Latest news with #1Password
Tom's Guide
a day ago
- Tom's Guide
Worried about the 16 billion data breach? I've been hacked, and this is everything I did to fix it
I have a confession to make: I used to reuse passwords. It's the number one security sin, but this was over a decade ago and I didn't know about the best password managers yet. This was a huge mistake. And with news that researchers just uncovered a database of 16 billion records, including passwords and other sensitive data, this could be a problem for you, too. Details are scarce — we don't know where the data came from or who is behind it — but the most important thing is try and look past the feelings of anxiety, and take practical steps to improve your security, and I should know; I've been hacked before. In 2013, Adobe was hacked and the attackers got a list of 153 million usernames and passwords. These passwords weren't encrypted which allowed people to read them — they were stored in plaintext — so once the list was out, attackers had all they needed to target unfortunate Adobe users like me. It was a stressful time and given that your email account houses some of your most sensitive information, once they had access to that account, they could reset your passwords to lock you out of other websites and services too. But I kicked them out and learned pretty quickly how to protect myself from then on. More than a decade later, there are still attackers trying to get into my account, but there's an important difference — they can't now. So, I now feels like the perfect moment to share how I learnt from my mistakes and how you can easily improve your security to stop the same thing happening to you. Okay, you've probably already guessed this one from earlier in the story, but one of the major issues I had when the Adobe hack happened was I was using the same password on multiple sites. So it was pretty easy for the attackers to use credential stuffing and break into my other accounts too. Like others, the reason I did this is because there are a lot of passwords to remember! I obviously didn't want to get locked out of an account, and password reset forms aren't always that reliable, so I decided that the best course of action was a simple, easy to remember password I could use on all sites. I thought it was secure as it has numbers, capital numbers and symbols. It wasn't quite as risky as using 'password' or 'passw0rd,' but it wasn't far off. The best way to avoid this issue is to use a password manager like 1Password or Proton Pass (my preferred option). These store all your credentials in one place securely and can generate long, complex passwords for you to use, but never need to remember. Most have apps for your browser, computer and smartphone too, so you always have access to your passwords. One of the reasons attackers can get into some accounts so easily is that once they have your username and password, they can just sign in as if they're you. But what if you had a unique token to show that you are really you, and without it, someone can't access your account? That's the idea behind two-factor authentication (2FA). If you haven't used this on your personal accounts, you may have done at work. It comes in various forms, but the most common are six-digit codes generated by an app or sent to your phone by SMS. Requiring one of these codes along with your login details shows that not only do you know the username and password, but you have a known physical item with you that helps to verify it's really you trying to log in. This is one of the most effective ways to cut attackers off from your accounts, even if your passwords gets leaked. After I set this up for my Microsoft account (using the free Authy app on my smartphone), hackers kept trying to get into my account, but they never can. It's an easy way to shore up your defences. I only know this, though, because Microsoft has a really useful Account Activity page which shows when and where sign in attempts come from and whether they were successful. If you want even more security for your online accounts, you may also want to consider using a physical security key instead. There's not really a lot to say on this one: if you don't use an account anymore, delete it. It's good to have a cleanup from time to time, and getting rid of old or dormant accounts means less clutter and fewer opportunities for your data to go awry. Not every site gives you an easy 'Delete account' button, but if you head to the company's privacy policy (usually linked in the footer at the bottom of a website), you can find a privacy contact and send an email to request they delete your data. Plus, in the years since I was hacked, authorities around the world have strengthened privacy regulations, so in many places, there's now a legal obligation for the business to comply with your request. This is why you can do things like delete your Google account so easily these days. Yes, Have I Been Pwned is a strange name for a security website (pwn is hacker slag for gaining unauthorized access), but it is easy one of the best free security resources for protecting your accounts. Troy Hunt, the man behind the site, collates data from hacks and can send you alerts when your account is involved. This is how I would later find out my details were leaked in the MyFitnessPal, NetGalley, LinkedIn and breaches, alongside many, many more — usually random sites I had no memory of even signing up to (and had probably stored my details for at least a decade without my realizing). It's easy to use and gives you a very early heads up when you need to change passwords on a hacked account. Hacked data can be messy and difficult to verify, so if you want to check if a specific password has been compromised, there's a searchable Pwned Passwords database too. As things stand right now, Have I Been Pwned hasn't loaded this database into its system (the researchers said the data was only exposed briefly, so it's not publicly accessible, and HIBP does thorough verification checks before adding any breach). By the time hackers were knocking at my virtual door, I'd used my Hotmail email account for almost 15 years. It had built up a long history, and now it was a target, I decided it was time for a fresh start. That's when I switched from Outlook to Gmail, and more recently, to Proton Mail (which we rate as the best email service for security). It was a lot of work — I won't lie to you about that. Going through every account that I had, changing the email address, creating a new password, and setting up 2FA was a big time suck. But it was worth it. My current address has only been involved in one leak (thanks, Twitter), and so there's less of my data floating around. Plus, starting from scratch meant that I could make more deliberate security choices. I became more mindful which services I chose to sign up to, where I put my details and how I protected the account. I rarely use my actual phone number unless I have to, and I make sure I opt out of marketing lists. These aren't fool-proof techniques that'll keep your account secure forever; your data is at the mercy of whichever company controls the account. But it does mean I've had fewer security issues, I don't need to worry that someone will get into my account (as they can't) and I barely get any spam emails now too.
