
1Password actions by a likely malicious caller

ID: 1password_malicious_caller
Data type: 1Password
Severity: Medium
MITRE ATT&CK: TA0001:T1078.004

Description

AlphaSOC detected suspicious activity involving 1Password actions performed by a potentially malicious caller, which may indicate that a threat actor is attempting to access or manipulate password vaults. Adversaries target password managers to gain access to multiple accounts and sensitive credentials stored within the vault, enabling lateral movement and broader compromise of organizational resources.

Impact

Unauthorized access to 1Password vaults could expose all stored credentials, API keys, and sensitive information across the organization. This may lead to account takeovers, data breaches, and unauthorized access to multiple systems and services that rely on the compromised credentials.

Severity

Severity   Condition
Medium     1Password actions by a likely malicious caller

Investigation and Remediation

Review 1Password audit logs to identify the specific actions performed, source IP addresses, and affected vaults or items. Verify whether the activity originated from authorized users and expected locations. If compromise is confirmed, immediately force password resets for all potentially exposed credentials, revoke active sessions, and conduct a comprehensive review of all systems that may have been accessed using compromised credentials from the password vault.
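The triage described above, as an added example that is not AlphaSOC's or 1Password's own code: it groups constructed audit events by caller, flags source IPs outside the expected corporate ranges and actions that give bulk or outbound access to secrets, and lists the vaults each caller touched so the scope of resets and session revocations is clear. The event schema, the IP ranges and the action names are simplified assumptions, not the exact 1Password Events API format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events in a simplified, assumed schema (not the exact
# 1Password Events API format): caller, action, object type, vault, source IP.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:02:11Z", "actor": "alice@example.com", "action": "reveal",
     "object": "item", "vault": "Engineering", "ip": "10.20.0.15"},
    {"ts": "2024-05-01T09:05:40Z", "actor": "alice@example.com", "action": "export",
     "object": "vault", "vault": "Engineering", "ip": "203.0.113.77"},
    {"ts": "2024-05-01T09:06:02Z", "actor": "svc-ci", "action": "reveal",
     "object": "item", "vault": "Production", "ip": "10.20.0.40"},
    {"ts": "2024-05-01T09:07:30Z", "actor": "svc-ci", "action": "share",
     "object": "item", "vault": "Production", "ip": "198.51.100.9"},
]

# Expected office / VPN egress ranges (assumed values for the example).
EXPECTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Action names (assumed) that give a caller bulk or outbound access to secrets.
HIGH_RISK_ACTIONS = {"export", "share", "grant", "join"}


def from_expected_location(ip: str) -> bool:
    """True if the source IP falls inside one of the expected egress ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETWORKS)


def triage(events):
    """Per-caller findings: unexpected source IPs, high-risk actions and the
    vaults touched, i.e. what an analyst needs to scope resets and revocations."""
    findings = defaultdict(lambda: {"unexpected_ips": set(), "risky_actions": [], "vaults": set()})
    for ev in events:
        f = findings[ev["actor"]]
        f["vaults"].add(ev["vault"])
        if not from_expected_location(ev["ip"]):
            f["unexpected_ips"].add(ev["ip"])
        if ev["action"] in HIGH_RISK_ACTIONS:
            f["risky_actions"].append((ev["ts"], ev["action"], ev["object"], ev["vault"]))
    # Keep only callers with something worth reviewing.
    return {a: f for a, f in findings.items() if f["unexpected_ips"] or f["risky_actions"]}


if __name__ == "__main__":
    for actor, f in triage(SAMPLE_EVENTS).items():
        print(actor, sorted(f["unexpected_ips"]), f["risky_actions"], sorted(f["vaults"]))
```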