EXTREME HEADS UP

I just got phished on my 1Password account from an email talking about unconfirmed users. Clicked a link to:

httpx://mkt-lnk.1password.co/n/

And it's on a Family Account that's managed by my wife who's currently in Kuwait.

FUCK!

/cc @1password

Thanks FedEx, This is Why we Keep Getting Phished

I've been getting a lot of those "your parcel couldn't be delivered" phishing attacks lately and if you're a human with a phone, you probably have been too. Just as a brief reminder, they look like this: These get through all the technical controls that exist at my telco and

Troy Hunt

So the “phishing link” with the .co domain was a valid link and documented as such:

https://support.1password.com/email-domains/

But I still find it inexcusable.

That link caused 30 minutes of complete panic. I know enough about how phishing works to know how absolutely fucked I'd be if that link hadn’t just been to track my click in the email.

I am just now starting to recover from the episode.

1Password email and marketing domains

Learn which domains 1Password uses to send emails and what links are used for marketing, so you can validate messages you receive and make sure they're not marked as spam.

1Password

Which brings up another question: why is a company I pay to protect my private information using tracking links in the emails it sends me?

Privacy should be a part of all operations at 1Password.

When one of the leading products that protects your passwords encourages you to use a phish-like link, it's pretty much game over.

FedEx has legacy systems, arcane government regulations, and a bunch of weird infrastructure. Their phish-like links are understandable, at least.

1Password using a phish-like link just so they can track my fucking click makes no sense at all.

@chockenberry how does having this separate domain help track email clicks? Why isn’t this something they could do with their main domain?