1Password File Infected!

Issue 1: The old version of your software wasn’t removed when I upgraded to the new version. Why? So I’ve been allowing the old version to sit there for a while. Maybe a few months. I was too afraid to delete it, cause I didn’t know if it would end up deleting stuff from the new version.

  1. BitDefender identified that a 1Password file was infected today. I immediately disconnected my laptop from the internet because I have a lot of crypto stuff and too many people are getting their balances stolen. Here is the message:

INFECTED FILE DETECTED

The file C:\Users\Me\AppData\Local\1Password\app\7\00014897.tmp has been detected as infected. Bitdefender blocked this item. Your device is not threat-free. Threat name: Gen:Variant.Cerbu.25355

I was not sure if this was the old install or the new install. So I went to “add remove programs” and uninstalled the old one.

Then I manually navigated to this folder. All the files are still there but there are no temp files. So I’m concerned that it infected the new one since that’s the only one left on my hard drive, and this path still does exist.

I assume that if I had deleted the one that was infected, I wouldn’t be able to manually navigate to this path.

So I’m concerned that the new version of your software got infected, and obviously I’m concerned that my password information was transmitted somewhere.

What kind of intel can you come up with on this to give me some confidence as to what just happened on my computer and the risks, and steps I should be taking, if any?

Comments

  • I checked with our development team, @AgileBurger, and we don't use any .tmp files in that directory. Whatever BitDefender caught, it wasn't from us. It is, of course, BitDefender's job to identify these sorts of potentially suspicious behaviors, so in this case it looks to be doing what it's meant to. I'd suggest trashing the entire app folder, doing a full system anti-virus scan, then reinstalling a clean copy of 1Password 7 from our website. Don't use an installer you've got saved from before – get a fresh one, just to be safe.

    As for not removing old versions of 1Password, the reason for this is that 1Password 7 wasn't a direct upgrade from 1Password 4. You did need to import your data from 1Password 4, so if we removed it out of the gate, you'd have found yourself without access to your data until you imported it and we didn't want that to happen, especially if you weren't planning to set things up right away. That said, in both 1Password 4 and 1Password 7, your data is stored separately from your 1Password app. With 1Password 4, it was stored either on your filesystem or your sync service, depending on your setup. With 1Password 7, you can actually uninstall and reinstall and your data will be waiting for you to unlock it with your Master Password when the reinstall is done. We know losing your data would be super scary, so we do our best to ensure it's not something you can easily do on accident. :+1:
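Editor's added example (not part of the reply above, and not 1Password or Bitdefender tooling): before trashing the app folder as suggested, a PowerShell inventory of it records what was there, flagging any .tmp files and any file that is really a Windows executable without a valid Authenticode signature. The function name is hypothetical and the default path is assumed from the Bitdefender alert quoted in the question.

```powershell
# Added triage example; the function name is hypothetical.
# Assumption: the default path is the folder named in the Bitdefender alert.
function Get-AppFolderInventory {
    param(
        [string]$Path = (Join-Path $env:LOCALAPPDATA '1Password\app\7')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not found: $Path"
        return
    }
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force | ForEach-Object {
        # 'MZ' (0x4D 0x5A) in the first two bytes marks a Windows executable,
        # whatever the file extension says.
        $isPE = $false
        try {
            $fs = [System.IO.File]::OpenRead($_.FullName)
            try {
                $buf = New-Object byte[] 2
                $isPE = ($fs.Read($buf, 0, 2) -eq 2 -and
                         $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
            } finally { $fs.Dispose() }
        } catch { }  # locked or unreadable file: IsPE stays false

        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                    -ErrorAction SilentlyContinue
        [pscustomobject]@{
            File      = $_.FullName
            Modified  = $_.LastWriteTime
            IsTmp     = ($_.Extension -eq '.tmp')
            IsPE      = $isPE
            Signature = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256    = $hash.Hash
        }
    }
}

# List .tmp files and any executable content without a valid signature.
Get-AppFolderInventory |
    Where-Object { $_.IsTmp -or ($_.IsPE -and $_.Signature -ne 'Valid') } |
    Format-List
```

An empty result means the folder currently holds no .tmp files and no unsigned executables; it says nothing about a file the antivirus has already blocked or removed, so the full scan and clean reinstall still apply.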

  • Colins2
    Community Member

    In a similar vein, the previous version of Malwarebytes flagged 1Password, along with about 11 other applications, as being 'back doors'.
    Other apps included NordVPN, Embarcadero C++, X-Plane etc., all good applications downloaded direct from the publishers' sites.
    I had an upgrade a couple of days ago (MB) and these apps are no longer flagged up.

  • Greg
    1Password Alumni

    Hi @Colins2,

    I am glad to hear that those false positives were fixed in the latest Malwarebytes update. :) If there is anything we can help you with, please let us know. Thank you!

    Cheers,
    Greg

This discussion has been closed.