My Authy account was hacked. I have 1Password as an Authy account. Is my 1PW account compromised?

securityplease
Community Member

I recently changed my phone number. My Authy account was registered on my old phone number and I did not remember to change it to my new number. Today, I got an Authy alert (SMS) telling me a new device was added to my Authy account and that they were adding Core BackOffice. I didn't understand what was going on and thought perhaps my wife had done something, so I was slow to react. About four hours later I noticed Authy had sent me an email security alert that the device had been added, and I spoke with my wife, who confirmed she had not done anything. I have a number of accounts on my Authy app, including 1Password. Does this mean that my 1Password account may have been compromised? I have since gone into Authy and disabled the multiple device function (which I was not aware of), switched the phone number to my new number, and enabled the PIN. Any help is appreciated.


1Password Version: 1Password 7 Version 7.9.2 (70902005) 1Password Sto
Extension Version: Not Provided
OS Version: macos 10.15.7

Comments

  • Hi @securityplease

    I'm sorry to hear about the trouble you've had with Authy. In order to access a 1Password account someone would need:

    • The email address associated with the account
    • The unique Secret Key
    • The account password

    In addition, if 2FA is enabled (it sounds like in your case it is), they'd also need to authenticate with 2FA. Having the 2FA code without the other data is not sufficient. Unless you have reason to believe the other items were also compromised, I wouldn't assume there is reason for concern, as related to 1Password, here. I'd also point out that an email is sent to the account holder when a device that either hasn't previously signed into 1Password, or needs to be reauthorized, signs into the account.

    Lastly I'd say if you're still nervous, out of an abundance of caution, you could change your 1Password account password:

    How to change your 1Password account password

    You could also disable 2FA and re-enable it, which will create a new 2FA secret, invalidating the old one. I hope that helps!

    Ben
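
What re-enrolling 2FA changes, as an added example that is not part of the original thread and is not 1Password's or Authy's code: a standard RFC 6238 TOTP check in Python, where the `Account` class and `rotation_demo` are hypothetical names. It models only the 2FA layer and shows that codes derived from a previously copied secret stop verifying once a new secret is enrolled.

```python
import base64, hashlib, hmac, secrets, struct

def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32: str, code: str, at: int, window: int = 1) -> bool:
    """Accept the current 30 s step plus/minus `window` steps for clock drift."""
    return any(hmac.compare_digest(totp(secret_b32, at + d * 30), code)
               for d in range(-window, window + 1))

class Account:
    """Hypothetical server-side record holding the enrolled TOTP secret."""
    def __init__(self) -> None:
        self.totp_secret = self._new_secret()

    @staticmethod
    def _new_secret() -> str:
        # 20 random bytes, base32-encoded as authenticator apps expect
        return base64.b32encode(secrets.token_bytes(20)).decode()

    def reenroll(self) -> str:
        """Disable and re-enable 2FA: the old secret is discarded."""
        self.totp_secret = self._new_secret()
        return self.totp_secret

    def check(self, code: str, at: int) -> bool:
        return verify(self.totp_secret, code, at)

def rotation_demo(at: int = 1_700_000_000):
    acct = Account()
    copied = acct.totp_secret          # secret that reached an unrecognised device
    before = acct.check(totp(copied, at), at)      # copied secret still works
    fresh = acct.reenroll()                        # user re-enables 2FA
    after_old = acct.check(totp(copied, at), at)   # copied secret now rejected
    after_new = acct.check(totp(fresh, at), at)    # new enrolment accepted
    return before, after_old, after_new

if __name__ == "__main__":
    print(rotation_demo())
```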

  • securityplease
    Community Member

    Thanks Ben. Appreciate your help.

  • You're welcome. :) Happy to help. If we can be of further assistance, please don't hesitate to contact us.

    Ben

This discussion has been closed.