Tom's Guide
4 days ago
- Tom's Guide
I was hacked 12 years ago and the attackers are still trying to get in — here's how I stopped them
I have a confession to make: I used to reuse passwords. It's the number one security sin, but it was the early 2010s, I'd just left college and I couldn't use one of the best password managers as I didn't know about them yet and they were just starting to become popular. In truth, I didn't pay much attention to securing my digital life. This was a huge mistake. In 2013, Adobe was hacked and the attackers got a list of 153 million usernames and passwords. These passwords weren't encrypted so people could read them — they were stored in plaintext — so once the list was out, attackers had all they needed to target unfortunate Adobe users like myself. That's when I discovered what a credential stuffing attack is. It's a lot simpler than the name suggests; the attackers take a stolen username and password and try it on as many sites as they can. Think of it like trying all the keys on a keyring on a locked door. That's how they got into my Microsoft account since I was, unfortunately, using the same password there too. It was a stressful time and given that your email account houses some of your most sensitive information, once they had access to that account, they could reset your passwords to lock you out of other websites and services too. But I kicked them out and learnt pretty quickly how to protect myself from then on. More than a decade later, there are still attackers trying to get into my account, but there's an important difference — they can't now. So, I decided to share how I learnt from my mistakes and how you can easily improve your security to stop the same thing happening to you. Okay, you've probably already guessed this one from earlier in the story, but one of the major issues I had when the Adobe hack happened was I was using the same password on multiple sites. So it was pretty easy for the attackers to use credential stuffing and break into my other accounts too. Like others, the reason I did this is because there are a lot of passwords to remember! I obviously didn't want to get locked out of an account, and password reset forms aren't always that reliable, so I decided that the best course of action was a simple, easy to remember password I could use on all sites. I thought it was secure as it has numbers, capital numbers and symbols. It wasn't quite as risky as using 'password' or 'passw0rd,' but it wasn't far off. The best way to avoid this issue is to use a password manager like 1Password or Proton Pass (my preferred option). These store all your credentials in one place securely and can generate long, complex passwords for you to use, but never need to remember. Most have apps for your browser, computer and smartphone too, so you always have access to your passwords. One of the reasons attackers can get into some accounts so easily is that once they have your username and password, they can just sign in as if they're you. But what if you had a unique token to show that you are really you, and without it, someone can't access your account? That's the idea behind two-factor authentication (2FA). If you haven't used this on your personal accounts, you may have done at work. It comes in various forms, but the most common are six-digit codes generated by an app or sent to your phone by SMS. Requiring one of these codes along with your login details shows that not only do you know the username and password, but you have a known physical item with you that helps to verify it's really you trying to log in. This is one of the most effective ways to cut attackers off from your accounts, even if your passwords gets leaked. After I set this up for my Microsoft account (using the free Authy app on my smartphone), hackers kept trying to get into my account, but they never can. It's an easy way to shore up your defences. I only know this, though, because Microsoft has a really useful Account Activity page which shows when and where sign in attempts come from and whether they were successful. If you want even more security for your online accounts, you may also want to consider using a physical security key instead. There's not really a lot to say on this one: if you don't use an account anymore, delete it. It's good to have a cleanup from time to time, and getting rid of old or dormant accounts means less clutter and fewer opportunities for your data to go awry. Not every site gives you an easy 'Delete account' button, but if you head to the company's privacy policy (usually linked in the footer at the bottom of a website), you can find a privacy contact and send an email to request they delete your data. Plus, in the years since I was hacked, authorities around the world have strengthened privacy regulations, so in many places, there's now a legal obligation for the business to comply with your request. This is why you can do things like delete your Google account so easily these days. Yes, Have I Been Pwned is a strange name for a security website (pwn is hacker slag for gaining unauthorized access), but it is easy one of the best free security