Do check the above link; I've shared details there. I'm surprised by the response from the 1Password team. If this is the thinking, then why should we waste our money on you?
I've tried to share the complete communication through screenshots too.
@vishalsheth Accusing a company of having a data breach is a big step if they haven't acknowledged it themselves and their data hasn't been added to haveibeenpwned. I can understand why 1Password would not want to declare this unilaterally. Is Troy Hunt aware of this breach?
@missingbits I'm not accusing the company of a data breach. I'm saying that when there is news of a breach, inform customers so they can change their details. It has happened in the past that companies didn't acknowledge a breach at first but did so later. The idea is that we keep our things as secure as possible: on such news, change details to be safe. That's where 1Password takes action and is helpful.
@vishalsheth I'm saying it would be a big step for 1Password to accuse a company of a data breach when that company has not acknowledged it. I don't think it would be wise for 1Password to claim that there has been a breach without some independent research and analysis. Troy Hunt spends a lot of time investigating data found on the dark web and trying to contact the suspected source of the leak. Only after he has done this will he add data to haveibeenpwned. He outlines the process in the following blog post:
Similar discussion here:
(Difference: the breach is added to HIBP, but Facebook refuses to take responsible action)
@missingbits I understand. But when it is listed, it's a breach; when it's only news, something like "probable breach" or similar can be shown. Then we as users can decide whether we need to change details.
If you have reason to believe that an account of yours has been compromised, you can and should act accordingly. But as mentioned above, we do not want to have our software notify users of rumours and hearsay, only concrete, confirmed security breaches.
Something you may not be considering is that if users were notified of every rumoured breach (e.g. this or this), they would be inundated with notifications, so the notifications would not be actionable. That is not only a practical problem of sheer volume; it is also impossible to know whether changing the password would help at all ("personal data" usually cannot be changed, and changing a password after the data has already been stolen will not help with that), at what point it would need to be changed, and when it is safe to keep it as is (as opposed to changing it every day if it hasn't been determined that any security holes have been patched, that attackers already inside have been eliminated, etc.).
Given all of that, I'm not sure what you're proposing we even do. Notify all 1Password users with that URL saved that something may have happened to their account? And that they should...do what exactly about it? That's the dilemma. I don't think it's beneficial to anyone to be alarmist without clear purpose based on facts. If and when there is confirmation and something actionable for 1Password users (e.g. passwords were stolen, security flaw addressed, and users changing their passwords at this point will be able to secure their accounts), then we'll be happy to add that information to 1Password.
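The "only notify when it is confirmed and actionable" rule argued for in the post above can be written down as a small triage routine. The following is an added example, not 1Password's or Watchtower's code: it assumes breach records shaped like the public Have I Been Pwned breach model (Name, Domain, BreachDate, IsVerified, DataClasses), and the logins and breaches below are constructed sample data, not real incidents. A saved login is flagged only when a verified breach for its domain exposed credentials and the stored password predates the breach, so rotating it now actually helps; unverified rumours and breaches that leaked only unchangeable personal data are suppressed with a reason.

```python
"""Triage saved logins against breach records: notify only on confirmed,
credential-exposing breaches where a password change is still useful.

Added example (not 1Password's code). Field names mimic the HIBP breach
model; all records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

# Data classes whose exposure makes rotating the saved credential useful.
# Leaked names or email addresses cannot be "changed", so they do not trigger.
CREDENTIAL_CLASSES = {"Passwords", "Password hints", "Auth tokens"}


@dataclass(frozen=True)
class SavedLogin:
    domain: str
    password_changed: date  # when the stored password was last set


@dataclass(frozen=True)
class Breach:
    name: str
    domain: str
    breach_date: date
    is_verified: bool          # HIBP-style IsVerified: confirmed, not a rumour
    data_classes: frozenset    # HIBP-style DataClasses


def exposes_credentials(breach: Breach) -> bool:
    """True if at least one leaked data class is a rotatable credential."""
    return bool(CREDENTIAL_CLASSES & breach.data_classes)


def triage(logins, breaches):
    """Return (notify, suppressed).

    notify:     {login domain: [breach names]} for logins that should rotate.
    suppressed: {breach name: reason} for breaches that must not alert users.
    """
    notify: dict[str, list[str]] = {}
    suppressed: dict[str, str] = {}
    for b in breaches:
        if not b.is_verified:
            suppressed[b.name] = "unverified (rumour or hearsay)"
            continue
        if not exposes_credentials(b):
            suppressed[b.name] = "no credentials exposed; nothing to rotate"
            continue
        for login in logins:
            # A password set after the breach date was not in the stolen set.
            if login.domain == b.domain and login.password_changed <= b.breach_date:
                notify.setdefault(login.domain, []).append(b.name)
    return notify, suppressed


# Constructed sample input (assumption: not real sites or incidents).
SAMPLE_LOGINS = [
    SavedLogin("example.com", date(2020, 1, 15)),
    SavedLogin("shop.example", date(2023, 6, 1)),
    SavedLogin("forum.example", date(2019, 3, 3)),
]
SAMPLE_BREACHES = [
    Breach("ExampleCom", "example.com", date(2021, 5, 2), True,
           frozenset({"Email addresses", "Passwords"})),
    # Verified and credential-exposing, but the user already rotated after it.
    Breach("ShopExample", "shop.example", date(2022, 11, 9), True,
           frozenset({"Email addresses", "Passwords"})),
    # Press rumour, not confirmed by the site or an HIBP-style investigation.
    Breach("ForumRumour", "forum.example", date(2024, 2, 1), False,
           frozenset({"Passwords"})),
    # Confirmed, but only unchangeable personal data leaked.
    Breach("ForumMarketing", "forum.example", date(2021, 8, 8), True,
           frozenset({"Email addresses", "Names"})),
]


if __name__ == "__main__":
    notify, suppressed = triage(SAMPLE_LOGINS, SAMPLE_BREACHES)
    for domain, names in notify.items():
        print(f"ROTATE  {domain}: {', '.join(names)}")
    for name, reason in suppressed.items():
        print(f"SILENT  {name}: {reason}")
```

With the sample data only example.com is flagged: the shop breach is confirmed but the stored password already postdates it, the forum rumour is unverified, and the forum marketing leak exposed nothing the user could rotate.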