I fear someone has access to my 1Password vault ... due to PayPal issue.

edcroteau
Community Member
  1. I have PayPal SMS security code 2 factor login setup.
  2. I was getting texts from PayPal when I was NOT trying to login, nor anyone else.
  3. I changed the password yesterday with a secure one from 1P and stored it in 1P.
  4. Overnight I got another text at 2am.
  5. PayPal has confirmed that someone tried to login to my PayPal account WITH the "new" password (not me) at exactly that time.
  6. They said although rare - that it could be a compromised Password Manager.
  7. I'm going to change my email address for PayPal, setup a new password again, and save it in 1P as always.

Please advise on any known issues with 1P, PayPal or Mac viruses that might be causing me to be compromised. My 1P database has my entire life savings in there, I'm very concerned.

Thanks,

Ed


1Password Version: 6.0
Extension Version: 4.5.2.90
OS Version: 10.11.2
Sync Type: iCloud

Comments

  • jpgoldberg
    1Password Alumni

    Thanks for reporting this @edcroteau, and I'm sorry for the problem that you are having.

    I can certainly see why from what you describe you would think that there has been a compromise of your 1Password data. It does, indeed, look very suspicious. I'm not going to rule it out, but I'm also going to look elsewhere because on the whole 1Password is probably the strongest part of your password security, and so is the least likely to be the actual point of attack.

    Lots of annoying questions

    It is really hard to diagnose these things, so I am going to have to ask lots of questions. Please don't take them as attempts to shift blame. I need to ask them to rule things out.

    Browser and network attacks

    Malware in the browser you are using, or a hijacked network and TLS session could capture your PayPal log ins, including your password change behavior.

    • What web browser and OS do you use for PayPal?
    • Is your browser version up to date?
    • When you go to the PayPal site, does its certificate (click on the lock in the location bar and click "Show Certificate") look something like this? [Image: PayPal Certificate info in Safari]

      Be sure to double check the "issued by" portion.

    • Look at the extensions and plug-ins set for your browser. Do any look unfamiliar?

    • Do you have any kind of "security" software installed that attempts to "monitor/inspect/optimize" your web traffic?
    • What sort of network were you connected to when you changed your PayPal password? Is it the same one you have checked the TLS certificate from above?
    • If you have 1Password running on an iOS device, what happens if you change your PayPal password from 1Browser in 1Password on iOS? (You don't have to try this right away, but I do want to list this as a possible experiment to possibly try at one point.)

    As you can see, I'm more inclined to suspect that a capture of your PayPal password is coming from a compromised web browser than through an attack on 1Password, but as I said, I do not want to rule anything out. So ...

    Attacks through 1Password

    Let's look at the most plausible ways an attacker could get your PayPal password from 1Password. I'm going to need to know a lot about your setup to be able to know which avenues are most likely:

    • What devices/platforms do you use 1Password on?
    • How do you sync your 1Password data?
    • Is your Master Password unique? (Only used for 1Password)
    • Is your Master Password reasonably strong? (Do not say anything that reveals your Master Password).
    • Is your password for your sync service (Dropbox, iCloud, etc) unique and reasonably strong?
    • If you have set up a Master Password hint, is it too big of a hint?
    • Have you had previous Master Passwords that might have been exposed?

    Quite frankly, the only way someone can get your data out of 1Password itself is if they can capture both your 1Password data and your Master Password. But ...

    Attacks through your computer/devices

    If your computer has malware on it, then it is possible for some malware to get data from 1Password once you unlock it.

    • Do you keep your system and software up to date?
    • Do you download and run software from dubious sources? (There is no nice way to put this question, sorry.)
    • Do you heed browser warnings about SSL/TLS certificate problems? (Again, I'm not trying to shift blame, I'm just looking at avenues of attack.)

    I'm sorry for all of this interrogation, but because 1Password with a decent and unique Master Password is probably the strongest part of your password security, I do need to ask about all of these other things as well.

  • edcroteau
    Community Member

    Wow - thanks so much for the detailed response.

    I'm not going to respond to everything at this point because this is what I did --

    1. Yes, all of my passwords are really good unique, long, etc for iCloud/1Password/Google/etc
    2. Yes, all software and OS's are up to date (my normal M.O.)
    3. Checked SSL cert in problem browser (work iMac) - it looks fine by your screenshot
    4. Reset PayPal password on another Mac (laptop)
    5. Setup 2 factor authentication on Google as I'm using Chrome
    6. Changed Google password
    7. Flushed all caches on Google Chrome on all 3 computers I have
    8. Deleted and deactivated all Chrome extensions that I don't use / need (note that Buffer indicated that it might be corrupted .... )
    9. Reset iCloud keychain where 1Password is synced

    I'll repost here if I have any more trouble and certainly get more detailed with responses to your very valid (and many) questions !

    Thanks again,

    Ed

  • @edcroteau It sounds like you have things well covered on the accounts front. Please do let us know if you have any other issues with the PayPal account, or anything else. We're always happy to help out. And if you need to talk a bit more privately, feel free to email us at support+forums@agilebits.com. We'll be there, and here, whenever you need us.

  • AGAlumB
    1Password Alumni

    @edcroteau: I'm really sorry to hear about this. I also wanted to add a few points:

    • PayPal accounts are frequently the target of phishing scams, for example where you'll get an email purporting to be from PayPal (or a website popup) that purports to be PayPal but is actually a different, often similarly named site (for example, www.paypal.com.e.give.me.ur.login.info). This isn't PayPal's fault; but with so many people's financial info (and money!) they're simply a huge target.
    • If your 1Password vault were compromised, I'd expect the attacker to go after your other valuable info there as well (banks, credit cards, etc.) As Goldberg suggested, it would be much more feasible for an attacker to compromise your computer and collect login info on the fly, rather than trying to attack 1Password directly.

    Please let us know how things turn out, and if there's anything we can do to help!
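The look-alike hostname in the post above can be checked mechanically: a site is identified by the right-most labels of the host, not by a familiar name appearing somewhere in it. The following is an added example, not part of the thread or of 1Password's code; `checkLink`, `EXPECTED_DOMAIN` and the sample URLs are constructed for illustration, and it goes slightly beyond the post by also covering a name placed in the userinfo part and a trailing root dot.

```javascript
// Added example: does a link really point at the site it claims to be?
// EXPECTED_DOMAIN and SAMPLES are constructed values for illustration.
const EXPECTED_DOMAIN = "paypal.com";

// Returns { ok, host, reason } for an absolute URL string.
function checkLink(urlString, expectedDomain = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(urlString); // WHATWG URL parser, the same rules browsers apply
  } catch (e) {
    return { ok: false, host: null, reason: "not a parseable absolute URL" };
  }
  // hostname is already lower-cased; IDN labels arrive as punycode (xn--...)
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (url.protocol !== "https:") {
    return { ok: false, host, reason: "not https" };
  }
  if (url.username || url.password) {
    // In "https://name@host/" the text before "@" is credentials, not the site
    return { ok: false, host, reason: "userinfo present before the host" };
  }
  // Exact match, or a subdomain ending in ".<expectedDomain>"
  if (host === expectedDomain || host.endsWith("." + expectedDomain)) {
    return { ok: true, host, reason: "host is the expected domain or a subdomain" };
  }
  if (host.includes(expectedDomain)) {
    return { ok: false, host, reason: "expected name appears in the host, but the host is not that domain" };
  }
  return { ok: false, host, reason: "unrelated host" };
}

// Constructed sample links; the second uses the hostname quoted in the post.
const SAMPLES = [
  "https://www.paypal.com/signin",
  "https://www.paypal.com.e.give.me.ur.login.info/signin",
  "https://paypal.com@login.example/",
  "http://www.paypal.com/",
];

for (const link of SAMPLES) {
  const result = checkLink(link);
  console.log(`${result.ok ? "OK    " : "REJECT"} ${link} -> ${result.host}: ${result.reason}`);
}
```

Filling from a password manager applies a comparable match against the URL stored with the login, which is one reason filling is less exposed to look-alike hosts than typing or pasting.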

  • edcroteau
    Community Member

    Made it through the night with no further issues ... I'll try to remember to post in a week if still nothing. The only suspicious thing was that Buffer extension (deleted now). Don't remember any phishing scams that I didn't just delete (pretty aware of that stuff but you never know ...) Yes, I thought maybe my whole vault would be compromised and it doesn't appear to be ...

    One thing of note is that I never typed my new PayPal password that day - it was copy/pasted from 1P password generator. That's another troubling thing ...

    Thanks for all the help. Love 1P and have already recommended to many people who bought it :-)

  • @edcroteau Buffer is quite a reliable company and product, so I don't expect there would be any trouble from their extension. But the choice of removing it is up to you. :)

    One thing of note is that I never typed my new PayPal password that day - it was copy/pasted from 1P password generator. That's another troubling thing ...

    Where did you paste that password? Just the form where you changed it?

  • edcroteau
    Community Member

    Yes. I do use Flycut which stores copy items in a buffer ...

  • AGAlumB
    1Password Alumni

    Don't remember any phishing scams that I didn't just delete (pretty aware of that stuff but you never know ...)

    @edcroteau: Hey, I have totally clicked on something stupid from time to time — sometimes without thinking, but often just accidentally when I was trying to click something else.

    Yes. I do use Flycut which stores copy items in a buffer ...

    Not to say that Flycut might strictly be to blame (I'm not familiar with it myself), but it's important to note that if the 'buffer' is accessible to other apps the way the clipboard is, that would be a great way for something malicious to harvest data over time. Securing a password inside your 1Password vault won't help if it's placed in a system-readable area. Even if it's not logging and writing to disk, unless it's encrypted, other apps may be able to simply hang out and collect information one piece at a time. Definitely something to look into if you're going to continue using it, if for no other reason than to understand the risks and make an informed decision about if and when to use it.

  • edcroteau
    Community Member

    I don't know if the buffer of Flycut is accessible to other system apps (not easily seen by Google search). Do people NOT copy/paste passwords in and out of 1Password? Seems like a critical thing to me and I've been doing it for many years.

  • danco
    Volunteer Moderator

    From time to time I need to copy and paste passwords, but for the most part I just use 1PW to fill in username and password, which is technically (and also in terms of user experience) a different procedure.

  • Jacob
    edited January 2016

    @edcroteau I copy and paste passwords quite often actually. I also have a clipboard history manager, which is a wonderful tool in many cases, but in the case of passwords it can be harmful since most managers store things in plain text. I've simply excluded 1Password from the history so things copied to my clipboard don't get logged. If Flycut has that option, I'd suggest enabling it. If not, CopyClip is a great alternative. :)

  • edcroteau
    Community Member

    Thanks for the CopyClip tip - already installed - great feature to disable 1P ! Thanks again.

    FYI, no more trouble with the PayPal 2-factor texts. I haven't seen one since I did the steps outlined earlier. Also this caused me to delete a bunch of Chrome extensions I wasn't using.

    Note that the Buffer extension showed up (the only one) on all of my computers as "possibly corrupted" or something similar. I was given the option to "Repair" it ... just deleted for now but had me worried.

  • Drew_AG
    1Password Alumni

    I'm very happy to hear that everything seems to be ok for you now! I do hope everything continues to work well for you from now on and that you don't run into something like this again in the future. But if you do have more questions about 1Password or need help, please don't hesitate to let us know. We're here for you! :)

This discussion has been closed.