentary access. That to me is a monumental difference.

    You could choose to blame users who leave their computers unlocked (I don't) but it's not acceptable for a customer to lose all of their valuable data so quickly, easily and permanently.

    If companies are trusting you to keep their data safe (Teams/Business) then a more robust safety mechanism needs to be introduced.

    You owe a duty of care to keep data safe, you shouldn't just irreversibly delete accounts straightaway. None of the major cloud providers do (Google, Microsoft) - your data is retained for a period of time to remedy mistakes.

    ...this doesn't introduce a new risk as far as I can tell: if your email is compromised, the attacker would not have had to wait for us to add this option, as they could have deleted your account anyway.

    Not so.

    With email there are many technologies such as SPF, DMARC and DKIM which support records set with an intentionally high time which take a considerable period to propagate worldwide.

    Use of those technologies would prevent a person who has temporarily poisoned the DNS from emailing you. You'd never see the email in your inbox - that's the point of SPF and DMARC - they'd have to wait several days before being able to send authenticated outbound mail. Anything else would be 'hard failed' and deleted by your email servers before it ever came to the attention of your support staff.

    However being able to 'click and delete' an account only requires a malicious individual compromise the MX servers for a very short period of time.

    I hope you don't think I'm being provocative but I really care about the safety of my data and I think the 1Password security team should seriously discuss the unintended implications of this new feature.

    Even if the following clause were added to the terms and conditions it would allay my concerns;

    Your encrypted 1Password data will be retained for the duration of your subscription and indefinitely thereafter unless and until a deletion request is received. Upon receipt of such a request we will delete your data after 90 days of the request being made to safeguard user data from inadvertent or malicious deletion.

    1Password should not be relying on a single point of failure (email) to protect user data from deletion.

    The cost implications are minimal and will save 1Password from the inevitable shower of brown sticky stuff and terrible publicity if a user has their account irreversibly deleted using this new 'feature'.

    There's no easy way to back up your complete 1Password vault and this makes it difficult for prudent users to keep a backup which 1Password would ordinarily say is "unnecessary".

    Apple don't rely on 1Password's data governance - that's why they host their 1Password data on premises (and not in your cloud). I don't want to have to revert to the old manual syncing method in order to achieve greater integrity of my data but I may have to.

  • jin_dhaliwal

    Team Member

    Hello @gazu,

    I want to reassure you that we do retain account data for a period after an account is marked for deletion by a user. A user that has had their account deleted accidentally or maliciously can request the account be restored and the data can be recovered.

    Data backups are a feature that we are looking into.

    We appreciate the feedback, and totally understand your passion for data security.

  • @jin_dhaliwal Can you define "a period"? A week? 30 days? ... :-)

  • jin_dhaliwal

    Team Member

    Hello @Manaburner,

    I don't want to go into the details here, as the timeframe is variable based on a number of account factors. The important thing to note is that we do have the ability to recover deleted account data if it is needed.

  • jpgoldberg Agile Customer Care

    Team Member

    We very much considered your concern @gazu. You are correct to ask about it. And we very much considered the threat of malicious deletion.

    Accounts can be undeleted (purging is a different matter). And so @jin_dhaliwal's point holds. Over the past few years, we've seen extremely few malicious deletion requests/attempts, and so if that doesn't change our move here is safe. We are, of course, going to keep an eye on this. If it turns out that malicious or accidental deletions become a problem, then we will adjust the procedure as needed.

  • Thanks for the replies @jin_dhaliwal and @jpgoldberg

    The fact that 1Password do retain users' vaults for an undisclosed period of time is good to hear although I'm still somewhat concerned.

    • Security by obscurity is bad. There may be legitimate reasons for keeping retention periods secretive but users do need informing as to the minimum period of time that you'll hold onto vaults for.
    • AgileBits could potentially end up answering to the Office of the Privacy Commissioner of Canada by not being straight with users as to how long their data is retained for. GDPR is a big thing now - especially as you're servicing customers within the EU. Including a boilerplate clause like the one I suggested above would resolve this.

    After reading JP's reply I am reassured that thought was given to the threat of malicious deletion. I would however like clarification on what the following sentence means;

    Accounts can be undeleted (purging is a different matter).

    What does this mean in relation to the deletion bot?
    At what point do accounts become "purged"? (Can a user do this himself or is it after an undisclosed period of time?)

  • jpgoldberg Agile Customer Care

    Team Member

    I fully understand that you would like clarification on what purging means and when it happens, but we are vague about it, because it is something we are continually tuning.

    At what point do accounts become "purged"? (Can a user do this himself or is it after an undisclosed period of time?)

    Users can request purging only after they have deleted the account through an authenticated session. We will not purge an account via an unauthenticated request. (Our commitments under the GDPR require that we do honor purge requests, but control of an email address is not sufficient for such actions.)

    As for when we purge deleted accounts (without a corresponding request to purge), that shifts around. It's somewhere between a year from deletion to never. We really, really, don't want to remove anyone's data without their consent. So the answer at the moment is "at least one year since deletion."

    In cases of authenticated deletion and a request for erasure, it is any time between seven and 30 days, just depending on scheduling. (Note that at this point the scheduling of purges is not fully automated. A human does a dry run to get a sense of what would be purged before actually pulling the trigger, but this may change.)

    Again, the details of when purging occurs may change. Part of that will depend on whether we see signs of malicious deletion attempts. We are much happier to keep things "deleted" and "unpurged" than to unrecoverably remove user data against the clear wishes of the legitimate owner of the data.
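A small model of the lifecycle jpgoldberg describes above (a deleted account stays recoverable; purging happens only on an authenticated request after an authenticated deletion, never from control of an email address alone; the purge job defaults to a dry run). This is an added illustration, not 1Password's own code; the day counts are placeholders taken from the figures quoted in the thread, and "days" are plain integers for simplicity.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    ACTIVE = "active"
    DELETED = "deleted"   # recoverable: data retained, account can be undeleted
    PURGED = "purged"     # unrecoverable


# Retention windows in days, as quoted in the thread; the real values are tuned
# by the service and are placeholders here.
RETENTION_WITHOUT_REQUEST = 365   # "at least one year since deletion"
RETENTION_AFTER_REQUEST = 7       # purge scheduled "between seven and 30 days"


@dataclass
class Account:
    state: State = State.ACTIVE
    deleted_authenticated: bool = False     # was the deletion done in a logged-in session?
    purge_not_before: Optional[int] = None  # earliest day a purge may run (int day number)


def delete_account(acct: Account, authenticated: bool, today: int) -> State:
    """Deletion (e.g. via the emailed link) only soft-deletes; nothing is purged yet."""
    if acct.state is State.ACTIVE:
        acct.state = State.DELETED
        acct.deleted_authenticated = authenticated
        acct.purge_not_before = today + RETENTION_WITHOUT_REQUEST
    return acct.state


def undelete(acct: Account) -> State:
    """Anything still in DELETED can be restored in full."""
    if acct.state is State.DELETED:
        acct.state = State.ACTIVE
        acct.deleted_authenticated = False
        acct.purge_not_before = None
    return acct.state


def request_purge(acct: Account, authenticated_session: bool, today: int) -> bool:
    """Erasure is honoured only for an account deleted in an authenticated session and
    only when the request itself is authenticated; an email-only request is rejected."""
    if not (authenticated_session and acct.state is State.DELETED and acct.deleted_authenticated):
        return False
    acct.purge_not_before = today + RETENTION_AFTER_REQUEST
    return True


def run_purge_job(acct: Account, today: int, dry_run: bool = True) -> bool:
    """Scheduled purge. Defaults to a dry run that only reports whether the account is
    due; an explicit dry_run=False is what actually destroys data."""
    due = acct.state is State.DELETED and today >= acct.purge_not_before
    if due and not dry_run:
        acct.state = State.PURGED
    return due
```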

  • Users can request purging only after they have deleted the account through an authenticated session. We will not purge an account via an unauthenticated request.

    Thank you. This allays my concerns that an account 'deleted' via the bot isn't wiped off the face of the earth - at least not until 'between a year and never'. :)

    ...control of an email address is not sufficient for such actions.

    Excellent - this was one of my main concerns.

    I was worrying that I could go on vacation, come back and find my account permanently deleted. :'(

    In cases of authenticated deletion and a request for erasure, it is any time between seven and 30 days, just depending on scheduling.

    Understandably so. I was worried that a malicious non-authenticated individual could permanently delete my account.

    I accept that a genuine (logged-in) user should be able to delete their account and that a safety catch of 7-30 days is a reasonable compromise.

    After reading your response, assuming I've understood it correctly, @jpgoldberg I am fully reassured. :)

    Thanks for taking the time to explain as I couldn't find the answer in any of the documentation.

  • Ben AWS Team

    Team Member

    I'm glad to hear we were able to relieve some of the concern about this subject. If there is anything else we can do, please don't hesitate to contact us.

    Ben
