No Email-Notification

pb59ma
Community Member

Hello,

After the last post regarding the question of why forum users were not informed about the data leak was closed after unsatisfactory attempts at explanation, I would like to give you some more input.

1Password, as a company that offers software that must meet the highest standards of IT security, should also act in an ethically appropriate manner. It is simply a matter of always ensuring the highest level of transparency. Exactly that did not happen in this case. The statement "Vanilla says in their disclosure that they have no evidence this vulnerability was exploited." simply offers no security whatsoever. It can never be ruled out that the vulnerability has been exploited, even if there is no evidence. Trust no one, that's the motto. For this reason alone, users should have been actively informed about this data breach. It is simply not a matter of how likely it is that data has really been stolen or not. The possibility was definitely there, and that must simply be enough to justify a statement. It is an ethical question, and as a user I expect not only a high degree of security from a technical point of view but also correct behaviour if something went wrong.

Even if this was not the intention, as a user it feels as if one had tried to keep the matter as small as possible in order to attract little attention. I think that many people will agree with this opinion. I hope that there will not be more leaks in the future, but I expect them to be handled more transparently than in this case.

Kind regards


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • AGAlumB
    1Password Alumni

    @pb4072: As mentioned in the announcement, the potential data leak was mitigated by a bug fix and password reset by the forum software provider. Bearing in mind that this is a public forum, that it is not at all connected to your 1Password data, and that a data breach did not occur, what information would you be concerned about being exposed specifically? I'll be happy to follow up with Vanilla about it.

  • AGAlumB
    1Password Alumni

    To clarify, the implicit question seems to be, "Why didn't [we] send out an email about the forum bug?" The answer is that, unlike most website issues we post notices for in Watchtower, this was not a situation where anyone needs to take action; the forum provider already fixed the bug and reset passwords, so forum accounts are not at risk whether a user sets up a new password now or a year from now: no one can access it except by setting up the new password through the account's registered email address. More often it's the case that the user not taking action leaves an account "open" in the interim. That is not the case with the support forum issue. Whether someone never sets up a new password or does so immediately, their forum account is not at risk.

This discussion has been closed.