"Compromised Website" warning about my 1Password support forum account

@Bikr - thanks for the kind words! And I completely get where you're coming from -- it is disquieting to see a site that's related to the app where you store your most important data, having experienced a vulnerability. As a more-sophisticated user, you're also aware that these two things are not "one and the same," though -- it's just unfortunate that not all 1Password users may be able to make that same distinction.

To be clear (and to address @royimous' reply), the "Vulnerable Passwords" section of Watchtower in 1Password for Mac is what uses the haveibeenpwned.com service. Right now, your password for this forum won't be on that list unless you used a password for this forum that was part of an existing breach that Have I Been Pwned was already tracking (I hope you didn't!). The "Compromised Websites" section of Watchtower is where you'd see the message in 1Password for Mac regarding this current issue with this forum, and that part of Watchtower is one we maintain ourselves, unconnected to haveibeenpwned.

When we learn of a confirmed vulnerability of any specific website (the owner of the site confirms its existence, not just a rumor in the tech press), we will post it in Watchtower, and you'll see this warning:

We could potentially have crafted an exception to our policy of notifying users via the Compromised Websites section of Watchtower by simply not adding discussions.agilebits.com to the Watchtower database...but then we'd have gotten a not-insignificant number of alert users who would have seen the password-change requirement from Vanilla and wondered if something was amiss. I definitely agree it's not ideal either way, but I'm not certain there was a solution that would've avoided all worry/confusion. We try to err on the side of privacy and caution, so we added this forum to Watchtower as soon as we were made aware of the issue. Thanks for asking -- and for listening to our response. :)

I would also note as you host the forum on the same site as the vault login.

@bestlem: That is not the case. discussions.agilebits.com is completely separate from my.1password.com, etc., which is where 1Password memberships are hosted.

My master password is now marked as compromised. This should have been told to me as soon as any possibility of it happening. This is very worrying as it is not easy to remember another very secure password. No matter that you say the master password has not been compromised but your software says it has. What should I believe

It depends how you've set things up. Please make sure that

1. you don't mistakenly have both URLs saved in a single Login. Your credentials from one will not work on the other anyway; and
2. you are not using the same password for different things, 1Password-related or not.

You don't need to remember passwords other that your Master Password since 1Password can do that for you. :+1:

This looks like a security failure perhaps the forum should not be on the same site. If you can't do that it seems a reason not to use your site with your software ie go back to how other versions of 1password were used.

As mentioned in the announcement,

Again, that potential exposure is about accounts on this discussion forum. Your 1Password data and account is entirely separate.

We've always kept the support forum separate to ensure that an issue like this has no impact on 1Password itself. Please let me know if you have any additional questions.

@kai1pwd: It's not a coincidence. We intentionally added make forum users aware that a password change was needed, so we added it to Watchtower. I agree that it's a bit confusing, but this is how Watchtower works currently. I think it would be good to expand on the feature, and this is a good example we can keep in mind as we develop it going forward. Thanks for taking the time to share your perspective.

But I have to disagree wholeheartedly about your "risk management" comments. This forum has always been completely separate from 1Password itself. That's, frankly, a nuisance for customers who just want to contact us here to get help and have to sign up for another account in order to do that. We get complaints about it. And I don't disagree with them. But we've always stuck to our principles on this because it ensures that exactly this sort of issue has no impact on the security of 1Password itself -- confusion and optics notwithstanding: absolutely it is not a good look...but I'd rather we do the right thing than make decisions based solely on appearances.

@kai1pwd: Thanks for your reply. :)

not every user is checking on the forums frequently. Me for example I only check in when I have noticed some malfunction in 1PWD I would get solved. As long as 1PWD works, my visits to the discussion forum are zero.

I understand that. I think that there is still confusion about the situation. I apologize for that, and will try to clarify: if you have a 1Password support forum account, and its password has been reset, and you don't do anything with it for a year or whatever, nothing happens: your old password will not work for you or anyone else; and in order to access your forum account you or anyone else would need to create a new password through your forum account's registered email address. So while there is no connection to your 1Password data anyway, this isn't a situation where your forum account is at risk in the short term until you take action; it's simply a matter of fact that in order to login to the forum again after the password reset, you will need to create a new password. Hence the Watchtower notice, so that people will see that their password needs to be changed when viewing their Login item for the 1Password support forum.

it's the first time yesterday I heard about Watchtower. Apparently I am not up-to-date, but as less as I frequent the discussion forums, I also usually don't visit your product website. I'm simply using 1PWD.

Totally! Odds are you've been seeing and using Watchtower every day and just not been aware of it, since it lives in the sidebar in the desktop apps, and will show up in items as you use them. I think there's room for us to do more with it, though we are cautious about having it too "in your face" since annoying users may encourage them to disable it and therefore not benefit from it. It's a difficult balance to strike, and I don't think we've found it exactly, so we'll keep trying. :)

I understand that you have to deal with a very heterogeneous group of customers with varying backgrounds. That there are some complaining about the need for an account on the discussion forum, is interesting, but hasn't been questioned from me. For me the technical distinction from your product, product website, discussion forum, etc. is (mostly) clear and that is not my concern and was not the topic of my previous post.

Nevertheless, it's ours; and I offer it as an example of where we've stuck to our principles with compartmentalizing things even in the face of frustration it causes customers, because the alternative is worse for everyone. Sorry if this is not exactly what you wanted to talk about, but it is relevant. More on that below.

Thanks for reconfirming that all your web-based services and operations are strictly separated, so we can understand that - for now as a theoretical scenario: even if the discussion forum server(s) get compromised, that there is no connection to other servers and zero operational risk for all your other services (may it be out- or inbound). Is this a correct understanding?

