Email phishing attack targeting 1Password users seems to be underway

A suspected email phishing campaign targeting users of the popular password manager 1Password has raised alarms across the cybersecurity community. Reports from social media platforms, including Reddit and X, suggest that attackers are sending fraudulent emails to 1Password users, urging them to reset their passwords under the guise of a security breach. The emails, which appear to exploit a possible email leak from 1Password, have already resulted in at least one alleged case of financial loss, with a user reporting being scammed out of their cryptocurrency.

The phishing email, as seen in screenshots shared by affected users, is designed to mimic official 1Password communication. The email, sent from a suspicious address (support@somabreath.com), claims to be from 1Password and bears the subject line “ACTION REQUIRED: Reset your password.” It informs the recipient that 1Password’s “advanced AI monitoring system” has flagged their account password as compromised due to a “recent breach.” The email urges users to reset their password within 24 hours to avoid having their account temporarily locked, directing them to click a “Secure Account” button to proceed.

The email’s design is polished, featuring 1Password branding and a professional tone, which could easily deceive users into believing it is legitimate. It even includes a “Standard encryption (TLS)” label and a “Learn more” link to add an air of authenticity. However, several red flags indicate its fraudulent nature. The sender’s email domain, somabreath.com, is unrelated to 1Password’s official domain (1password.com), and the urgency of the 24-hour deadline is a common tactic used in phishing attacks to pressure users into acting without verifying the email’s legitimacy.

The phishing campaign first came to light through user reports on Reddit and X in early March 2025. A Reddit user posted on the r/1Password subreddit, stating, “Just got a phishing email, definitely not from 1Password,” while another speculated that 1Password may have suffered a data breach that exposed user email addresses. On X, user @rhoml shared a warning about the phishing emails, noting their suspicious nature, while @A9Trade echoed similar concerns, highlighting the potential scale of the attack.

Perhaps the most alarming report came from a Reddit user who admitted to falling victim to the scam. “I got scammed out of all my crypto by this .. stupid I was but was on the go in a city.. I’ll live and learn,” the user wrote, underscoring the real-world consequences of the phishing campaign. The user’s loss of cryptocurrency suggests that the attackers may be directing victims to a fake 1Password login page, where they harvest credentials to access sensitive accounts, including cryptocurrency wallets.

As per some screenshots shared on Reddit, the attackers did a pretty decent job replicating the 1Password webpage, as seen below.

While 1Password has not officially confirmed a data breach, speculation is rife that the company may have inadvertently leaked user email addresses, providing attackers with a targeted list for their phishing campaign. The precision with which these emails are being sent to 1Password users lends credence to this theory. If true, this leak would represent a significant security lapse for a company whose primary mission is to safeguard user credentials.

1Password is a widely used password manager trusted by millions to securely store sensitive information, including passwords, credit card details, and secure notes. A data leak, even if limited to email addresses, could undermine user trust and expose customers to further cyberattacks. But the company has yet to issue a public statement addressing these concerns.

As this situation develops, further updates from 1Password will be critical in clarifying the scope of any potential data leak and the measures being taken to protect users.