Notification via email about login from a different location. Spurious or Pwnd?

I received an email today telling me that my 1Password account was used to sign in from a location where I haven't been in years.

The email says:

Hi, Grant. Your 1Password account was just used to sign in to from 1Password for Android.

British Columbia, Canada (208.98.223.3)
Monday, July 27, 2020 at 10:38am PDT

etc.

Email headers appear legit, so I don't think it's phishing:

Authentication-Results: vade-backend19.dreamhost.com; dkim=pass
reason="1024-bit key; unprotected key"
header.d=1password.com header.i=@1password.com header.b=ZaCEe7WM;
dkim-adsp=pass; dkim-atps=neutral

The name of the device that signed in is the same as my legitimate one, but I"m sure that's just an alias and not how you actually identify a device.

But is it possible that a new device belonging to someone in Vancouver accessed my account? Or is it just a spurious issue with routing or something that made it look like the device was in Vancouver?

Scary guys. Appreciate your help.


1Password Version: N/A
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: 1Password for Families
Referrer: forum-search:login from different location

Comments

  • ag_yaron
    ag_yaron
    1Password Alumni

    Hey @gmcinnes ,

    This would be best handled if you send an email to our security support at support+security@1password.com
    Send all the details there and I'm sure they'll be able to investigate the matter with you properly.

  • jmjm
    jmjm
    Community Member

    This is an example of a thread that I hope gets another post from a "Team Member" providing some follow-up so that _others _can benefit from @gmcinnes inquiry.

  • There's not much benefit to be had from the specific results for the original poster, @jmjm, because any case where a new sign in looks off deserves its own investigation. This could be due to how the traffic was routed in this case, but that doesn't mean all sign-ins from abnormal locations should be treated that way. With that said, I do think it's valuable to be aware of how this stuff works so you can make your own informed decisions about when you need to reach out so I'll go ahead and give a rundown there to help those who might find themselves in a similar situation.

    These locations are IP-based, which means we look at the IP associated with the authorization request and determine its location based on that. Those are not always accurate. To give an example, my sign-ins always said they came from a town about 30 minutes north of me with my old ISP. I considered that normal so I never asked about new sign-ins from that city. When I switched ISPs earlier this year, they started coming from the city I actually live in and I ended up asking about that. I didn't make our security team dig in too much – just asked if it was reasonable for that to change when I changed ISPs (it is) – but it's an example where an accurate location could be cause for concern. These locations also can be way off and be totally fine. How your traffic is being routed matters and sometimes an IP normally located in Vancouver might send traffic from somewhere else entirely.

    Personally, I ask about anything that's different from normal when it comes to location, but the best thing to do is look at the totality of the circumstances and also consider your own security needs. Some folks are more or less paranoid than others and that's okay. Did you sign in from a device of that type at about that time? Is the device familiar to you? Is the location pretty darned close or way off? If, in total, you feel comfortable that email was generated by you signing in, given what you know/remember, you're probably right. But, if the answer to any of those questions makes you uncomfortable, always ask. In my opinion, it's always better to ask about something that turns out to be no big deal than miss something malicious so we'll never be upset to hear from you if you're concerned. We do investigate each of these on request and we want you to be comfortable your account is safe. We're always happy to help you get that peace of mind.

  • jmjm
    jmjm
    Community Member

    I do think it's valuable to be aware of how this stuff works so you can make your own informed decisions about when you need to reach out so I'll go ahead and give a rundown there to help those who might find themselves in a similar situation.

    A learned lots @bundtkate so thanks for taking the time to post a follow-up.

  • ag_yaron
    ag_yaron
    1Password Alumni

    On behalf of bundtkate, you're most welcome :)
    We're here if you have anymore questions.

This discussion has been closed.