My friend has a @1Password Family subscription and let the credit card lapse. She didn't notice the emails asking to update the card.
1Password completely deleted her account and logged her out on all devices. Now she can't access her 100+ passwords and 2FA tokens
WTF
I feel terrible because I recommended @1Password to her as I have to countless friends over the years.
For as long as I've used 1Password, their policy was to make passwords read-only when a license or subscription expires. Never to remotely wipe your passwords as punishment
She's now been logged out and had her passwords wiped on both her Mac and iOS devices and hasn't been able to access her accounts for several days.
@1Password support - can you fix this now, please?
The 1Password app should NEVER delete data. And it should ESPECIALLY never do so because of an expired credit card.
This completely destroys my trust in the app.
Imagine waking up tomorrow and all your data has been remotely wiped from your 1Password apps on all devices.
@1Password - If you're reading this, please DM me so I can share her account's email address. I would love to see you get to the bottom of this.
UPDATE: So here's what happened.
My friend added her brother as an Owner on the family plan. He signed up, tried 1Password for a day, and stopped using it.
1.5 years go by.
Then, the emails about an expired credit card start coming, but they're sent to both of them.
The brother sees the expired card emails for the Family account. By this time he has his own Individual 1Password account.
He thinks the emails are from that time he tried 1Password a few years ago, so he clicks a link in the email and deletes the account.
The Family account.
What's surprising is he was able to delete the whole Family account without logging in. It's the one action you can take as an Owner without logging in. You just need access to the email address.
No master password, no secret key.
Lesson: any Owner can delete the whole Family account, even one who hasn't logged in for years, forgot they're an Owner, and isn't actively using their user account anymore.
I recommend everyone audit who has Owner on your Family account. Remove anyone who isn't active anymore.
One more surprising detail:
Once the Family account was deleted, the local data was wiped from all the devices of the other members in the Family account.
Remote wiping makes sense for company accounts where you want to wipe when an employee leaves. But not for families.
If one family member gets tired of paying, switches away from 1Password, and deletes the account, then the other users in the family should have a happy path to get their data out.
They should still be able to access their passwords, even if in read-only mode.
1Password should have sent a message explaining that her Family account was deleted and asking if she wants to pay for an individual account, or switch into read-only mode, or something!
But wiping the *remote and local* data and saying "Account Deleted" is wrong.
Fortunately, 1Password can recover deleted accounts for 35 days after deletion. They're now working on doing that for her account.
But the bigger problem is that this wiping behavior clears the Secret Key from all the logged in devices.
Many users rely on their logged-in devices to produce their Secret Key so they can log in to new devices.
By logging out and wiping all devices, the user is forced to rely on their offline copy of the Secret Key (the Emergency Kit) to get back into their account.
So, even once 1Password restores the deleted account, anyone who didn't save their Emergency Kit (which is a terrible mistake, to be clear) might be locked out.
Lesson: this design should be improved.
Lesson: Double-check your Emergency Kit. Do you know where it is?
Still waiting for support to un-delete her account, but I'm hopeful that this story will have a happy ending now.
Huge thanks to the 1P employees who have been super helpful over DM.
I'm still planning to remain a 1Password customer.
Hopeful there are some lessons to be learned here that lead to better UX and give family members a way to keep their data when the owner deletes the account.
I'll update this thread once my friend is back into her account.
She’s back into her account! 

Thanks to 1Password for all the help!
Several employees, especially @zck, went above and beyond to personally help resolve this. And @jpgoldberg agreed that the way secret keys are handled for deleted family accounts can be improved.




