What else do I need to do after a breach?

codeknight
Community Member
edited September 2023 in Lounge

Context

Sorry this isn't specific to 1Password, but I'm looking anywhere I can for support.

Around the 26th August, my Windows 11 PC detected two ransomware / trojan infections. Initially they were allowed to run as I thought they were false positives, and they were removed shortly afterwards by Windows Defender. My passwords have been randomly generated 20 character strings for years, all in 1Password. My 1Password vault contain(ed) passwords, passport details, credit cards and bank account details. All my accounts have 2FA enabled (I use 1Password for the TOTP).

Chronological order of events

  • On the 29th I had an email from Microsoft that a new app had been added to my account (called a "google authenticator" or similar) which wasn't me. I already had 2FA on my Microsoft account. I didn't receive a login alert (which is set up). I logged in and removed the new app and changed my password.

  • That morning I reformatted my PC using a fresh USB bootable media created from Microsoft's website, by deleting all partitions and doing a fresh install.

  • I ran all the virus scanners from https://www.reddit.com/r/antivirus/comments/jh3s0g/comment/g9v2n1k which all came back clean (they still show clean today).

  • Sept 1st - I woke up to find my Google account removed from my phone. I logged in on my PC and saw that at 3am, Google signed me out of all devices because my account was accessed from a device with a "suspicious app" AFTER the format, and while the PC was switched off. Google doesn't say what the suspicious app actually is. Again, I had 2FA enabled before this occurred.

  • I'd ordered 2 Yubikeys which arrived and added them to 1Password as required extra authentication + other services that support them.

  • I enrolled in the Advanced Protection Program from Google, so it's now impossible to access my account without one of my Yubikeys.

  • I cycled my 1Password security keys by recovering my account using a Family Organizer

  • I cycled the Secret Key for my 1Password account, then changed my master password

  • I've changed all my important passwords

  • 2nd Sept I had a notification on my phone that someone was trying to log in to my Apple account (AFTER I'd changed my password and added Yubikeys). No location data in the popup, just “your Apple ID is being used to sign in”. Didn’t think to take a screenshot, just immediately tapped “It’s not me”.

  • Every day I've checked, Microsoft, Google, Apple & 1Password are showing no unrecognised devices, no failed or successful login attempts that aren’t me.

  • Today I cancelled all my bank cards

Questions

  1. What might that "suspicious app" be in Google?
  2. How did any of this happen with 2FA enabled on all of those accounts?
  3. How was an authenticator added to my Microsoft account without it triggering a login alert, or showing any login activity?
  4. How was someone able to "try to login" to Apple after I changed my password and added Yubikeys as authenticators?
  5. What else do I need to do? I feel like I've locked everything down, but as I can't work out how that authenticator was added, how someone knew the Apple login details after they were changed, or what that "suspicious app" might be, I'm very paranoid about it.

1Password Version: 8
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • Tertius3
    Community Member

    You can go to your Microsoft account and open its security dashboard. There is a login activity log, and there you should be able to see which machines logged in from which location (location is guessed from the IP address). Unless you're travelling, you should always see the same addresses and locations (within some range; IP geolocation isn't perfect). It should be easy to identify any external access. If there is none, access has only been from one of your devices, remotely controlled.

    If you miss a notification from your Microsoft account, it either has not been sent at all or it has been deleted before you were able to see it. You didn't say what notification type exactly you're referring to, but if it's email, and the attacker also had access to your email, they might have deleted that notification before you saw it.
    If it has not been sent at all, then there was no login (also check the activity log, see above), and all account operations have been done from a machine already logged in. For example from some trojan running on one of your devices, or that device has somehow been remote controlled. Or some device was logged in some time ago and you didn't notice. Go back and check the login activity for the last 1-2 months.

    It boils down to the question of whether you were actually able to remove the attacker from all of your devices (trojan apps) and from all accounts (compromised credentials). What has actually been compromised depends on the kind of trojan you got. As long as the attack stayed automated and was not targeted, you should consult some of the virus databases and check what kind of activity this trojan was doing. You wrote "ransomware", but make sure you learn exactly what this specific kind of malware is able to do. Depending on that research, you should focus on those things and check how you mitigated those kinds of malware actions.
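    The two checks described above (sign-ins from an unfamiliar device or location in the last 1-2 months, and account changes that were not preceded by any sign-in, which points at an already-authenticated session) can be run over an exported activity log. The following is an added example, not code from the thread or from any vendor; the log entries, device names and "home" locations are constructed, and the export format is assumed to already be parsed into `Event` records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    when: datetime
    kind: str          # "signin" or "change"
    device: str        # device name as the account dashboard shows it
    location: str      # coarse IP geolocation as the dashboard shows it
    detail: str = ""   # for "change" events: what was modified


# Assumed allow lists: the devices and places the owner normally signs in from.
KNOWN_DEVICES = {"desktop-pc", "phone"}
HOME_LOCATIONS = {"Manchester, GB", "Leeds, GB"}

# Constructed sample log (not real data), mirroring the thread's timeline:
# a normal sign-in, then an authenticator added with no fresh login before it,
# then a sign-in from a device and place never seen before.
SAMPLE_LOG = [
    Event(datetime(2023, 8, 20, 9, 0), "signin", "desktop-pc", "Manchester, GB"),
    Event(datetime(2023, 8, 27, 22, 15), "signin", "desktop-pc", "Manchester, GB"),
    Event(datetime(2023, 8, 29, 3, 10), "change", "desktop-pc", "Manchester, GB",
          "authenticator app added"),
    Event(datetime(2023, 9, 1, 3, 0), "signin", "unknown-android", "Far away, ZZ"),
]


def unfamiliar_signins(log, known_devices, home_locations, now, lookback_days=60):
    """Sign-ins within the lookback window whose device OR location is not on the allow lists."""
    start = now - timedelta(days=lookback_days)
    return [e for e in log
            if e.kind == "signin" and e.when >= start
            and (e.device not in known_devices or e.location not in home_locations)]


def changes_without_recent_signin(log, window_hours=24):
    """Account changes with no sign-in (from any device) in the preceding window.

    Such a change came from a session that was already authenticated, which is why
    no login alert would have fired for it; the device holding that session is suspect.
    """
    flagged = []
    for change in (e for e in log if e.kind == "change"):
        start = change.when - timedelta(hours=window_hours)
        preceded = any(e.kind == "signin" and start <= e.when <= change.when for e in log)
        if not preceded:
            flagged.append(change)
    return flagged
```

    Both functions return the flagged events rather than printing them, so the output can be cross-checked against the timeline of when each device was actually powered on.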

  • codeknight
    Community Member

    I appreciate your response, thank you. I can see on my Instagram history that hundreds of images were liked (presumably by a bot) and a Story was posted to a crypto scam. I'm currently assuming that my browser was session-jacked. I've also got to assume that someone had access to my 1Password vault, though I don't understand how that was possible - as I got a notification that someone logged in to my Apple iCloud account, after the password was changed.

  • @codeknight

    I'm sorry to hear that your Windows PC and some of your accounts may have been compromised.

    Commenting on the security of services other than 1Password is outside the scope of this community and I recommend reaching out to the manufacturer of your devices (Microsoft Support since you're using a Windows PC, and Apple Support if you're using an iPhone) so that they can help you secure your devices and make sure that they aren't compromised. I also recommend reaching out to the services that you use so that they can answer your questions about how to secure your Microsoft, Google, and Apple accounts.

    It sounds like you did everything right from the 1Password end of things: regenerating your Secret Key and changing your account password. Double-check that you don't see any unknown devices under Trusted Devices and Browsers when you log in to your 1Password account on 1Password.com (in the browser, not the app) and click your name and then My Profile.

    The following guides from Apple, Google, and Microsoft have some good advice:

    If you see any sign that your 1Password account has been compromised or have any other questions then please reach out directly to our security team via email: support+security@1password.com

    -Dave

  • Goldfinger
    Community Member

    Codeknight - I appreciate Dave's point, about 1P being unable to formally help with the other services, AND, I hope that they would allow non-1P people/staff to assist you via this board.

    If it's allowed: Sorry that this happened to you. I agree you did follow good steps, but the ongoing tenacity depends likely on your profile and what they discovered. I.e. you are busy selling a house/business. Assume they read your email via a keyword search.
    Also, please confirm if they _attempted_ to get into your Apple ID, as you wrote initially, or if they _did_ manage to login. (Your 2 statements conflict.)

    You are likely to see SIM card swaps attempted now. So anything still on SMS/text, try to move that to Google Voice or the Efani SIM card service, or an eSIM. Specifically banks and Twitter (blue checks are ironically **more** vulnerable to account takeover via SIM swap on Twitter) still doing old-style 2FA.

    Since your Instagram hack post was for crypto, make sure any digital assets you might have are key'd analogue/offline where possible.

    Lastly, check the Google and MS accounts for apps that are authorised. Remove them all, even if you recognize them.

    1P mods- if you object to the continued discussion here, please suggest a forum for us to have it. I try not to reddit much about this.

    LMK,
    M.

  • codeknight
    Community Member

    Thanks for the replies everyone. Yes, I wasn't specifically looking for support from 1Password, just posting here for visibility from people who might care about security. I also posted this on Reddit.

    In the last week, I haven't seen any additional attempts to get into anything. I've been checking the important accounts every day and am not seeing any additional activity.

    The message I had on my phone was "Your Apple account details are being used to sign into your account", which is the message you get when someone IS signing into your account, not attempting to reset the password. I've since changed the password, and my device passwords, and my recovery email address.

    As I've changed all my passwords, set up security keys, reset all the backup codes and changed the TOTP secrets, I'm pretty sure everything is locked down again now.

  • @codeknight

    I'm happy to hear that you're locking things down and working to make sure that all of your devices and accounts are safe to use. It sounds like you're doing the right things but I would still recommend reaching out to the vendors in question (Apple, Google, Microsoft, etc.) so that they can help you make sure that everything is secure.

    -Dave

This discussion has been closed.