Hackers stole this engineer's 1Password database. Could it happen to you?

Here’s the very definition of a nightmare scenario.
In February 2024, Matthew Van Andel downloaded a free AI tool on the computer in his home office. Five months later, the Southern California-based engineer learned that the app included an unwelcome extra component — an infostealing tool that gave outside attackers full access to his computer.
As Robert McMillan and Sarah Krouse reported in the Wall Street Journal, that malware was under the control of a stranger who claimed to be part of an anti-AI activist group that had targeted Van Andel’s employer, the Walt Disney Company.
The hacker gained access to 1Password, a password manager that Van Andel used to store passwords and other sensitive information, as well as “session cookies,” digital files stored on his computer that allowed him to access online resources including Disney’s Slack channel.
(If you don’t have a WSJ subscription, you can read a copy of the article with no paywall at MSN.)
Van Andel told the WSJ he reported the breach to Disney’s cybersecurity team immediately, filed a police report, and then spent several days changing all of his passwords. To retaliate, the hackers packaged up more than a terabyte of material from Disney’s internal Slack channels and published the entire cache — 44 million messages — online. According to Disney’s cybersecurity team, the dump included “private customer information, employee passport numbers, and theme park and streaming revenue numbers.”
The attackers also published every personal detail they had about the 42-year-old engineer, including credit card numbers, his medical history, and all of those 1Password logins.
Van Andel lost his job after Disney’s forensic examination reportedly showed that he had accessed pornographic material on his work laptop in violation of company policy. (Van Andel denies that accusation.)
The WSJ article discusses 1Password at length, pointing out that the victim was using the password manager to store 2-factor authentication keys for many sites, and that he hadn’t turned on 2-factor authentication for 1Password itself.
So, does that mean that his choice of password manager was partly to blame for the hell he’s now going through? And after reading this story, should you rethink your password management strategy?
In this case, it’s hard to assign any fault to the password manager. Bad guys had unrestricted access to his computer for five months! The keyboard logger was capable of stealing every set of credentials he used during that time, even if the usernames and passwords were typed in manually. Using their remote access, they could have simply exported an unencrypted copy of the 1Password database after it was unlocked.
The attackers were also stealing session cookies, which meant they could access accounts remotely as an authenticated user. That’s the most likely explanation for how the company’s Slack communications were compromised. And that would have been true even if the PC’s owner had used only phishing-resistant 2FA codes or prompts managed on a separate device.
The attackers never touched 1Password’s servers, and there’s no evidence that they were able to crack the encryption that protected that database. The same thing would have happened with any password manager program.
No, the real problem is that the victim had downloaded an untrusted piece of software and unknowingly installed malware that took over his PC. The damage might have been less serious if he had discovered that takeover within the first few days, but apparently nothing set off any alarms. And once the hackers discovered that they had reeled in a highly paid engineer for a Fortune 50 company, it was game over.
It’s worth noting that this compromise occurred on the victim’s personal device, where he had access to Disney Slack channels, but his work device was reportedly untouched by the infostealer. Most large corporations have security protocols that prevent users from installing random software on company machines. This episode is a good example of why those restrictions exist and why it’s never a good idea to install untrusted executables on your personal devices, either.
One aspect of this story did convince me to take a second look at my online security settings, especially for accounts that are protected by 2-factor authentication. I’m comfortable using my password manager to generate one-time passcodes as a second factor for many accounts, but not for high-value credentials like those that let me into my primary email provider, bank and credit card accounts, and authentication services like ID.me and login.gov. For those, I insist on using a separate authentication device or a passkey that’s tied to my PC’s biometrics.
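The tradeoff above, shown as an added example that is not part of the original article: a one-time passcode is a pure function of a stored seed and the clock (RFC 6238), so a vault that holds both the password and the seed holds both factors. The vault layout, item titles and categories below are constructed assumptions, not 1Password's export format, and the seed is the RFC 6238 test value.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

def totp(seed: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code depends only on the seed and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def seed_from_otpauth(uri: str) -> bytes:
    """Extract the Base32 seed from an otpauth:// URI as kept in a vault item."""
    secret = parse_qs(urlparse(uri).query)["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore any stripped Base32 padding
    return base64.b32decode(secret)

# Constructed sample data: a hypothetical vault listing, not a real export format.
HIGH_VALUE = {"email", "bank", "identity"}
VAULT = [
    {"title": "Primary email", "category": "email", "password": "constructed-pw-1",
     "otpauth": "otpauth://totp/Mail:user?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
    {"title": "Bank", "category": "bank", "password": "constructed-pw-2",
     "otpauth": None},  # second factor is held on a separate device
    {"title": "Forum", "category": "misc", "password": "constructed-pw-3",
     "otpauth": "otpauth://totp/Forum:user?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
]

def audit(vault):
    """Titles of high-value items whose password and TOTP seed share one vault."""
    return [item["title"] for item in vault
            if item["category"] in HIGH_VALUE and item["password"] and item["otpauth"]]

if __name__ == "__main__":
    for title in audit(VAULT):
        print(f"{title}: both factors are recoverable from the vault alone; "
              "move the second factor to a separate device or a passkey")
```
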
Every online security decision involves tradeoffs. Using a password manager makes it possible to easily create strong, unique passwords for every site that needs them and to sync those passwords securely across multiple devices. That would be impossible to do manually. That tradeoff seems worth it, and securing that password database with a strong password and its own 2-factor verification is essential.
And if your corporate IT department sometimes seems overly cautious, maybe they’re just trying to avoid a nightmare scenario of their own.