Popular password manager 1Password caused its users a scare when it sent them a message saying their password had been changed, leading them to speculate the worst – that they’d been hacked.
However, CTO Pedro Canahuati has clarified that the messages were sent in error, and came as a result of a brief service outage, not a breach of the best password manager for families.
The scheduled maintenance report (opens in new tab) on the company’s website states that the messages “[appear] to be an unintended side effect of the maintenance. Please ignore this message – neither your account password nor your Secret Key has been changed.”
Fearing the worst
Canahuati further reassured customers that the message, which read ‘Your Secret Key or password was recently changed. Enter your new account details to continue,’ did not mean that “customer data was not affected in any way.”
1Password was migrating its backend databases, which triggered a surge in sync requests which the servers responded to by rejecting the sign-ins. The user client apps then mistakenly interpreted the error code from the servers and sent out password change alerts to US customers instead.
The traffic to the servers became stable again on April 27 in the evening, with no more failed sign-in attempts detected after this point. The next day, no more error messages were showing.
A similar incident occurred in December last year, as users were getting the same password change message. Little is known about the cause of this issue, but users were directed to contact the support team and 1Password, and since no more has been heard on the issue, it is assumed that it was once more only a minor error. Far fewer customers were affected too.
Canahuati said 1Password will be looking into the cause of this error from last week’s incident to improve database migration and error handling, adding that: “we take the integrity of your data and the stability of our systems very seriously and will continue to work hard every day to earn the trust you’ve placed in us.”