"Add these logins" in Watchtower's Breach Report is blank

When I log in to my.1password.com, go to Watchtower -> Breach Report and click on "Run report", it opens up a dialog box that says "Your data was found in 9 breaches ... We've searched the haveibeenpwned.com database..." Below that, in the same dialog box, it says "Add these logins to your vault & change passwords", but below that there's nothing. The dialog box just ends there.

Is this a bug? Does it mean none of my passwords need changing, or that all the breached logins are already in my vault?


1Password Version: Not Provided
Extension Version: 1.14
OS Version: Ubuntu 18.04
Sync Type: 1Password
Referrer: forum-search:Breach report blank

Comments

  • beyerbeyer

    Team Member
    edited April 14

    Hey @smtchahal!

    I've just recreated your issue and do believe this is a bug. Thanks so much for bringing this to our attention! ❤️

    I don't personally work on the 1Password web app, but I've opened a new issue (5589) with that team on your behalf. Until that get's resolved, you can manually search for your email address in the haveibeenpwned.com (HIBP) database. You should see the same nine breaches listed there that the 1Password Web App found when using the HIBP API, but if you don't, please let us know. I highly recommend changing your password for anything site listed in the HIBP database if you haven't already.

    Have a great week and thanks for using 1Password! 💙

    Beyer

    ref: b5/b5#5589

  • Hi @beyer,

    I should've mentioned, I was already aware of the breaches and I've already taken the necessary steps.

    But haveibeenpwned.com does report 12 breaches sites instead of 9. Might this be a bug in haveibeenpwned's API?

  • smtchahalsmtchahal
    edited February 21

    @beyer Also, I should mention: two of those are "unverified" breaches, and one breach didn't leak passwords at all, so maybe that's why 1Password reports nine?

  • beyerbeyer

    Team Member

    @smtchahal: That sounds about right. Some breaches don't provide us enough actionable information for users to do anything. For example, if HIBP doesn't know the website that the breach occurred on or if it was only personal information and not a password related breach, we can't suggest for users to change their password.

    For example, when I look at one of my older email addresses, it indicates that it was found in the
    "River City Media" and the "B2B USA Businesses" spam lists.

    This is a relatively new feature, so perhaps @Jasper can stop in and give us all of the details on what we do and don't include in Watchtower. He will likely be the one fixing the bug you found as well. 😉

    Cheers,

    Beyer

  • JasperJasper

    Team Member
    edited February 21

    Yeah we filter the HIBP breach list a little bit, for us to show them they need to include:

    • a domain (if it's not tied to a specific website there's not really an action that can be taken in terms of adding that site to 1Password)
    • passwords leaked in the breach (again, the only action 1Password suggests is changing your password)
    • the verified flag (just to be sure that they're 100% legitimate)

    And we'll get that bug with no breaches being listed fixed up, thanks for the report!

  • Good to know, thanks!

  • I learnt something from this as well :smile:

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file