My Gmail was hacked using a 1Password password. WHY?
My Gmail was hacked today using a 1Password-generated password. How is this possible and how can I be sure that it won't happen again?
Comments
-
Hi @mschaner,
Thanks for taking the time to write in! Sorry to hear about the scare. Could you please tell me what leads you to believe your Gmail account was hacked? What were the symptoms?
Also: do you have 2-Step Verification turned on for your Gmail account? You can read about 2-Step Verification here:
Google 2-Step Verification
As Google points out, a password can be stolen by:
- Using the same password on more than one site
- Downloading software from the Internet
- Clicking on links in email messages
Even if the password is one that 1Password generates for you, if you use it on multiple sites, and one of those other sites is compromised...
Enabling 2-Step Verification wherever available is a great way to further protect your accounts. Many popular sites & services are starting to allow for 2-Step Verification, including Facebook, Google (Gmail, YouTube, etc.), Dropbox, WordPress, and Microsoft (Live), to name a few.
2-Step Verification may help for some accounts for the future, but it isn't a silver bullet. Good security habits (including making sure your computer isn't infected with malware) are still necessary to protect your accounts.
If you have the Pro features for 1Password for iOS, 1Password can manage these 2-Step Verification codes for you:
Set up one-time passwords | 1Password for iOS
Any further details you can provide us about what you saw may help in providing some clues as to what may have happened.
Thanks!
Ben
0 -
How was it hacked? If they phished for your password, or something, no password is safe. It's still on the user end to make sure you're aware of this. Did you use a friend's or public computer to access your email? Did you get an email asking to update or confirm your password? Malware, Trojan, or a virus on a computer?
As @bwoodruff said, use 2 step verification and use this on every account that offers it. Dropbox, Facebook, Twitter, Outlook/Hotmail, Apple ID, Snapchat, and others all use 2 step verification.
You can use this to see which services use 2 step verification:
https://twofactorauth.org
0 -
@mschaner: Indeed, there are a few ways someone could get your password:
- You gave it to them indirectly (by giving them access to your vault).
- You reused the password elsewhere, and the secondary location was compromised.
- You gave them access to your system and they were able to capture it.
- You gave it to them directly (as part of a phishing attack).
- They guessed it (effectively impossible with a long, strong, random password).
Without knowing the specifics of the situation it's hard to say which is most likely. Anecdotally I'll say that one risk of using something like a Google account as a single sign on for multiple sites is that it desensitized me to using it just about anywhere. Behaviourally it made me more apt to fall for a phishing scam, so I had to put a stop to that. 1Password can encrypt our most sensitive data to keep us secure, but that means that ultimately we become the weakest link in our own security, so we have to be vigilant.
0