Use 1Password? Watch for These Dangerous Phishing Emails
Fake Password Manager Notifications Try to Steal Your Secret Key and Passwords
tl;dr
A phishing email posing as the popular password manager 1Password urges users to reset their password via a fake link. The bogus page asks for your email, secret key, and old password. This may be enough for scammers to hijack your 1Password account and access all stored logins. 1Password will never request your secret key through an online form.
Overview
Scammers are sending out emails that falsely claim to be from the 1Password Password Manager. The messages warn that your password may have been compromised in a supposed security incident and urge you to reset it via a provided link.
Here’s a screenshot of the scam email:
What Happens If You Click
Clicking the link opens a bogus password reset page designed to steal your credentials. The page asks for:
Your 1Password email address
Your secret key
Your old password
Your new password
If you enter this information, criminals could set up 1Password on their own devices and link it to your account, thereby gaining access to all your saved logins and sensitive data.
Here’s a screenshot of the bogus web page:
Red Flags
The scam email was sent from an email address that is not associated with 1Password. The company lists the email and marketing domains that it uses on its website.
The scam website also does not use a genuine 1Password domain.
Why This Scam Is So Dangerous
By requesting your email address, secret key, and old password, scammers obtain all the necessary information to compromise your account. Once inside, they could steal your passwords, banking details, and other private information stored in your 1Password application.
How to Stay Safe
Never click links in unsolicited security alerts. Always visit the official 1Password website or app directly.
1Password will never ask you to supply your secret key via an online form. Your secret key is only ever used when setting up your account. 1Password notes on its website:
You’ll use your Secret Key when you sign in to your 1Password account for the first time on a new device. Your Secret Key works with your 1Password account password – which only you know – to encrypt your data and keep it safe.
Report suspicious emails to 1Password and delete them immediately.
1Password Has Not Been Compromised
Thankfully, the fake website linked in these scam emails has now been taken down.
Despite the claim in the scam email, there is no indication that 1Password has been compromised. The company has an excellent security record and would certainly notify its customers if a breach were to occur. Instead, scammers have randomly distributed very large numbers of scam emails in the hope that at least a few recipients will:
Be 1Password users
Fall for the ruse and supply the requested information.
This is a common phishing technique. It only takes a few people to fall victim to the scams for the mass email distribution to pay off for the criminals responsible.
This phishing attack is quite similar to an earlier phishing campaign that occurred back in March 2025. During that incident, Pedro Canahuati, 1Password’s chief technology officer, told Forbes:
Recently, we became aware of a phishing campaign in which malicious actors attempted to trick recipients into resetting their account password and providing their Secret Key. We have confirmed that this incident was not the result of any breach of our systems, and 1Password’s services remain secure.
We Humans Are The Weakest Link
Despite targeted phishing attacks like this, I maintain that high-quality password managers, such as 1Password, are the safest and most effective way to handle your passwords and enhance your online security.
But, no matter how secure a system is, it is often us humans who are the weakest link in the security chain. Even the most secure system can be breached if we let our guard down and inadvertently supply sensitive information to criminals or download malware.
I am a 1Password user and, when I saw this email, I was tired and a bit distracted. If I hadn’t been analysing scams for so long, I may well have fallen for the ruse and clicked.
Thankfully, I’ve trained myself to automatically check for red flags in such emails.
Look at the sender address. Does it look legit? Hover over the link or button in the email and look at the URL that should be displayed at the bottom of your email program. Does THAT look legit? Are there glaring spelling or grammatical errors that you would not expect to see in a professional message? Does the email invoke a sense of urgency or have a threatening tone that implies that you should take action immediately? Does something feel a bit off with the message?
You can develop this skill as well. It only takes a few seconds to check for such red flags.
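The same red-flag checks described above (sender domain, link targets, urgency wording) can be automated for a mail filter or a security-awareness demo. The script below is an added example written for this article, not code from 1Password. It parses a constructed .eml message, extracts the sender's domain and every link target from the HTML body, and reports anything outside an allowlist. The allowlist is an assumption: 1password.com is the company's real domain, the other entry is a placeholder to be replaced with the domains 1Password publishes on its website. The sample messages and the scam hostnames in them are constructed.

```python
"""Red-flag checker for a 1Password-themed phishing email (added example).

Parses a constructed RFC 5322 message, pulls the sender domain and the
href of every <a> tag out of the body, and compares each against an
allowlist of trusted domains. Urgency phrases in the subject or body are
reported as a further warning sign.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: 1password.com is real, the second entry is a placeholder
# standing in for the marketing domains the company lists on its website.
TRUSTED_DOMAINS = {"1password.com", "marketing-domain-placeholder.invalid"}

# Phrases that mirror the pressure tactics described in the article.
URGENCY_PHRASES = ("immediately", "within 24 hours", "compromised", "suspended")


class _LinkCollector(HTMLParser):
    """Collect href targets, i.e. what hovering over a link would reveal."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def registrable_domain(host):
    """Crude 'last two labels' view of a hostname, enough for this demo."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_domain(msg):
    """Domain of the From: address, or '' if none can be parsed."""
    addr = parseaddr(msg.get("From", ""))[1]
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


def check_message(raw_eml, trusted=TRUSTED_DOMAINS):
    """Return a list of red-flag descriptions found in the raw message."""
    msg = message_from_string(raw_eml, policy=policy.default)
    flags = []

    from_dom = sender_domain(msg)
    if from_dom not in trusted:
        flags.append(f"sender domain not trusted: {from_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    collector = _LinkCollector()
    collector.feed(text)
    for link in collector.links:
        host = urlsplit(link).hostname or ""
        if registrable_domain(host) not in trusted:
            flags.append(f"link points outside trusted domains: {link}")

    lowered = (msg.get("Subject", "") + " " + text).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            flags.append(f"urgency language: '{phrase}'")
    return flags


# Constructed sample mirroring the scam the article describes.
SCAM_EML = """\
From: 1Password Security <alerts@secure-login-notice.example>
To: user@example.org
Subject: Your password may have been compromised
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a security incident. Reset your password immediately.</p>
<p><a href="https://1password-reset.example/verify">Reset password</a></p>
</body></html>
"""

# Constructed sample of a benign message from the trusted domain.
LEGIT_EML = """\
From: 1Password <support@1password.com>
To: user@example.org
Subject: Your 1Password receipt
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thanks for your purchase. Your receipt is available in your account.</p>
<p><a href="https://my.1password.com/">Open 1Password</a></p>
</body></html>
"""

if __name__ == "__main__":
    for flag in check_message(SCAM_EML):
        print("RED FLAG:", flag)
```

The scam sample trips four flags (untrusted sender, untrusted link, and two urgency phrases) while the benign sample trips none. The domain comparison is deliberately simple; a production filter would use a public-suffix list and would also inspect Reply-To and the envelope sender.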
Better still, get into the habit of never clicking on email links that ask you to log in to an account or provide personal information. Instead, navigate to the company’s website or official app and log in as you usually would. If the email was genuine, you will likely receive a notification after logging in, and you can then address any issues that arise.
Stay safe!