1Password explains scary Secret Key and password change alerts

1Password says a recent incident that caused customers to receive notifications about changed passwords was the result of service disruption and not a security breach.

The company first revealed in an incident report five days ago that the notifications were erroneous and linked to routine database maintenance scheduled on Thursday, April 27th.

Today, 1Password chief technology officer (CTO) Pedro Canahuati provided more details and said the customers' information was unaffected.

"On April 27th, between 9:03 PM and 9:26 PM ET, 1Password experienced a brief service outage. This was not a security incident, and customer data was not affected in any way," said Canahuati.

"The client applications displayed an incorrect message stating: Your Secret Key or password was recently changed. Enter your new account details to continue."

However, as Canahuati explained, this didn't happen. The erroneous alerts were triggered by 1Password's U.S. servers responding to a spike of sync requests following the migration of backend databases with sign-in rejections.

The client applications interpreted the error code sent from the servers incorrectly and displayed the incorrect password change alerts on customers' devices in the United States region.

However, these alerts did not go unnoticed, with 1Passwords users worried that their accounts were hacked or that the company suffered a security incident.

​The traffic in 1Password's U.S. environment reverted to normal by 9:26 PM ET on April 27th, with no additional failed sign-in attempts detected.

By April 28th, no additional erroneous messages showed up while monitoring the service health, and the fixes were confirmed to be working as expected.

While the company didn't mention it, this wasn't the first time such errors have shown up on users' devices, with some reports going back as far as December 2022, even though they never changed their Secret Key or passwords.

At the time, 1Password team members directed affected customers to contact the company's support team to provide more details so the issue could be further investigated.

Since no other updates from 1Password were added, the previous instances of such notifications showing up were likely linked to minor incidents affecting a much smaller number of customers. 

1Password sign-in error (kirsch)

​Canahuati added today that 1Password would use the data collected during last week's incident to understand the root cause and improve database migration processes and error handling.

"We take the integrity of your data and the stability of our systems very seriously and will continue to work hard every day to earn the trust you've placed in us," said Canahuati.