resources for protecting your accounts. Troy Hunt, the man behind the site, collates data from hacks and can send you alerts when your account is involved. This is how I would later find out my details were leaked in the MyFitnessPal, NetGalley, LinkedIn and breaches, alongside many, many more — usually random sites I had no memory of even signing up to (and had probably stored my details for at least a decade without my realizing). It's easy to use and gives you a very early heads up when you need to change passwords on a hacked account. Hacked data can be messy and difficult to verify, so if you want to check if a specific password has been compromised, there's a searchable Pwned Passwords database too. By the time hackers were knocking at my virtual door, I'd used my Hotmail email account for almost 15 years. It had built up a long history, and now it was a target, I decided it was time for a fresh start. That's when I switched from Outlook to Gmail, and more recently, to Proton Mail (which we rate as the best email service for security). It was a lot of work — I won't lie to you about that. Going through every account that I had, changing the email address, creating a new password, and setting up 2FA was a big time suck. But it was worth it. My current address has only been involved in one leak (thanks, Twitter), and so there's less of my data floating around. Plus, starting from scratch meant that I could make more deliberate security choices. I became more mindful which services I chose to sign up to, where I put my details and how I protected the account. I rarely use my actual phone number unless I have to, and I make sure I opt out of marketing lists. These aren't fool-proof techniques that'll keep your account secure forever; your data is at the mercy of whichever company controls the account. But it does mean I've had fewer security issues, I don't need to worry that someone will get into my account (as they can't) and I barely get any spam emails now too.
Business Wire
5 days ago
- Business
- Business Wire
1Password Signs Strategic Collaboration Agreement with AWS to Accelerate Adoption of Extended Access Management Across Cloud-Native, AI-Powered Enterprises
TORONTO--(BUSINESS WIRE)-- 1Password, the pioneer of Extended Access Management (XAM), announced today that it has signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS) to help modern enterprises close the Access-Trust Gap and accelerate secure cloud adoption. This agreement underscores a long-term commitment to co-innovation and global growth, enabling 1Password and AWS to meet surging enterprise demand for scalable, secure, and simplified access management in increasingly complex hybrid and AI-driven environments. 'Building on strong momentum, our expanded collaboration with AWS accelerates our vision of helping modern enterprises close the Access-Trust Gap in the age of AI,' said David Faugno, Co-CEO of 1Password. 'As AI agents reshape how work gets done and new trust challenges emerge across every layer of the cloud, 1Password delivers the security platform organizations need to stay safe and grow with confidence. By collaborating closely with AWS, we're bringing scalable access management solutions to even more customers, putting trust, speed, and productivity at the center of enterprise transformation and innovation.' 1Password and AWS Close the Access-Trust Gap for Modern Enterprises Modern organizations are navigating a growing Access-Trust Gap as employees increasingly rely on unsanctioned apps, AI agents, and untrusted devices to handle sensitive company data. 1Password Extended Access Management closes this gap by securing every sign-in, to every app, from every device. Continued traction in sales via AWS Marketplace has led to contracts averaging four times the size and win rates exceeding 50%, broadening global reach as 1Password now secures one-third of Fortune 100 companies. The new SCA builds on this foundation, fueling global expansion and accelerating innovation in agentic AI via co-developed solutions. It also deepens engagement with AWS leadership, expands participation in co-sell initiatives and partner programs, and drives strategic investments aimed at unlocking new markets, customer segments, and industry verticals. '1Password delivers exceptional value to customers who rely on secure AWS cloud computing environments for their most sensitive workloads," said Chris Sullivan, Vice President, Americas Channels & Alliances at AWS. "This expanded collaboration enhances our joint ability to provide enterprises with robust access management solutions built specifically for AWS, allowing organizations to secure their cloud environments while maintaining the agility needed in today's AI-driven landscape.' Simplifying Secrets Management for Cloud-Native Development A new secrets syncing integration with AWS Secrets Manager simplifies how developer, security, and IT teams manage secrets in cloud-native workflows. This integration is part of the 1Password Extended Access Management platform, giving AWS customers a seamless way to embed secure, policy-driven secrets management into every stage of their development lifecycle: Simplified secrets management at scale: Reduce risk and complexity by consolidating secrets management and enforcing secure, role-based access to application secrets. Developer velocity with built-in security: Eliminate plaintext secrets and enforce policy-driven governance by seamlessly embedding secure access into CLI, CI/CD, and AI workflows, without slowing teams down. Granular access control that reinforces compliance and trust: Enable least-privilege access for human and AI identities with fine-grained policies that protect credentials, ensure compliance, and maintain operational integrity. 