{“lastseen”:”2025-10-06T18:40:29″,”description”:”In a very recent and well-targeted phishing attempt, scammers tried to get hold of the 1Password credentials belonging to a Malwarebytes\u2019 employee.\\n\\nStealing someone\u2019s 1Password login would be like hitting the jackpot for cybercriminals, because they potentially export all the saved logins the target stored in the password manager.\\n\\nThe phishing email looked like this:\\n\\n\\n\\n\\u003e \u201cYour 1Password account has been compromised\\n\\u003e \\n\\u003e Unfortunately, Watchtower has detected that your 1Password account password has been found in a data breach. This password protects access to your entire vault.\\n\\u003e \\n\\u003e Take action immediately\\n\\u003e \\n\\u003e To keep your account secure, please take the following actions:\\n\\u003e \\n\\u003e – Change your 1Password account password\\n\\u003e \\n\\u003e – Enable two-factor authentication\\n\\u003e \\n\\u003e – Review your account activity\\n\\u003e \\n\\u003e Secure my account now\\n\\u003e \\n\\u003e If you need help securing your account, or have any questions, contact us. Our team is on hand to provide expert, one-on-one support.\u201d\\n\\nWhile the email looks convincing enough, you can spot a few red flags.\\n\\n * The sender’s address `watchtower@eightninety[.]com` does not belong to 1Password, which typically use the domain` @1password.com`.\\n * If you hover over the \u201cSecure my account now\u201d button you\u2019ll notice that it points to: `https:\/\/mandrillapp[.]com\/track\/click\/30140187\/onepass-word[.]com?p={long-identifier}`\\n\\n\\n\\nAlthough 1Password’s Watchtower feature can send alerts about compromised passwords, it does so by checking its database of known data breaches and then notifying you directly within the 1Password app or through very specific emails about the breach\u2014not by sending a generic message like this.\\n\\nObviously, the `onepass-word[.]com` is a feeble attempt to make it look legitimate. I guess all the good typosquats were already taken or protected. What’s interesting is that the \u201cContact us\u201d link goes to the legitimate `support.1password.com`, although it also flows through a redirect through mandrillapp.\\n\\nMandrillapp is a transactional email API and delivery service provided by Mailchimp. It enables organizations to send automated, event-driven emails like order confirmations, password resets, and shipping notifications. Mandrill also provides delivery tracking and statistics to their customers.\\n\\nWhat the scammers may not have realized is that Mandrillapp doesn’t forward people to known phishing websites.\\n\\n\\n\\nShortly after the emails went out on October 2, the domain was already classified as a phishing site by several vendors. By October 3, anyone that clicked the button would end up viewing an error message on `mandrillapp[.]com` saying `bad url – reference number: {23 character string}`.\\n\\nBut early birds would have seen this form:\\n\\n\\n\\nAnyone who fell for this scam would have sent their 1Password credentials straight to the phishing crew.\\n\\nOn September 25, 2025, Hoax-Slayer reported about a very similar phishing expedition. This might indicate that this was the first\u2014and probably is not the last\u2014attempt, so be warned.\\n\\nWith the key to your password vault, cybercriminals could take over all your important accounts and potentially steal your identity, so be very careful about where and when you use these credentials.\\n\\n## **Our advice:**\\n\\n * **Do not** click any links or buttons in an unsolicited email\\n * **Do not** provide any of your 1Password credentials or personal information.\\n * If you are concerned about your 1Password account, go directly to the official 1Password website or app and check your account status there.\\n * Use up-to-date real-time protection which includes a web protection module.\\n\\n\\n\\n## Indicators of compromise (IOCs)\\n\\nEmail address:\\n\\n`watchtower@eightninety[.]com`\\n\\nDomain Phishing website:\\n\\n`onepass-word[.]com`\\n\\n* * *\\n\\n**We don ‘t just report on threats – we help safeguard your entire digital identity**\\n\\nCybersecurity risks should never spread beyond a headline. Protect your\u2014and your family’s\u2014personal information by using identity protection.”,”published”:”2025-10-06T17:24:42″,”modified”:”2025-10-06T17:24:42″,”type”:”malwarebytes”,”title”:”Phishers target 1Password users with convincing fake breach alert”,”source”:””,”references”:””,”id”:”MALWAREBYTES:979DD33A430ADD4884BB57A667FD209A”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/10\/phishers-target-1password-users-with-convincing-fake-breach-alert”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-10-06T18:40:29″,”description”:”In a very recent and well-targeted phishing attempt, scammers tried to get hold of the 1Password credentials belonging to a Malwarebytes\u2019 employee.\\n\\nStealing someone\u2019s 1Password login…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-20398","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n