{"id":5230,"date":"2025-10-07T11:54:27","date_gmt":"2025-10-07T11:54:27","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5230"},"modified":"2025-10-07T11:54:27","modified_gmt":"2025-10-07T11:54:27","slug":"phishers-turn-1passwords-watchtower-into-a-blind-spot","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5230","title":{"rendered":"Phishers turn 1Password\u2019s Watchtower into a blind spot"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Malwarebytes has flagged a new phishing campaign that weaponized user trust in 1Password\u2019s breach notification system, adding that an employee nearly handed over their vault credentials to scammers.<\/p>\n<p>The lure was an email notifying recipients that their master password had been found in a data breach, mimicking a familiar alert from the company\u2019s \u201cWatchtower\u201d feature.<\/p>\n<p>\u201cStealing someone\u2019s 1Password login would be like hitting the jackpot for cybercriminals, because they potentially export all the saved logins the target stored in the password manager,\u201d Malwarebytes\u2019 Peter Arntz said in a blog post.<\/p>\n<p>Incident analysis revealed the use of 1Password\u2019s branding, phrasing, and urgency cues, including legitimate support links, leading to the \u201csecure my account now\u201d button that landed victims on a credential-stealing page on a typosquatted domain.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>A flawed yet convincing fake<\/h2>\n<p>The fake email came from \u201cwatchtower@eightninety[.]com,\u201d an address that at first glance looked authentic. 
The embedded link even used Mandrillapp, a Mailchimp service often seen in genuine corporate emails, before redirecting users to \u201conepassword[.]com\u201d, a deceptive look-alike domain.<\/p>\n<p>Adding a layer of realism, the \u201cContact us\u201d link routed to the real 1Password support page via the same Mandrill redirect. The fake email shared by Malwarebytes displayed generic alert messages like \u201cYour 1Password account password has been compromised\u201d and \u201cTake action immediately\u201d.<\/p>\n<p>\u201cAlthough 1Password\u2019s Watchtower feature can send alerts about compromised passwords, it does so by checking its database of known data breaches and then notifying you directly within the 1Password app or through very specific emails about the breach \u2014 not by sending a generic message like this,\u201d Arntz <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2025\/10\/phishers-target-1password-users-with-convincing-fake-breach-alert\" target=\"_blank\" rel=\"noopener\">warned<\/a>.<\/p>\n<p>However, the ruse didn\u2019t last long. By October 2, the malicious domain had been tagged as phishing by multiple vendors, and Mandrill began blocking redirection to it. Clicking the button by October 3 resulted in only a \u201cbad URL\u201d error, instead of a credential prompt.<\/p>\n<p>While the effort may have saved hundreds of thousands of potential victims, it is unclear how many had already fallen for the trick by then, as a similar (likely the same) campaign was previously reported by <a href=\"https:\/\/www.hoax-slayer.com\/p\/use-1password-watch-for-these-dangerous\" target=\"_blank\" rel=\"noopener\">Hoax-Slayer<\/a>.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Vault keys at stake<\/h2>\n<p>Those who clicked on the phishing link earlier had too much to lose. The cloned landing page reportedly asked users for their 1Password login details, potentially giving attackers access to entire password vaults. 
With that single breach, everything from social accounts to banking credentials could be compromised.<\/p>\n<p>Malwarebytes urged users to remain skeptical of unsolicited alerts, especially those demanding immediate password resets. When faced with such alerts, the safest move is to open the 1Password app directly or navigate to 1Password.com to check account status, it added. The 1Password lure is part of a larger wave of smarter, cleaner <a href=\"https:\/\/www.csoonline.com\/article\/3850783\/11-ways-cybercriminals-are-making-phishing-more-potent-than-ever.html\">phishing operations<\/a>. Similar campaigns have recently abused link-wrapping by URL security services to hide malicious redirects and disguise payloads <a href=\"https:\/\/www.csoonline.com\/article\/4003056\/new-phishing-campaign-hijacks-clipboard-via-fake-captcha-for-malware-delivery.html\">behind fake CAPTCHAs<\/a> that tricked users into pasting commands on their systems.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Malwarebytes has flagged a new phishing campaign that weaponized user trust in 1Password\u2019s breach notification system, adding that an employee nearly handed over their vault credentials to scammers. The lure was an email notifying recipients that their master password had been found in a data breach, mimicking a familiar alert from the company\u2019s \u201cWatchtower\u201d feature. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5231,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5230","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5230"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5230"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5230\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5231"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5230"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5230"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5230"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}