Malwarebytes

Malwarebytes was targeted in a well-crafted phishing attack in which scammers attempted to steal an employee's 1Password credentials with an email impersonating 1Password's Watchtower breach-alert feature. The email, sent from watchtower@eightninety[.]com, urged the recipient to change their password and enable two-factor authentication, and linked through a Mandrillapp (Mailchimp's transactional email service) tracking redirect to a lookalike domain, onepass-word[.]com, dressed up as a 1Password password-reset page. Mandrillapp blocked the redirect shortly after the campaign was detected and the domain was flagged as phishing by multiple vendors, but anyone who entered credentials before that risked exposing their entire vault, handing attackers every stored login and a path to account takeovers, identity theft, or lateral movement into corporate systems. The lure mirrors a campaign Hoax-Slayer reported on September 25, 2025, suggesting a recurring threat. No successful credential theft was confirmed, but the incident shows how a convincing sender display name, a legitimate third-party redirect service, and a typosquatted landing domain combine to defeat casual inspection, and why password-manager credentials are a high-value target: had they been captured, they could have enabled deeper infiltration into Malwarebytes' infrastructure or partner networks.

Source: https://www.malwarebytes.com/blog/news/2025/10/phishers-target-1password-users-with-convincing-fake-breach-alert

TPRM report: https://www.rankiteo.com/company/malwarebytes

"id": "mal2692126100625",
"linkid": "malwarebytes",
"type": "Cyber Attack",
"date": "9/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Cybersecurity',
                        'name': 'Malwarebytes',
                        'type': 'Company'}],
 'attack_vector': 'Email (Phishing)',
 'customer_advisories': ['Users advised to check 1Password account status via '
                         'official channels'],
 'data_breach': {'data_exfiltration': 'Unknown (if any victims entered '
                                      'credentials)',
                 'personally_identifiable_information': 'Potential (if '
                                                        '1Password vaults were '
                                                        'accessed)',
                 'sensitivity_of_data': 'High (password manager credentials '
                                        'could grant access to all stored '
                                        'accounts)',
                 'type_of_data_compromised': ['1Password credentials '
                                              '(potential)']},
 'date_detected': '2025-10-02',
 'date_publicly_disclosed': '2025-10-03',
 'description': 'In a well-targeted phishing attempt, scammers tried to obtain '
                'the 1Password credentials of a Malwarebytes employee. The '
                'phishing email mimicked a legitimate 1Password Watchtower '
                'alert, urging the recipient to change their password and '
                'enable two-factor authentication via a malicious link '
                '(onepass-word[.]com). The domain was quickly flagged as '
                'phishing, but early victims may have exposed their '
                'credentials. The attack leveraged Mandrillapp (a Mailchimp '
                'service) for tracking and redirection, though Mandrillapp '
                'blocked access to the phishing site shortly after detection. '
                'A similar campaign was reported by Hoax-Slayer on September '
                '25, 2025, suggesting an ongoing threat.',
 'impact': {'brand_reputation_impact': 'Minimal (proactive disclosure by '
                                       'Malwarebytes)',
            'data_compromised': ['Potential 1Password credentials (if victims '
                                 'fell for the scam)'],
            'identity_theft_risk': 'High (if 1Password credentials were '
                                   'compromised)'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Unknown (potential if '
                                                    'credentials were stolen)',
                           'entry_point': 'Phishing email '
                                          '(watchtower@eightninety[.]com)',
                           'high_value_targets': ['1Password credentials']},
 'investigation_status': 'Disclosed; domain blocked',
 'lessons_learned': ['Phishing emails can mimic legitimate services (e.g., '
                     '1Password Watchtower) with convincing domains and '
                     'redirection chains.',
                     'Early detection and blocking of phishing domains (e.g., '
                     'via Mandrillapp) can limit exposure.',
                     'User education remains critical to prevent credential '
                     'theft via social engineering.'],
 'motivation': 'Credential theft (1Password vault access)',
 'post_incident_analysis': {'corrective_actions': ['Domain blacklisting by '
                                                   'security vendors',
                                                   'Public awareness campaign '
                                                   'by Malwarebytes',
                                                   'Encouragement of 2FA '
                                                   'adoption for 1Password '
                                                   'users'],
                            'root_causes': ['Successful spoofing of 1Password '
                                            'Watchtower alert',
                                            'Use of Mandrillapp for '
                                            'legitimate-looking redirection',
                                            'Typosquatted domain '
                                            '(onepass-word[.]com) to bypass '
                                            'initial suspicion']},
 'recommendations': ['Do not click links or buttons in unsolicited emails.',
                     'Verify account status directly through official '
                     'websites/apps (e.g., 1Password).',
                     'Use real-time protection with web filtering to block '
                     'malicious domains.',
                     'Enable two-factor authentication (2FA) for password '
                     'managers and critical accounts.',
                     'Monitor for similar phishing campaigns (e.g., '
                     'Hoax-Slayer’s September 25, 2025 report).'],
 'references': [{'date_accessed': '2025-10-03', 'source': 'Malwarebytes Blog'},
                {'date_accessed': '2025-09-25', 'source': 'Hoax-Slayer'}],
 'response': {'communication_strategy': ['Public blog post/disclosure',
                                         'Advice to users (e.g., avoid '
                                         'clicking unsolicited links, verify '
                                         'via official 1Password channels)'],
              'containment_measures': ['Domain (onepass-word[.]com) flagged as '
                                       'phishing by multiple vendors',
                                       'Mandrillapp blocked redirection to '
                                       'phishing site'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Public advisory issued by Malwarebytes',
                                       'Indicators of Compromise (IOCs) '
                                       'shared']},
 'stakeholder_advisories': ['Public warning issued'],
 'threat_actor': 'Unknown (cybercriminals)',
 'title': 'Targeted Phishing Attempt Against Malwarebytes Employee for '
          '1Password Credentials',
 'type': 'Phishing',
 'vulnerability_exploited': 'Human error (social engineering)'}
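Added example (not code from Malwarebytes, 1Password, Mailchimp or Rankiteo) showing how a mail-gateway rule or SOC triage script can flag the three indicators the summary and the lessons-learned list describe: a display name that names the vendor while the sender domain is unrelated, a link that hops through a third-party click-tracker, and a landing domain that is a separator-and-digit lookalike of the real brand. The vendor and tracker domain lists, the sample message, and the tracking-link path layout (landing host as the last dotted path segment) are assumptions for the example; a real deployment would follow the redirect in a sandbox and consult the Public Suffix List rather than the two-label heuristic used here.

```python
"""Static triage of a constructed 'breach alert' email impersonating a
password manager; domain lists and tracking-link layout are assumptions."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Assumption: domains the vendor actually mails from and links to.
VENDOR_DOMAINS = {"1password.com"}
# Brand tokens a lookalike domain tries to evoke.
VENDOR_BRANDS = {"1password", "onepassword"}
# Assumption: click-trackers whose hop hides the landing site from the reader.
TRACKING_DOMAINS = {"mandrillapp.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

# Constructed sample; the tracker account number and path are invented.
SAMPLE = """\
From: 1Password Watchtower <watchtower@eightninety.com>
Subject: Watchtower alert: your password appeared in a data breach
Content-Type: text/plain; charset=utf-8

Watchtower found your 1Password account password in a breach.
Change it now and turn on two-factor authentication:
https://mandrillapp.com/track/click/30000000/onepass-word.com?p=eyJ1Ijoi
Not you? Contact support at https://1password.com/support
"""

def registered_domain(host: str) -> str:
    """Last two labels (eTLD+1 for .com-style suffixes); production code
    should consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def normalize_label(text: str) -> str:
    """Undo the tricks in onepass-word: drop separators, spell out 1 and 0."""
    return (text.lower().replace("-", "").replace("_", "")
            .replace("1", "one").replace("0", "o"))

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host: str) -> bool:
    """Registered domain that evokes the brand but is not a vendor domain."""
    reg = registered_domain(host)
    if reg in VENDOR_DOMAINS:
        return False
    norm = normalize_label(reg.split(".")[0])
    return any(normalize_label(b) in norm or edit_distance(normalize_label(b), norm) <= 2
               for b in VENDOR_BRANDS)

def tracking_destination(url: str) -> Optional[str]:
    """Landing host hinted by a click-tracker link.  Assumption: it is the
    last dotted path segment (/track/click/<acct>/<host>?p=...); the real
    destination is only known by following the redirect in a sandbox."""
    parsed = urlparse(url)
    if registered_domain(parsed.hostname or "") not in TRACKING_DOMAINS:
        return None
    for segment in reversed(parsed.path.split("/")):
        if "." in segment:
            return segment.lower()
    return None

def triage(raw_message: str) -> List[str]:
    """Return the phishing indicators found in an RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_dom = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    brand_in_name = any(normalize_label(b) in normalize_label(display) for b in VENDOR_BRANDS)
    if brand_in_name and sender_dom not in VENDOR_DOMAINS:
        findings.append(f"display name impersonates vendor, sender domain {sender_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        reg = registered_domain(host)
        if reg in TRACKING_DOMAINS:
            findings.append(f"link routed through tracking domain {reg}")
            dest = tracking_destination(url)
            if dest and is_lookalike(dest):
                findings.append(f"tracking link lands on lookalike domain {dest}")
        elif is_lookalike(host):
            findings.append(f"link to lookalike domain {reg}")
        elif reg not in VENDOR_DOMAINS:
            findings.append(f"link to non-vendor domain {reg}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Running the script prints one line per indicator for the constructed message; an empty result means nothing fired. The script deliberately never fetches the tracking URL, since opening it confirms a live mailbox to the sender; the hop through the tracker is itself the signal to quarantine or block, which is the point of the page's web-filtering recommendation.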