'As a fast-moving agency, flexibility is everything—but not at the expense of security,' said Ivan Blagdan, Chief Technology Officer at Convertiv. '1Password Extended Access Management gives us real-time assurance that every device accessing sensitive data—whether personal or company-issued—meets our standards around trust. It strikes the right balance between productivity and protection, so we can move fast and stay focused on delivering results for our clients.' Securing the Next Generation of Autonomous Workflows As organizations embrace agentic AI to drive innovation, securing these autonomous systems demands a modern, identity-first approach. 1Password Extended Access Management provides the identity security layer to manage AI agents with the same rigor as human identities but without sacrificing developer velocity or operational scale. 1Password empowers customers to build and scale AI agents securely by eliminating hardcoded secrets, enforcing least-privilege access, and delivering visibility into agent activity. '1Password has been essential in helping us scale AI development securely,' said Stephan Brostrøm, CTO of 'It strikes the right balance between speed and protection—giving us a trusted way to manage credentials and access without compromising developer efficiency.' To learn more about 1Password Extended Access Management and the new secrets syncing integration with AWS Secrets Manager, visit our website and our blog. About 1Password Trusted by over 165,000 businesses and millions of consumers, 1Password pioneered Extended Access Management, a new cybersecurity category built for the way people and AI agents work today. Our mission is to unleash productivity without compromising security. The 1Password Extended Access Management platform secures every sign-in, to every app, from every device, including the managed and unmanaged ones that legacy IAM, IGA, and MDM tools can't reach. Leading companies such as Asana, Associated Press, Aldo Group, Canva, IBM, MongoDB, MediaComm Communications, Octopus Energy, Slack, Salesforce, Stripe, Under Armour, and Wish rely on 1Password to close the Access-Trust Gap: the security risks posed by unfederated identities, unmanaged apps, devices, and AI agents accessing sensitive company data without proper governance controls. Learn more at
National Post
5 days ago
- Business
- National Post
1Password Signs Strategic Collaboration Agreement with AWS to Accelerate Adoption of Extended Access Management Across Cloud-Native, AI-Powered Enterprises
Article content With AWS Marketplace demand and global reach accelerating, 1Password deepens its collaboration with AWS to meet rising enterprise demand for secure access across cloud and AI-driven environments. New integration with AWS simplifies secrets management to secure sprawl, boost productivity, and reinforce cloud security. Article content TORONTO — 1Password, the pioneer of Extended Access Management (XAM), announced today that it has signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS) to help modern enterprises close the Access-Trust Gap and accelerate secure cloud adoption. This agreement underscores a long-term commitment to co-innovation and global growth, enabling 1Password and AWS to meet surging enterprise demand for scalable, secure, and simplified access management in increasingly complex hybrid and AI-driven environments. Article content 'Building on strong momentum, our expanded collaboration with AWS accelerates our vision of helping modern enterprises close the Access-Trust Gap in the age of AI,' said David Faugno, Co-CEO of 1Password. 'As AI agents reshape how work gets done and new trust challenges emerge across every layer of the cloud, 1Password delivers the security platform organizations need to stay safe and grow with confidence. By collaborating closely with AWS, we're bringing scalable access management solutions to even more customers, putting trust, speed, and productivity at the center of enterprise transformation and innovation.' Article content 1Password and AWS Close the Access-Trust Gap for Modern Enterprises Article content Modern organizations are navigating a growing Access-Trust Gap as employees increasingly rely on unsanctioned apps, AI agents, and untrusted devices to handle sensitive company data. 1Password Extended Access Management closes this gap by securing every sign-in, to every app, from every device. Continued traction in sales via AWS Marketplace has led to contracts averaging four times the size and win rates exceeding 50%, broadening global reach as 1Password now secures one-third of Fortune 100 companies. The new SCA builds on this foundation, fueling global expansion and accelerating innovation in agentic AI via co-developed solutions. It also deepens engagement with AWS leadership, expands participation in co-sell initiatives and partner programs, and drives strategic investments aimed at unlocking new markets, customer segments, and industry verticals. Article content '1Password delivers exceptional value to customers who rely on secure AWS cloud computing environments for their most sensitive workloads,' said Chris Sullivan, Vice President, Americas Channels & Alliances at AWS. 