1Password bets $100,000 that security experts can't break into its systems

AgileBits, the developer behind 1Password, just upped the ante for bug hunters, putting up $100,000 for anyone who can break into a 1Password vault and obtain a plain text file full of “bad poetry.”

Previously, the “capture the flag” bug bounty was a mere $25,000, but in order to push security researchers to find vulnerabilities in the 1Password platform — and to demonstrate its effectiveness — AgileBits raised the bounty fourfold.

The bug bounty is up on BugCrowd, a platform for crowdsourcing bug hunts, where companies can easily reward security researchers for discovering security vulnerabilities in their products. It’s the biggest bounty currently on the platform, and AgileBits claims the bounty is a measure of how seriously it takes the security of 1Password users.

“We owe it to our customers to do everything in our power to keep them and their information secure. This means using the ingenuity of real people to help us continually improve the security of 1Password. It was important to us to demonstrate how seriously we take this contribution and have increased the prize to prove it,” said Jeff Shiner of AgileBits, speaking with Tom’s Hardware.

The bug bounty specifies a particular account which researchers will have to breach in order to access the bad poetry file. It’s a more focused attack than most users would ever be subjected to, but it’s a good way to stress test the 1Password platform’s overall security.

Password managers are getting more popular every day, and they’re a great way to add an extra layer of security to your digital life, but they’re only as secure as the password you use to access your password manager.

If you use your master password elsewhere, hackers could get into your password manager indirectly. Still, this bug bounty is an excellent way to test how well 1Password works as a platform, without having to compensate for user error.

Jayce Wagner
Former Digital Trends Contributor