Malwarebytes has flagged a new phishing campaign that weaponized user trust in 1Password’s breach notification system, adding that an employee nearly handed over their vault credentials to scammers.
The lure was an email notifying recipients that their master password had been found in a data breach, mimicking a familiar alert from the company’s “Watchtower” feature.
“Stealing someone’s 1Password login would be like hitting the jackpot for cybercriminals, because they potentially export all the saved logins the target stored in the password manager,” Malwarebytes’ Peter Arntz said in a blog post.
Incident analysis revealed the use of 1Password’s branding, phrasing, and urgency cues, including legitimate support links, leading to the “secure my account now” button that landed victims on a credential-stealing page on a typosquatted domain.
A flawed yet convincing fake
The fake email came from “watchtower@eightninety[.]com,” an address that at first glance looked authentic. The embedded link even used Mandrillapp, a Mailchimp service often seen in genuine corporate emails, before redirecting users to “onepassword[.]com”, a deceptive look-alike domain.
Adding a layer of realism, the “Contact us” link routed to the real 1Password support page via the same Mandrill redirect. The fake email shared by Malwarebytes displayed generic alert messages like “Your 1Password account password has been compromised” and “Take action immediately”.
“Although 1Password’s Watchtower feature can send alerts about compromised passwords, it does so by checking its database of known data breaches and then notifying you directly within the 1Password app or through very specific emails about the breach — not by sending a generic message like this,” Arntz warned.
However, the ruse didn’t last long. By October 2, the malicious domain had been tagged as phishing by multiple vendors, and Mandrill began blocking redirection to it. Clicking the button by October 3 resulted in only a “bad URL” error, instead of a credential prompt.
While the effort may have saved hundreds of thousands of potential victims, it is unclear how many had already fallen for the trick by then, as a similar (likely the same) campaign was previously reported by Hoax-Slayer.
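The sender address and redirect chain described above translate into a simple mail-triage check. The following is an added example, not code from Malwarebytes or 1Password: the sample message, the allowlist, the `mandrillapp.com` hostname, the tracking paths and the `resolved` mapping are all constructed assumptions, and the domains stay defanged as in the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

BRAND_DOMAINS = {"1password.com"}      # assumption: domains accepted as genuine
LINK_WRAPPERS = {"mandrillapp.com"}    # assumption: hostname of the redirect service
BRAND_RE = re.compile(r"1password|watchtower", re.I)
WRAP = "https://mandrillapp.com/track/click/"  # constructed path, not a real link

# Constructed sample modelled on the lure described above (domains kept defanged).
SAMPLE = f"""\
From: 1Password Watchtower <watchtower@eightninety[.]com>
Subject: Your 1Password account password has been compromised
Content-Type: text/html

<a href="{WRAP}CONSTRUCTED-1">Secure my account now</a>
<a href="{WRAP}CONSTRUCTED-2">Contact us</a>
"""

def refang(text):
    return text.replace("[.]", ".")

def defang(host):
    return host.replace(".", "[.]")

def under(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw, resolved=None):
    """List findings; `resolved` maps wrapped URL -> destination found in a sandbox."""
    msg = message_from_string(raw)
    display, addr = parseaddr(refang(msg.get("From", "")))
    sender = addr.rpartition("@")[2]
    if not BRAND_RE.search(f"{display} {msg.get('Subject', '')}"):
        return []                      # message does not claim to be the brand
    findings = []
    if not under(sender, BRAND_DOMAINS):
        findings.append("sender-mismatch:" + defang(sender))
    for url in re.findall(r'href="([^"]+)"', refang(msg.get_payload())):
        host = urlsplit(refang((resolved or {}).get(url, url))).hostname or ""
        if under(host, LINK_WRAPPERS):  # destination hidden behind the wrapper
            findings.append("wrapped-link-unresolved:" + defang(host))
        elif not under(host, BRAND_DOMAINS):
            findings.append("offbrand-link:" + defang(host))
    return findings
```

Once the wrapped links are resolved, the genuine support link produces no finding while the sender mismatch and the look-alike destination remain, so one legitimate link in a message does not clear it.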
Vault keys at stake
Those who clicked on the phishing link earlier had too much to lose. The cloned landing page reportedly asked users for their 1Password login details, potentially giving attackers access to entire password vaults. With that single breach, everything from social accounts to banking credentials could be compromised.
Malwarebytes urged users to remain skeptical of unsolicited alerts, especially those demanding immediate password resets. When faced with such alerts, the safest move is to open the 1Password app directly or navigate to 1Password.com to check account status, it added.
The 1Password lure is part of a larger wave of smarter, cleaner phishing operations. Similar campaigns have recently abused link-wrapping by URL security services to hide malicious redirects and disguise payloads behind fake CAPTCHAs that tricked users into pasting commands on their systems.