Unexpected 1Password item usage action observed

ID: 1password_unexpected_action
Data type: 1Password
Severity: Low
MITRE ATT&CK: TA0006:T15555

Description

AlphaSOC detected unexpected 1Password item usage activity. This detection identifies actions that deviate from a user's established behavior patterns, potentially including accessing, modifying, deleting, or exporting vault items.

Impact

Unauthorized access to 1Password vault items could expose credentials, API keys, or other sensitive information stored within the password manager. This may lead to broader compromise of organizational systems and services, unauthorized access to multiple accounts, and potential data breaches or lateral movement within the organization's infrastructure.

Severity

| Severity | Condition |
| --- | --- |
| Low | Unexpected 1Password item usage action observed |

Investigation and Remediation

Review 1Password activity logs to identify the specific actions performed. Verify whether the actions were authorized. If unauthorized, immediately rotate all potentially compromised credentials, review and revoke any suspicious sessions, and conduct a comprehensive audit of all systems where the exposed credentials may have been used.
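
One way to carry out the log review step, as an added example (not AlphaSOC's detection logic or code from this page): it compares each user's recent item usage actions with the actions seen earlier for that user and lists the items touched by new actions as rotation candidates. The records use field names from 1Password Events API item usage events; the sample events, the cutoff time and the function names are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records; field names follow 1Password Events API
# item usage events (timestamp, action, vault_uuid, item_uuid, user).
SAMPLE_EVENTS = json.loads("""[
 {"timestamp": "2024-05-01T09:00:00Z", "action": "fill", "vault_uuid": "vault-a", "item_uuid": "item-1", "user": {"email": "dana@example.com"}},
 {"timestamp": "2024-05-03T14:20:00Z", "action": "reveal", "vault_uuid": "vault-a", "item_uuid": "item-1", "user": {"email": "dana@example.com"}},
 {"timestamp": "2024-05-04T08:05:00Z", "action": "fill", "vault_uuid": "vault-b", "item_uuid": "item-7", "user": {"email": "eli@example.com"}},
 {"timestamp": "2024-05-10T02:11:00Z", "action": "fill", "vault_uuid": "vault-a", "item_uuid": "item-1", "user": {"email": "dana@example.com"}},
 {"timestamp": "2024-05-10T02:12:00Z", "action": "export", "vault_uuid": "vault-a", "item_uuid": "item-2", "user": {"email": "dana@example.com"}},
 {"timestamp": "2024-05-10T02:12:30Z", "action": "export", "vault_uuid": "vault-a", "item_uuid": "item-3", "user": {"email": "dana@example.com"}},
 {"timestamp": "2024-05-10T09:00:00Z", "action": "fill", "vault_uuid": "vault-b", "item_uuid": "item-7", "user": {"email": "eli@example.com"}},
 {"timestamp": "2024-05-10T09:30:00Z", "action": "reveal", "vault_uuid": "vault-c", "item_uuid": "item-9", "user": {"email": "sam@example.com"}}
]""")

def parse_ts(value):
    # Events carry RFC 3339 timestamps; normalise the trailing "Z" for fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def unexpected_usage(events, cutoff):
    """Return events at or after cutoff whose action the user never performed before it."""
    cutoff_ts = parse_ts(cutoff)
    baseline, recent = defaultdict(set), []
    for ev in events:
        if parse_ts(ev["timestamp"]) < cutoff_ts:
            baseline[ev["user"]["email"]].add(ev["action"])
        else:
            recent.append(ev)
    # A user with no earlier events has an empty baseline, so every action is flagged.
    return [ev for ev in recent if ev["action"] not in baseline[ev["user"]["email"]]]

def rotation_candidates(flagged):
    """Group flagged events into {user: sorted [(vault_uuid, item_uuid)]} for review."""
    out = defaultdict(set)
    for ev in flagged:
        out[ev["user"]["email"]].add((ev["vault_uuid"], ev["item_uuid"]))
    return {user: sorted(items) for user, items in out.items()}

if __name__ == "__main__":
    flagged = unexpected_usage(SAMPLE_EVENTS, "2024-05-10T00:00:00Z")
    for user, items in rotation_candidates(flagged).items():
        print(user, items)
```

Items listed for a user are the ones to check against authorized work before deciding which credentials to rotate.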