No email to notify customers about forum data breach. Why?

sbits
Community Member

I am a happy customer who loves your product very much but I am also very surprised and disappointed that I had to find out about this breach myself when I happened to open 1Password today and happened to look at the Watchtower.

You are not a shady company who doesn't know better. Please do the right thing next time.

On a side note, I think all new Watchtower entries should come with an eye-catching banner at the top of the main window so that we must see it whenever we launch 1Password. Maybe even give us outside-of-app notifications about them.


1Password Version: 7.3.1
Extension Version: Not Provided
OS Version: macOS 10.15.1
Sync Type: Not Provided

Comments

  • Lars
    1Password Alumni

    @sbits - thank you, both for being a happy user of 1Password and also for taking the time to share your concern about the recent vulnerability in the forum software we use. It means a lot to us that our users are not only invested enough in their security but also have enough confidence and trust in us to let us know when they think something's amiss or at least could be done better.

    Responding to incidents isn't always an exact science (though there are definitely best practices to follow that apply to certain situations). In this particular case, there are a few factors that went into why we responded the way we did (and didn't pursue some other options, such as trying to email everyone proactively). I hope you won't mind a little copy/paste; I just wrote this in another similar thread, so rather than re-phrasing everything here...

    1. Regarding the vulnerability itself, it affected other forums powered by Vanilla's software besides just this one, which makes this Vanilla's vulnerability to disclose, not ours. And Vanilla did disclose it, quickly and responsibly. It's also worth mentioning here that Vanilla says in their disclosure that they have no evidence this vulnerability was exploited.
    2. Although this particular incident may initially appear more alarming than other sites appearing in Watchtower might because it involves an agilebits.com subdomain, there was not and is not any "crossover" between your account here on this forum and your 1Password account. Your 1Password data is entirely separate from your Agilebits Support forum account. To elaborate a bit, if you have a 1password.com account, then even if you used the same password to register for this forum that you used for your Master Password, your 1Password data could not be accessed on the 1password.com servers with only that Master Password, because accessing your data on 1password.com would require your Secret Key and also 2FA, if you have that enabled. (note: if you did use the same password for your forum account as you used for your Master Password, you should change your Master Password to something unique).
    3. We followed our usual protocol for when we receive confirmation (disclosure) of a vulnerability or breach from the owner of a site: we added it to Watchtower. In the sidebar of 1Password for Windows or Mac, users with accounts on this forum would see their discussions.agilebits.com Login item listed under the Compromised Websites section of Watchtower. This is how we provide users notice of vulnerabilities at sites for which they have one or more Login items saved in 1Password.
    4. Our Chief Defender Against the Dark Arts, jpgoldberg, posted a top-level announcement thread right here, in the wee hours of November 16, so anyone visiting this forum could see our thoughts on the issue, as well as our recommendations.

    I hope that clears up the reasons behind why we took the steps we did. Thanks again for taking the time to share your concerns with us, and feel free to ask any follow-ups. :)

  • jeidd
    Community Member

    Yeah same here. Kinda funny that I get notified about it by the 1Password software itself, but not via mail. Not everyone keeps up with what's happening on the forums regularly.

  • AGAlumB
    1Password Alumni

    @sbits: That's just it: If you didn't come here for another year and changed your password then, there would still be no risk since there was no breach, the bug was fixed by Vanilla, they reset passwords, and no one is able to get into a forum account without access to the registered email address anyway. That said, I do think we could perhaps do more with Watchtower in the future. But it wouldn't make any difference in this case since, unlike most website issues Watchtower warns us about, you not noticing and/or not acting on it immediately is absolutely fine, since your forum account was locked down until you set up a new password.

  • AGAlumB
    1Password Alumni

    @sbits: It seems like the insinuation is that that is the case, when it is not. That's my point. If it were, we'd likely do things differently.

  • Ben

    Vanilla says in their disclosure that they have no evidence this vulnerability was exploited.

    Please see this statement. I think we've beat this horse to death. Thanks. :)

    Ben