'This expanded collaboration enhances our joint ability to provide enterprises with robust access management solutions built specifically for AWS, allowing organizations to secure their cloud environments while maintaining the agility needed in today's AI-driven landscape.' Article content Simplifying Secrets Management for Cloud-Native Development Article content A new secrets syncing integration with AWS Secrets Manager simplifies how developer, security, and IT teams manage secrets in cloud-native workflows. This integration is part of the 1Password Extended Access Management platform, giving AWS customers a seamless way to embed secure, policy-driven secrets management into every stage of their development lifecycle: Article content Simplified secrets management at scale: Reduce risk and complexity by consolidating secrets management and enforcing secure, role-based access to application secrets. Developer velocity with built-in security: Eliminate plaintext secrets and enforce policy-driven governance by seamlessly embedding secure access into CLI, CI/CD, and AI workflows, without slowing teams down. Granular access control that reinforces compliance and trust: Enable least-privilege access for human and AI identities with fine-grained policies that protect credentials, ensure compliance, and maintain operational integrity. Article content 'As a fast-moving agency, flexibility is everything—but not at the expense of security,' said Ivan Blagdan, Chief Technology Officer at Convertiv. '1Password Extended Access Management gives us real-time assurance that every device accessing sensitive data—whether personal or company-issued—meets our standards around trust. It strikes the right balance between productivity and protection, so we can move fast and stay focused on delivering results for our clients.' Article content Securing the Next Generation of Autonomous Workflows Article content As organizations embrace agentic AI to drive innovation, securing these autonomous systems demands a modern, identity-first approach. 1Password Extended Access Management provides the identity security layer to manage AI agents with the same rigor as human identities but without sacrificing developer velocity or operational scale. 1Password empowers customers to build and scale AI agents securely by eliminating hardcoded secrets, enforcing least-privilege access, and delivering visibility into agent activity. Article content '1Password has been essential in helping us scale AI development securely,' said Stephan Brostrøm, CTO of 'It strikes the right balance between speed and protection—giving us a trusted way to manage credentials and access without compromising developer efficiency.' Article content To learn more about 1Password Extended Access Management and the new secrets syncing integration with AWS Secrets Manager, visit our website and our blog. Article content About 1Password Article content Trusted by over 165,000 businesses and millions of consumers, 1Password pioneered Extended Access Management, a new cybersecurity category built for the way people and AI agents work today. Our mission is to unleash productivity without compromising security. The 1Password Extended Access Management platform secures every sign-in, to every app, from every device, including the managed and unmanaged ones that legacy IAM, IGA, and MDM tools can't reach. Leading companies such as Asana, Associated Press, Aldo Group, Canva, IBM, MongoDB, MediaComm Communications, Octopus Energy, Slack, Salesforce, Stripe, Under Armour, and Wish rely on 1Password to close the Access-Trust Gap: the security risks posed by unfederated identities, unmanaged apps, devices, and AI agents accessing sensitive company data without proper governance controls. Learn more at Article content Article content Article content Article content Article content
Yahoo
11-06-2025
- Business
- Yahoo
Everyone's using AI at work. Here's how companies can keep data safe
