Extreme emergency - my fault is under the control of hackers

brendanb
brendanb
Community Member
edited August 2016 in iOS

I just received a notice from Royal Bank of Canada that someone used my username and password but failed the test questions. There is only one way they could have access to my username and password. Someone has broken into one of my devices via a stealth hack. I NEVER Let anyone use my iPhone, iPad or MacBook Pro. From the very beginning of using online banking, I have used password to save my information. Although I have reset my usernames and passwords for all banking, I have now discovered a second problem. Somehow my settings have been altered to never require entry of my master password. This has been synced across all devices and I am unable to change my master password.

I do not know what to do at this point. I am requesting a call immediately for phone support and possible investigation. I can be reached at the number below.

My original license information is attached for confirmation. However, this seems pointless since whoever broke into my vault also has the same information.

[Edited by moderator to remove personal information and license details]

I do not know what to do at this point. I am requesting a call immediately for phone support and possible investigation. I can be reached at the number below.

I have included no contact information in this post. However, I would very much appreciate and email reply as soon as possible with a contact number. I need advice as soon as humanly possible on how to deal with the situation.

Comments

  • AGAlumB
    AGAlumB
    1Password Alumni

    @brendanb: First and foremost, I'm sorry to hear of the troubles you're having! But please be aware that this is a public forum, so all of the sensitive information you posted about yourself and your purchase details could be seen here by anyone until I edited your post to remove it. :(

    We don't have a call center, but we're happy to help here in the forums or via email. However, given the sensitive nature of the issue, I'll reply there and we can continue the conversation via email. But I did want to address a few things here in case it helps you or anyone else:

    Your 1Password data is encrypted unless you're actively accessing it. An attacker would need to have both the vault and your Master Password in order to access it without your help. So, to compromise 1Password, someone would need to either need to compromise you to get your Master Password, or compromise your computer and wait to collect data as you accessed it — for example, taking screenshots as you view an item, keylogging, etc.

    But since you're posting in the iOS category of the forums, I'm not sure that applies to your situation. In the case of iOS, it isn't possible for any apps to access each other's data, as each keeps data in its own sandbox, and this is enforced by system-level encryption. Malware is common on the PC, rarer on the Mac and Android, and effectively nonexistent on iOS (apart form the occasional vulnerability or rogue app in the App Store).

    So how does this happen then? There are actually a number of ways that someone can get your login credentials.

    It's often impossible to say for certain after the fact, but if you're reusing a password for multiple sites and one is compromised, it can be used elsewhere. And it isn't necessary for you to give someone physical access to your devices; you simply need to open a maliciously crafted file, download something shady, or fall prey to an exploit in a plugin like Java or Flash when surfing the web. Or if the browser or network has been compromised or simply has lax security settings, someone may perform a person-in-the-middle attack between you and websites, which would allow them to collect data as it is transmitted and received. 1Password is designed to store your data securely. It cannot defend against malicious software being installed or against someone accessing your devices. Only you can. But the good news is that even if your machine is compromised, no one will have access to your vault unless you grant it to them.

    In the case of the Master Password, 1Password requires one. You can't have a "blank" Master Password. However, if you're using Touch ID on your iOS device(s) you may opt to have you Master Password stored in the system Keychain to use Touch ID to unlock 1Password instead — usually temporarily, depending on your settings.

    It's weirdly comforting that "security questions" actually helped in this case, though I'm surprised that those weren't known as they're often based on publicly available information. I'll reply via email shortly to get some additional information to see if we can get a better sense for what's happened, and how you can recover from this situation.

    ref: NPX-96149-332

This discussion has been closed.