1Password Confirms No Security Breach After “Password Changed” Alerts Panicked Users

The password management service 1Password assured users of no security breach after accidentally sending “Secret key or password changed” alerts. As explained, the glitch happened due to technical database maintenance.

1Password Sent Erroneous “Password Changed” Alerts

A few days ago, 1Password users became panicked after receiving abrupt alerts from the service notifying them about some password changes.

Interestingly, it turned out to be a mere technical glitch instead of a severe security issue, as 1Password confirmed no data breach.

Explaining the matter in a blog post, Pedro Canahuati, 1Password’s Chief Technology Officer, stated about the database migration activity that triggered the glitch. During the maintenance time period, the service received multiple sync requests from the users, and instead of correctly addressing those requests, the app erroneously responded with sign-in rejections. As stated,

Our US servers returned an error code that was interpreted on our client applications incorrectly. The client applications displayed an incorrect message stating: “Your Secret Key or password was recently changed. Enter your new account details to continue.” In reality, neither the Secret Key or password had changed.

The glitch existed between 9:03 PM and 9:26 PM ET, affecting the service’s US environments. After this time window, the traffic returned to normal, halting any further sign-in rejections.

Besides sharing the details via the blog post, 1Password has earlier posted updates on its status page to inform users about the matter.

As evident from the timeline shared on the page, 1Password first informed the users about scheduled maintenance planned for April 27, 2023, on April 11, 2023. On April 27, the service posted a short message regarding the maintenance to be ongoing.

Then, within a few minutes of this stats update, the service posted another update informing users about the erroneous messages sent to them. It labeled the glitch as an “unintended side effect” of the activity, assuring the users no change in their passwords or Secret Keys.

Canahauti assured users of thorough safety, explaining that no security breach hit the service. Nor did the event expose any user information.

Nonetheless, since the erroneous messages stressed users, the CTO apologized for the inconvenience.

Related posts

Hard-Coded Credentials Vulnerability Found In Kubernetes Image Builder

Critical Vulnerability Patched In Jetpack WordPress Plugin

Astaroth Banking Malware Runs Actively Targets Users In Brazil