1Password forum is a compromised website?

doray
doray
Community Member

I was truly surprised to see that the 1Password forum (discussions.agilebits.com) came up as a Compromised Website in Watchtower. The warning says, "This website was affected by a security breach since you last changed your password." Is that true?


1Password Version: 7.3.2
Extension Version: 1.16.2
OS Version: macOS 10.15.1
Sync Type: Not Provided
Referrer: forum-search:1Password forum is a compromised website?

Comments

  • MerryBit
    MerryBit
    Community Member

    Yes, see this post by jpgoldberg at the top of the forum: https://discussions.agilebits.com/discussion/109038/forum-password-reset#latest

  • doray
    doray
    Community Member

    Thank you very much for your prompt response, @MerryBit! I'll go ahead and change my password.

  • ag_ana
    ag_ana
    1Password Alumni

    Sounds good @doray! If you have any other questions, please feel free to reach out anytime.

    Have a wonderful day :)

  • ag_ana
    ag_ana
    1Password Alumni

    And thank you for the assist @MerryBit! :+1:

  • prime
    prime
    Community Member

    Ok, that explains the warning I got :lol:

    I will say this, this was fast. How many companies have issues and we find out months or even years later?

  • XIII
    XIII
    Community Member

    I did not get a password reset email. Others?

    Also https://watchtower.1password.com/report/agilebits.com (as shown in the red Watchtower alert to learn more about the breach) says "No password breaches for agilebits.com have been found."...

  • doray
    doray
    Community Member

    I didn't get a password reset email either. I only learned about the breach through my personal Watchtower (in 1Password.com).

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    I will say this, this was fast.

    Indeed it was, @prime. Their timeline really is impressive. Take a look at their report from earlier today: https://status.vanillaforums.com/incidents/2zdqxf3bt7mj

    How many companies have issues and we find out months or even years later?

    Speaking generally and not about this incident, it is worth noting that sites and services don't become aware of a breach until well after the fact (if ever). There is an adage along the lines of, "there are two kinds of services. Those who know they've been breached and those who don't know it yet." While that is too pessimistic (and I honestly don't believe that we fit into either of those), it is why we've designed 1Password to keep you safe in the event of a breach of our systems. This was there from the very start of our first sketches of the service: Users must be protected in the event of a compromise of the servers. Another way I like to put it is, "we don't plan on being breached, but we definitely plan for the possibility."

    I did not get a password reset email. Others?

    I haven't either, @XIII. I've got no specific knowledge or insight into this incident, but some fixes and mitigations can be deployed more quickly than others.

  • blaxxz
    blaxxz
    Community Member
    edited November 2019

    I was shocked when i saw this message ^^

    But in the Options Watchtower is not active but i got the vulnerable Message in 1P X.
    Or do I understand the option wrong?

    (Hope this text will soon be translated into German.)

    @prime
    I agree with you 1000%. If only everyone handled our data that way.

  • Hi @blaxxz

    haveibeenpwned is only one component of Watchtower. This warning is coming from our Watchtower database directly, rather than from haveibeenpwned.

    Ben

  • blaxxz
    blaxxz
    Community Member

    Oh.. Ok i understand.

    For Security:
    Would it be worth considering integrating 2 factor authentication into the forum?

  • AGAlumB
    AGAlumB
    1Password Alumni

    I'm not sure that's even an option, or that it makes sense in this case, but it's something we can look into.

  • koraykupe
    koraykupe
    Community Member

    Why does https://watchtower.1password.com/report/agilebits.com page says "No password breaches for agilebits.com have been found."?

  • AGAlumB
    AGAlumB
    1Password Alumni

    To clarify, there have been no password breaches for agilebits.com or discussions.agilebits.com; but in the latter case the precaution of password resets has been taken because of potential exposure of user information, as outlined in the announcement.

  • Fairgame
    Fairgame
    Community Member

    FYI, I happen to be on this forum on 15Nov2019. While logging in using iPad, I noticed big red bar on top of AgileBits forum login in 1Password, basically saying to change my password.

    So I did, on my iPad, with few clicks. No big deal.

    No big deal, except, thanks to the watchtower I knew to change the password. I would have never noticed that there was a breach without watchtower notification. I did not even know that this forum runs on vanilaforums. And thanks to 1Password I do not need to know. Just changed my password. Simple. New 19 or so random character password was set for this forum.

    Thanks for making this easy.

  • Thanks for the kind words, @Fairgame. Glad it went smoothly.

    Ben

This discussion has been closed.