The password is 64 digits, randomly generated, and unique. And somehow they still got it. Google’s Titan Product just stopped my campaign emails from leaking. Take infosec seriously, everybody. If not for yourself, then for your colleagues.
Are you still able to log into it with your password? Curious if the password was reset somehow to a value the attacker knows.
Yes, I could before I changed it.
That doesn’t bode well; it means it was captured via phishing, sniffed via MitM, stolen via keylogger/malware, stolen from a place that has it stored, observed if you typed it in, or perhaps brute-forced. Regardless, that’s what 2FA is for, so congrats on excellent OpSec!
It is nearly impossible to brute-force a 64-bit password.
64 bits is not the same as 64 characters, but I agree, highly improbable, including if there’s a known weakness with how the password was chosen.
I have wondered, though: if someone downloaded the 1Password hash itself (Dropbox, iCloud), could they brute-force it? That password is non-trivial, but it’s not 64 characters.
Question: @BriannaWu, have you ever done a manual copy/paste of your password to log in? If not, unlikely it was phishing and more likely it was a compromised device. Or perhaps someone has access to your 1Password account, especially if that password is weaker and lacks 2FA.

Jul 11, 2020 · 12:03 PM UTC

Not to mention copy/paste is literally the attack vector of TikTok, iirc. So clipboard scraping could be a primary possibility if manual copy/paste.