Notification via email about login from a different location. Spurious or Pwnd?
I received an email today telling me that my 1Password account was used to sign in from a location where I haven't been in years.
The email says:
Hi, Grant. Your 1Password account was just used to sign in to from 1Password for Android.
British Columbia, Canada (208.98.223.3)
Monday, July 27, 2020 at 10:38am PDT
etc.
Email headers appear legit, so I don't think it's phishing:
Authentication-Results: vade-backend19.dreamhost.com; dkim=pass
reason="1024-bit key; unprotected key"
header.d=1password.com header.i=@1password.com header.b=ZaCEe7WM;
dkim-adsp=pass; dkim-atps=neutral
The name of the device that signed in is the same as my legitimate one, but I'm sure that's just an alias and not how you actually identify a device.
But is it possible that a new device belonging to someone in Vancouver accessed my account? Or is it just a spurious issue with routing or something that made it look like the device was in Vancouver?
Scary guys. Appreciate your help.
1Password Version: N/A
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: 1Password for Families
Referrer: forum-search:login from different location
Comments
-
There's not much benefit to be had from the specific results for the original poster, @jmjm, because any case where a new sign in looks off deserves its own investigation. This could be due to how the traffic was routed in this case, but that doesn't mean all sign-ins from abnormal locations should be treated that way. With that said, I do think it's valuable to be aware of how this stuff works so you can make your own informed decisions about when you need to reach out so I'll go ahead and give a rundown there to help those who might find themselves in a similar situation.
These locations are IP-based, which means we look at the IP associated with the authorization request and determine its location based on that. Those are not always accurate. To give an example, my sign-ins always said they came from a town about 30 minutes north of me with my old ISP. I considered that normal so I never asked about new sign-ins from that city. When I switched ISPs earlier this year, they started coming from the city I actually live in and I ended up asking about that. I didn't make our security team dig in too much – just asked if it was reasonable for that to change when I changed ISPs (it is) – but it's an example where an accurate location could be cause for concern. These locations also can be way off and be totally fine. How your traffic is being routed matters and sometimes an IP normally located in Vancouver might send traffic from somewhere else entirely.
Personally, I ask about anything that's different from normal when it comes to location, but the best thing to do is look at the totality of the circumstances and also consider your own security needs. Some folks are more or less paranoid than others and that's okay. Did you sign in from a device of that type at about that time? Is the device familiar to you? Is the location pretty darned close or way off? If, in total, you feel comfortable that email was generated by you signing in, given what you know/remember, you're probably right. But, if the answer to any of those questions makes you uncomfortable, always ask. In my opinion, it's always better to ask about something that turns out to be no big deal than miss something malicious so we'll never be upset to hear from you if you're concerned. We do investigate each of these on request and we want you to be comfortable your account is safe. We're always happy to help you get that peace of mind.
0 -
I do think it's valuable to be aware of how this stuff works so you can make your own informed decisions about when you need to reach out so I'll go ahead and give a rundown there to help those who might find themselves in a similar situation.
I learned lots @bundtkate so thanks for taking the time to post a follow-up.
0 -
On behalf of bundtkate, you're most welcome :)
We're here if you have any more questions.
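
Added example, not part of the thread and not 1Password's or DreamHost's code: a minimal parser for the Authentication-Results header quoted in the original post, showing what has to hold before "dkim=pass" supports the conclusion that a sign-in notice is not phishing. The function names are hypothetical, the sample is the quoted header unfolded onto one line, and the alignment test is a simplification of DMARC's relaxed alignment.

```python
import re

# Constructed sample: the header from the original post, unfolded onto one line.
SAMPLE_HEADER = (
    'vade-backend19.dreamhost.com; dkim=pass '
    'reason="1024-bit key; unprotected key" '
    'header.d=1password.com header.i=@1password.com header.b=ZaCEe7WM; '
    'dkim-adsp=pass; dkim-atps=neutral'
)

def split_unquoted(value, sep=";"):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def parse_auth_results(value):
    """Return (authserv_id, {method: {"result": ..., property: value}})."""
    authserv_id, *resinfos = split_unquoted(value)
    methods = {}
    for info in resinfos:
        tokens = re.findall(r'([\w.-]+)=("[^"]*"|\S+)', info)
        if not tokens:
            continue
        (method, result), props = tokens[0], tokens[1:]
        entry = {"result": result.lower()}
        entry.update({k.lower(): v.strip('"') for k, v in props})
        methods[method.lower()] = entry
    return authserv_id, methods

def dkim_aligned(value, from_domain, trusted_authserv):
    """True only if our own mail server reported dkim=pass for the From domain."""
    authserv_id, methods = parse_auth_results(value)
    if authserv_id.lower() != trusted_authserv.lower():
        return False  # not stamped by our receiving server, so it proves nothing
    dkim = methods.get("dkim", {})
    signer = dkim.get("header.d", "").lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    # Simplification: exact match or subdomain of the signing domain.
    aligned = signer == from_domain or from_domain.endswith("." + signer)
    return dkim.get("result") == "pass" and bool(signer) and aligned
```

A pass here only says the message was signed by the domain in the From address; whether the sign-in itself was yours is the separate question the replies above discuss.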