Credit card (debit) was hacked. Card data was stored only in 1Password. Data breach?

Hi,
I've stored all credit card data in 1Password: number, PIN and related phone number. This card wasn't used often, so I thought it would be safe. But wrong. Someone in Seoul took all the money at an ATM (I'm still in Europe, never was in Seoul). Before that I got strange text messages on the phone belonging to the card.

Since all card data was stored only in 1Password on an iPhone 7 Plus, I think it's somehow involved. Not sure. It could have been skimmed somewhere at an ATM, but they also knew the mobile number, which is not communicated at an ATM.

Has 1Password data been breached recently?

Comments

  • No breach. In order to access your 1Password account, they would need your private key and your password. Hacking 1Password itself would not give them access to any of your information. Your card was probably compromised at some point independently of 1Password. As for them having access to the phone number associated with the card, for most people that's their cell phone number, and cell phone numbers are easily obtained through companies that sell such information.

  • Pretty sure it wasn't 1Password. Going on public Wi-Fi, skimmers, malware in your computers, other sites getting compromised (a LOT of that happening), or anything else.

    @TDK1044 is correct, they need your master password and secret key to get this info.

  • Thanks for your reactions.
    I hope that 1Password wasn't the source for hackers. I have other important data stored there. Except for this card, no other bank accounts or cards were (tried to be) accessed by them.
    Some details:

    • My master password is really unique, I do not use it anywhere else
    • Card is from a foreign bank, I use it not even monthly
    • Phone number is not from the country I'm located in. I do not use this phone number now, only for text messages from / to a bank. However, in the past I did in that country.
    • Card data incl. PIN is only listed in the 1Password app on iPhone 7, nowhere else (not on PC, etc.)
    • Text messages came two days before they cashed. One was a fake bank confirmation that they credited a small amount (bank which issued the card). The other message was from a person who said she made a mistake and requested I return the money. I didn't do anything, of course.

    These text messages could be related to the hack or not, I don't know. If yes, then how did they get the card number + PIN + phone? This data is only in 1Password and as a hard copy bank contract. I thought maybe they hacked the 1Password database somehow. I do not believe they hacked the iPhone app.

    They tried to cash from my card also the next day (today), but I blocked the card already. Really strange. I thought it would not happen to me.
    The bank is investigating this case now, will report in a few days.

  • wow my spelling.... oops

  • I bet @brenty, @Frank, @Ben, or anyone else can confirm this, but I doubt 1Password was the issue. It's quite scary how people can get this info.

  • brenty

    Team Member
    edited June 2017

    @prime: Totally. It's tough (arguably impossible) to keep our information private if we're participating in really any part of society these days. :(

    Hi, I've stored all credit card data in 1Password: number, PIN and related phone number. This card wasn't used often, so I thought it would be safe. But wrong. Someone in Seoul took all the money at an ATM (I'm still in Europe, never was in Seoul). Before that I got strange text messages on the phone belonging to the card.

    @mcneff: Thanks for reaching out. That's terrible. I’m sorry to hear that's happened to you! :(

    Since all card data was stored only in 1Password on an iPhone 7 Plus, I think it's somehow involved. Not sure. It could have been skimmed somewhere at an ATM, but they also knew the mobile number, which is not communicated at an ATM. Has 1Password data been breached recently?

    TDK1044 is right on, but I wanted to elaborate on some of this. First and foremost, the answer to your question is no.

    However, it's important to keep in mind that this essentially doesn't matter. We certainly don't want 1Password users' data to be stolen, but we've designed its security with the assumption that it will be at some point. So your 1Password data is always encrypted on your device, even before you sync it anywhere. And we only have your encrypted data if you're using 1Password.com, and never have your Master Password (or Secret Key).

    Now, there are potentially many ways an attacker could get your encrypted 1Password data, but it's important to remember that literally the only two ways they could decrypt are:

    1. You gave the attacker your Master Password
    2. You use a weak and/or easily guessable Master Password

    To get the encrypted data, they'd probably have to go through you. However, if you're syncing your 1Password data, it could potentially be captured in transit, or if the account you stored it in was compromised.

    And then, once they capture your encrypted data, it's useless to them unless they have the keys to decrypt your data. And unless 1 or 2 are true, they won't have that option. If you're using a long, strong, unique Master Password, this is infeasible on its own. But 1Password also uses PBKDF2 to strengthen your Master Password further, so that each guess takes much longer. And with a 1Password.com account, the Secret Key is an additional 128-bit, randomly-generated string which is also used to encrypt your data. So at that point a brute force attack is futile.

    So, given that we never have the keys to the data even if it were stolen from us (and therefore an attacker cannot gain access to your information through AgileBits), let's explore more likely possibilities:

    1. Your credit card information was captured either when you used it online, or was stolen later on from the company who you gave your purchase information (or an affiliate)
    2. Your credit card information was guessed, either completely (unlikely) or partially (it is possible to run through all 3-digit CVV codes very quickly, for example)
    3. It was stolen outright in person (say, at a restaurant or other retailer) or over the phone

    The phone number is definitely a tough one to puzzle out; but unless this is a burner phone which has no association with you personally (and you haven't used it to contact anyone who could be connected to you), someone with all of your credit card information will have your name and can find your phone number using that.

    Thanks for your reactions. I hope that 1Password wasn't the source for hackers. I have other important data stored there. Except for this card, no other bank accounts or cards were (tried to be) accessed by them. Some details:

    • My master password is really unique, I do not use it anywhere else

    That's really good to hear. While it doesn't help your situation, it certainly means that you have a lot less to worry about.

    • Card is from a foreign bank, I use it not even monthly
    • Phone number is not from the country I'm located in. I do not use this phone number now, only for text messages from / to a bank. However, in the past I did in that country.

    That's a bit scary. Not to alarm you, especially without knowing the details, but text messages are not secure, and it's unfortunately common practice for banks to use these as part of a security strategy.

    • Card data incl. PIN is only listed in the 1Password app on iPhone 7, nowhere else (not on PC, etc.)
    • Text messages came two days before they cashed. One was a fake bank confirmation that they credited a small amount (bank which issued the card). The other message was from a person who said she made a mistake and requested I return the money. I didn't do anything, of course. These text messages could be related to the hack or not, I don't know. If yes, then how did they get the card number + PIN + phone?

    This is pure speculation with regard to your situation, but in the past I've seen security holes introduced by 3rd parties. The best example I can easily fit in this post is concerning CVV codes. A while back it was found that a website's checkout process had no security measures in place to prevent repeated charge attempts. So attackers who had some partial credit card information were able to use trial and error to correctly guess the CVV codes for credit cards and make an insignificant purchase (which would not trigger fraud detection), and then use the (now-known) full account details for much bigger purchases. The "bank confirmation" sounds like they may have been testing if they got the account number right.

    This data is only in 1Password and as a hard copy bank contract. I thought maybe they hacked the 1Password database somehow. I do not believe they hacked the iPhone app.

    Based on what you've told me, it would be effectively impossible for them to try to break into your 1Password data, even if they had it on their own machine.

    They tried to cash from my card also the next day (today), but I blocked the card already. Really strange. I thought it would not happen to me. The bank is investigating this case now, will report in a few days.

    I hear you. I think we all sometimes feel like these are things that happen to "other people". Anyway, while we can't rewind this, if it were me, I'd be asking the bank questions about whether password reset, phone calls, or text communications were involved. Getting a contact list would allow you to confirm which contact points (if any) were you and which were the attacker, which could help figure out what happened exactly. Definitely let us know what you find out.
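
The two mechanisms named in the reply above (PBKDF2 stretching of the Master Password and a 128-bit random Secret Key) can be sketched as follows. This is an added example, not part of the original post and not 1Password's own code: the iteration count, the salt handling, the HMAC expansion and the XOR combination are assumptions made for illustration, and all sample values are constructed.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000  # assumed work factor, chosen for illustration only

def stretch_password(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: each password guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def expand_secret_key(secret_key: bytes, salt: bytes) -> bytes:
    """Expand the 128-bit random Secret Key to 32 bytes (assumed construction)."""
    return hmac.new(secret_key, b"expand" + salt, hashlib.sha256).digest()

def derive_unlock_key(master_password: str, secret_key: bytes, salt: bytes,
                      iterations: int = ITERATIONS) -> bytes:
    """Combine both secrets; neither one alone yields the key."""
    stretched = stretch_password(master_password, salt, iterations)
    expanded = expand_secret_key(secret_key, salt)
    return bytes(a ^ b for a, b in zip(stretched, expanded))

def seconds_per_guess(salt: bytes, iterations: int = ITERATIONS,
                      samples: int = 3) -> float:
    """Measure what one PBKDF2 guess costs on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        stretch_password(f"guess-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples

def years_to_exhaust(bits: int, guesses_per_second: float) -> float:
    """Time to try every value of a `bits`-bit secret at the given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    salt = secrets.token_bytes(16)        # constructed sample values
    secret_key = secrets.token_bytes(16)  # 128 bits, random
    key = derive_unlock_key("correct horse battery staple", secret_key, salt)
    # The right password with the wrong Secret Key still gives a different key.
    wrong = derive_unlock_key("correct horse battery staple",
                              secrets.token_bytes(16), salt)
    print("keys match:", hmac.compare_digest(key, wrong))
    print(f"one guess costs about {seconds_per_guess(salt) * 1000:.1f} ms")
    print(f"2^128 at 1e12 guesses/s: {years_to_exhaust(128, 1e12):.2e} years")
```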

  • @brenty
    I appreciate your detailed reaction. Thank you!

    I'm getting more confident it wasn't a 1Password hack but can't figure out where they could get my card number incl. PIN and phone number data. Card holder name wasn't stored in the app. I don't know that they need to make a plastic card with my data (I assume they made a card to use it in an ATM).

    I do not have 1Password.com account, as I see it now. App data is stored in iCloud only.

    To give you an idea: it's a savings bank account which offers a 'free' MasterCard, debit. The card was used only once for an online purchase (train tickets) approx. 6 months ago. And let's say used monthly at ATMs in two countries, last time two weeks before this incident, in a big EU city. The card itself is still in my possession.

    They could skim it at an ATM, agree. But I can't place that they knew the phone number, as you mentioned it as well.

    Many banks use text messages in their services. And some take it seriously: once, after changing the SIM card (format) with the same phone number, all important bank services stopped functioning. Banks use some kind of SIM card ID along with the phone number. After personal verification and my confirmation that I had changed the SIM card, they activated the services again.
    I think it is pretty secure. I can be wrong but anyway I have to accept and use bank services as they offer them.

    Everything from login to payments is recorded and sent to my phone as a text message (otherwise I would not have a clue that someone used my card in Seoul). And very important bank confirmations appear on the phone screen as an operator message. But this is a story from another bank I use, not the one from the incident. However it's the biggest one.

    Thanks for your attention. I'll keep you posted when I get the report from my bank.

  • rickfillion Junior Member

    Team Member

    I recently had my credit card stolen (not physically, but a duplicate card appeared the other side of the country much like in your scenario), and it's such a frustrating experience. In the end I wasn't able to figure out how it happened, sadly.

    Best of luck on the hunt.

    Rick

  • It does suck. It's getting to the point I'm really tempted to look into a service like ID Shield.

  • @rickfillion
    Thank you, Rick.

    I'm afraid they have stolen my other bank / cc accounts data. However, no other cc numbers are stored anywhere (except for that card), only some banks' online credentials. If 1Password wasn't their source, I'm safe I hope. To be sure I've doubled security everywhere.
    Indeed, I need to try to get to the bottom of how it happened. To be realistic, I'm not expecting much from the bank information. The bank didn't ever confiscate that duplicated card in the ATM when they 2x tried to use their card version after the real one was already blocked by me. So, I still get text messages 'withdraw refused' + amount and the ATM's place in Seoul.

    Best wishes

    Mcneff

  • rickfillion Junior Member

    Team Member

    If you find anything, let us know.

    Rick

  • Sure

  • brenty

    Team Member

    A horrible thing to have to go through, to be sure. Good luck with your investigation!

  • Update: the bank has returned all the money, said it needs another 10 days for investigation.
    No idea yet how it could have happened.

  • Good luck! It's a scary world out there.

  • Very happy to hear that your bank did right by you.

  • Frank

    Team Member

    I'll 2nd that! It's great to hear the bank returned the money. Like Rick said, keep us posted @mcneff if you find out anything and best of luck to you. :+1:

  • brenty

    Team Member

    Wow! That's awesome! I was floored to read this update, as I try to expect the worst while hoping for the best...but it does make some sense that they can do that. I'll be the first to admit that I often give banks a hard time because it seems like they're stuck in the last century in a lot of ways...but this is one situation where the kinds of regulation and institutional rigidity can really pay off: old fashioned paper trails and bureaucratic red tape can protect consumers by making it possible to trace these sorts of things. So glad to hear that they came through for you when you needed them to. :chuffed:

  • Thank you all for compassion and info!

    I'm not sure, but I think the bank acknowledges its shortcomings, like not blocking the card when multiple attempts are made to withdraw cash within a very short period of time (with failed attempts in between).

    I hope the bank will thoroughly tell me how it happened.
    I'll keep you posted.
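
The control described as missing in this post (blocking a card after several withdrawal attempts in a short period, with failures in between), and the missing limit on repeated charge attempts in the earlier CVV example, both come down to a per-card velocity check. The sketch below is an added example, not part of the thread and not any bank's actual logic: the window, the thresholds, the event fields and the sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    card: str       # constructed card token, not a real card number
    approved: bool  # issuer's result for this withdrawal attempt

class VelocityMonitor:
    """Block a card after too many attempts or declines in a short window."""

    def __init__(self, window=timedelta(minutes=10), max_attempts=4, max_declines=2):
        self.window = window              # thresholds are assumed values
        self.max_attempts = max_attempts
        self.max_declines = max_declines
        self._recent = defaultdict(deque)
        self.blocked = {}                 # card -> time the block was set

    def observe(self, ev: AuthEvent) -> str:
        if ev.card in self.blocked:
            return "blocked"
        recent = self._recent[ev.card]
        recent.append(ev)
        while ev.when - recent[0].when > self.window:  # drop events outside window
            recent.popleft()
        declines = sum(1 for e in recent if not e.approved)
        if len(recent) >= self.max_attempts or declines >= self.max_declines:
            self.blocked[ev.card] = ev.when
            return "blocked"
        return "allow"

def replay(events):
    """Feed events in time order; return (card, decision) per event."""
    monitor = VelocityMonitor()
    return [(e.card, monitor.observe(e)) for e in sorted(events, key=lambda e: e.when)]

def _t(hhmm):  # helper for the constructed sample below
    return datetime.strptime("2017-06-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed sample: card-A sees a burst with declines, card-B normal use.
SAMPLE = [
    AuthEvent(_t("03:00"), "card-A", True),
    AuthEvent(_t("03:01"), "card-A", False),
    AuthEvent(_t("03:02"), "card-A", False),
    AuthEvent(_t("03:03"), "card-A", True),
    AuthEvent(_t("09:00"), "card-B", True),
    AuthEvent(_t("18:00"), "card-B", True),
]

if __name__ == "__main__":
    for card, decision in replay(SAMPLE):
        print(card, decision)
```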

  • Frank

    Team Member

    Thank you @mcneff and I hope they let you know how this happened. :+1:

This discussion has been closed.