EXTREME HEADS UP
I just go phished on my 1Password account from an email talking about unconfirmed users. Clicked a link to:
httpx://mkt-lnk.1password.co/n/
And it's on a Family Account that's managed by my wife who's currently in Kuwait.
FUCK!
/cc @1password
I've been getting a lot of those "your parcel couldn't be delivered" phishing attacks lately and if you're a human with a phone, you probably have been too. Just as a brief reminder, they look like this: These get through all the technical controls that exist at my telco and
So the “phishing link" with the .co domain was a valid link and documented as such:
https://support.1password.com/email-domains/
But I still find it inexcusable.
That link caused 30 minutes of complete panic. I know enough about how phishing works to know how absolutely fucked I'd be if that link hadn’t just been to track my click in the email.
I am just now starting to recover from the episode.
Which brings up another question: why is a company I pay to protect my private information using tracking links in the emails it sends me?
Privacy should be a part of all operations at 1Password.
When one of the leading products that protects your passwords encourages you to use a phish-like link, it's pretty much game over.
FedEx has legacy systems, arcane government regulations, and a bunch of weird infrastructure. Their phish-like links are understandable, at least.
1Password using a phish-like link just so they can track my fucking click makes no sense at all.
And the irony here?
I got this email about unconfirmed users, but can't do anything about it because I'm not the family organizer.
After 30 minutes of panic, I got nothing to show for it.
And thanks to all the folks who let me know about the .co link being legit.
If you've ever been phished, you know how much relief I felt by seeing these messages.
@chockenberry Sorry about the scare! I pinged our team to get this fixed.
FWIW, I purchased as many 1password and 1password-like domains as I could find to make the phishing attacks more difficult.
Not sure if we bought 1password.xxx though 🤔
@chockenberry sometimes I consider 1Password because it looks like the experience is nicer, but then I remember the corporate-owned, closed nature of it probably means stuff like this that I won't see from Bitwarden.
There's no good excuse for this from a password manager!
@caseyliss @chockenberry As someone that doesn’t just use platforms, 1Password has improved massively on Windows/Android since launching v8. Obviously YMMV, but just to point out that there have been real benefits for some users.
All that said, this email tracking is obviously complete fucking bullshit 🤬.
@goldenbough Phishing is even more of a concern in a corporate environment.
Getting a foothold inside a firewall exposes a lot more people and information to danger.
Craig Hockenberry
snowy
Roustem
Cabel Sasser
Aaron
Wonkish
Gui Rambo
Josh Rivers
Kelly Guimont
Paul Stockton
Steve Riggins
Jonathan Lang
rardk64
Casey Liss
Ravi 
Jonathan Gulbrandsen
Mat Gadd
Kuba Suder • @mackuba.eu on 🦋
Rick
philbee
Owen 🇦🇺
Timothy Swan
Chris Williams
Golden
Frank Endrullat 🌻
Chancerubbage
Dmitri Kalintsev
Bryan
Subluminal
matthias haak
Josh