Possibly hacked

kenryanjr

Is there a way to tell if my account has been somehow compromised? Maybe by IP address? I have had fraudulent activity on one of my cards. They even were able to call Discover and change the address on the card.

---

1Password Version: 7.0.7
Extension Version: 4.7.2.90
OS Version: OS x 10.13.6
Sync Type: Not Provided

AGAlumB

@kenryanjr: I'm sorry to hear that. If you sign into your account on 1Password.com, you'll be able to view your authorized devices and recent logins on your profile page:

https://start.1password.com/profile

You'll also get email notifications when your account is logged into on a new device. But the only way someone could do that is if you gave them your account credentials. Even if you are using a Master Password that isn't super strong, your Secret Key will be impossible to guess. It would be easier for an attacker to skim your credit card or guess its number, unfortunately. But the good news is that they're generally good about dealing with fraud and you should be able to get it sorted out with them easily. Just be sure to contact them if you haven't already so they can cancel the card to avoid any further trouble!

dguskov

Hello!

Could you clarify the next point. I trust the 1Password app, but in order to gain access to the account I have to enter the Master Password (and the Secret Key, of course) in the browser.

How to understand that the browser itself is not compromised? Can any content (script, injection or something else) running in the next tab get access to the input field where I type Master Password?

Lars

@dguskov - in general, no. We use multiple layers of security including one not in that previous link called Secure Remote Password (SRP), which make this nearly impossible. If you'd like the nitty-gritty of how 1Password works to keep you safe in a 1password.com account, there's our 1Password security white paper.

That said, if your computer was previously compromised by an attacker, and they're able to execute arbitrary code running as root, they can do pretty much anything they wish. Read process memory, sniff your passwords as you enter them, you name it. There's an old saying that if someone gains root access to your computer, it is no longer your computer. That's one of the reasons we don't recommend people access their 1Password data via the web interface from unknown/untrusted computers: not because we don't trust our own security, but because if the security of the machine from which you try to access your 1Password data is already compromised, there would be little we could do to prevent some very bad outcomes.

However, in such a situation, as brenty mentioned above, you would still receive notification via email that your account had been accessed from a new device -- unless the compromised device is your own. Have you received any such notifications recently?

dguskov

@Lars - no, I did not receive such notifications. Because DropBox actually discontinues Linux support, I'm thinking of migration synchronization from the DropBox service to iCloud or 1Password membership.

I'm not really sure how well iCloud works (I use only Mac and iOS devices for 1Password).

About 1Password membership, a little paranoid inside me says - do not trust the browser, it's insecure and buggy.

I do not consider the option when the device is completely compromised, or it's not my device. everything is clear here

Lars

@dguskov - you're right to be suspicious of the browser; it's by far the top vector for infection/attack that you have on your computer -- or at least, that most people have. The opportunities for exploit are numerous. If you're using only Apple devices, iCloud is a good option for sync, provided you have only a single vault (multiple vaults cannot be synced via iCloud). But a 1password.com account is really the way to go for most people. However, it's your choice! :)