Companies across industries are encouraging their employees to use AI tools at work. Their workers, meanwhile, are often all too eager to make the most of generative AI chatbots like ChatGPT. So far, everyone is on the same page, right? There's just one hitch: How do companies protect sensitive company data from being hoovered up by the same tools that are supposed to boost productivity and ROI? After all, it's all too tempting to upload financial information, client data, proprietary code, or internal documents into your favorite chatbot or AI coding tool, in order to get the quick results you want (or that your boss or colleague might be demanding). In fact, a new study from data security company Varonis found that shadow AI—unsanctioned generative AI applications—poses a significant threat to data security, with tools that can bypass corporate governance and IT oversight, leading to potential data leaks. The study found that nearly all companies have employees using unsanctioned apps, and nearly half have employees using AI applications considered high-risk. For information security leaders, one of the key challenges is educating workers about what the risks are and what the company requires. They must ensure that employees understand the types of data the organization handles—ranging from corporate data like internal documents, strategic plans, and financial records, to customer data such as names, email addresses, payment details, and usage patterns. It's also critical to communicate how each type of data is classified—for example, whether it is public, internal-only, confidential, or highly restricted. Once this foundation is in place, clear policies and access boundaries must be established to protect that data accordingly. 'What we have is not a technology problem, but a user challenge,' said James Robinson, chief information security officer at data security company Netskope. The goal, he explained, is to ensure that employees use generative AI tools safely—without discouraging them from adopting approved technologies. 'We need to understand what the business is trying to achieve,' he added. Rather than simply telling employees they're doing something wrong, security teams should work to understand how people are using the tools, to make sure the policies are the right fit—or whether they need to be adjusted to allow employees to share information appropriately. Jacob DePriest, chief information security officer at password protection provider 1Password, agreed, saying that his company is trying to strike a balance with its policies—to both encourage AI usage and also educate so that the right guardrails are in place. Sometimes that means making adjustments. For example, the company released a policy on the acceptable use of AI last year, part of the company's annual security training. 'Generally, it's this theme of 'Please use AI responsibly; please focus on approved tools; and here are some unacceptable areas of usage.'' But the way it was written caused many employees to be overly cautious, he said. 'It's a good problem to have, but CISOs can't just focus exclusively on security,' he said. 'We have to understand business goals and then help the company achieve both business goals and security outcomes as well. I think AI technology in the last decade has highlighted the need for that balance. And so we've really tried to approach this hand in hand between security and enabling productivity.' But companies who think banning certain tools is a solution, should think again. Brooke Johnson, SVP of HR and security at Ivanti, said her company found that among people who use generative AI at work, nearly a third keep their AI use completely hidden from management. 'They're sharing company data with systems nobody vetted, running requests through platforms with unclear data policies, and potentially exposing sensitive information,' she said in a message. The instinct to ban certain tools is understandable but misguided, she said. 'You don't want employees to get better at hiding AI use; you want them to be transparent so it can be monitored and regulated,' she explained. That means accepting the reality that AI use is happening regardless of policy, and conducting a proper assessment of which AI platforms meet your security standards. 'Educate teams about specific risks without vague warnings,' she said. Help them understand why certain guardrails exist, she suggested, while emphasizing that it is not punitive. 'It's about ensuring they can do their jobs efficiently, effectively, and safely.' Think securing data in the age of AI is complicated now? AI agents will up the ante, said DePriest. 'To operate effectively, these agents need access to credentials, tokens, and identities, and they can act on behalf of an individual—maybe they have their own identity,' he said. 'For instance, we don't want to facilitate a situation where an employee might cede decision-making authority over to an AI agent, where it could impact a human.' Organizations want tools to help facilitate faster learning and synthesize data more quickly, but ultimately, humans need to be able to make the critical decisions, he explained. Whether it is the AI agents of the future or the generative AI tools of today, striking the right balance between enabling productivity gains and doing so in a secure, responsible way may be tricky. But experts say every company is facing the same challenge—and meeting it is going to be the best way to ride the AI wave. The risks are real, but with the right mix of education, transparency, and oversight, companies can harness AI's power—without handing over the keys to their kingdom. This story was originally featured on
