The latest Cure53 audit of 10.2020 states the following:
It was found that changing the master password for the 1Password vault does not reset its underlying RSA key-pair. The latter provides the set of secret keys used to encrypt individual vault items. Therefore, this flaw means that in the event of a vault RSA key compromise (to which multiple vectors are offered through 1PW-01-015), it is impossible to restore the vault to a “safe” state.
I assume this means that a compromised key pair will allow an attacker to get into your account even though you have changed the password. The report does not mention a changed secret key. In this example, if you update your secret key, is the underlying RSA key-pair reset?