That is correct.

customers not necessarily can (or even have to) differentiate between the forum and your product/solutions. Your forum is operated in a customized and branded way, which makes it for many customers certainly difficult to see the difference respectively it makes it less obvious.

I think that's a fair point.

customers are putting trust in Agilebits since many years, so do I, and because you operate basically in the domain of "security you-name-it domain", customers can expect a certain standard - if not actually a higher one for a company like yours - when it comes to risk management (and connected procedures).

That's why these systems are separate -- and not even on the same domain.

You wrote, you (Agilebits) did the right thing. Please elaborate on what do you mean by the right thing you did, because this is quite unclear.

What I said was this:

This forum has always been completely separate from 1Password itself. That's, frankly, a nuisance for customers who just want to contact us here to get help and have to sign up for another account in order to do that. We get complaints about it. And I don't disagree with them. But we've always stuck to our principles on this because it ensures that exactly this sort of issue has no impact on the security of 1Password itself -- confusion and optics notwithstanding: absolutely it is not a good look...but I'd rather we do the right thing than make decisions based solely on appearances.

You seem to agree that we did the right thing in that our "web-based services and operations are strictly separated". And as I mentioned we've done that at the expense of some ease of use and convenience for our customers.

IMHO, it would have been much better if you (Agilebits) would have just simply notified your customers (the ones registered on the discussion forum, as the ones without accounts apparently are not affected) with an email, explaining the situation (to whatever granularity sufficient at that moment in time), and the call for action to reset/change the forum password. That's all. That would be pro-active, and that would be a reasonable countermeasure once you and your 3rd party provider were aware of the security breach.

It isn't completely clear to me what the specific concern you have which you think this would help with is. But I believe that there may just be a misunderstanding, and my comments above may be relevant here:

this isn't a situation where your forum account is at risk in the short term until you take action; it's simply a matter of fact that in order to login to the forum again after the password reset, you will need to create a new password.

This risk has already been mitigated by Vanilla a) fixing the bug and b) resetting passwords. If that addresses your concern, then I can still agree that we could do better if that was unclear. But please let me know either way.

Me, as "forum user", I'm disappointed to only get to know about it, the first time I try to login into the discussion board after the incident. And that could have been somewhere between 1 day after the breach to never-ever-again as long as I don't face issues in the 1PWD app. I hope I could clarify the point of my first post better and hope for a response from you with an emphasis on the main topic, which is the risk communication bit. Thanks.

Likewise, thanks for taking the time to elaborate. I agree with you completely on that point: none of us really have the tools to communicate about this sort of thing well, the way we can about a DDoS or remote code execution. There aren't a lot of website security issues (well, at least not ones that we hear about) which you and I can use as a mental model where they 1) exclusively impact a peripheral site separate from the service people are actually using and 2) have been fixed and mitigated quickly and proactively.

Usually when there is password that needs to be changed/reset, there's an urgency because an attacker could access the account before you get to. Fortunately that's not the situation in this instance.

@kai1pwd: Since we don't collect user data/analytics, and I have no idea who you are, I wasn't aware that you were using an old version of 1Password. That would definitely change things as far as how Watchtower works. Sorry for causing unnecessary confusion there. And indeed, regardless of which version of 1Password you use, disabling Watchtower would prevent you from seeing any of its notices. That's a choice only you can make.

Anyway, I think we're talking past each other here. I'm not sure I understand the specific risk/threat that you have in mind, as you haven't been explicit. If you're just thinking of "potentially exploited credentials", speculation isn't productive. Everything we know at present is in the aforementioned announcement. Is it possible that someone using the same password for the forum on other sites could be affected if it were stolen? Yes. But we don't have any evidence that any passwords were actually stolen, and we of course offer a software product that people on this forum are self-selecting to possess which makes it easy for them to not reuse passwords in the first place, and to generate strong ones to change them where they are. It is not, however, possible for us to know if any user is reusing passwords, nor does it seem reasonable for us to spam all users about an issue that does not affect them, causing unnecessary anguish much greater than what we're seeing here. I don't think it's okay for us to make thousands of others feel worse to make you feel better. If someone had broken into the forum and exfiltrated data, that would be a different story, and we'd need to respond differently, but that isn't the case. So if and when someone comes to the forum and tries to sign in, much as you did, they will be told that they need to complete the password reset, and we're here to answer any questions they have about that, as we have been for you.

To clarify, Watchtower is the means by which we “take responsibility and proactively inform [our] users” about instances where website passwords need to be changed. You've chosen to use outdated software and explicitly disable a security feature -- Watchtower -- which would have made you aware of this, as it has others. That's your prerogative, but please keep in mind that there are serious website issues which you will not be aware of because of doing so (Watchtower downloads the full database periodically to be checked against locally on your device), and you've assumed responsibility to seek out this information yourself, like you have here. To be made aware of situations in the future where a website password change is needed, I'd suggest updating 1Password and using Watchtower. I appreciate that you're passionate about this, but we're just going around in circles. At the end of the day those are two very actionable things you can do (and not do, as far as not opting out of security features) to ensure that you get the message next time; and we'll keep working to improve Watchtower's flexibility and messaging as well -- and you'll benefit from all of that should you choose to do so.

@Orado: 1Password does not use notifications for this, but you can see Watchtower notices in affected items. If we can find a nice way to do it, hopefully we have have a separate "Watchtower" section in the mobile apps in the future too, like their desktop counterparts. :+1: