My friend has a @1Password Family subscription and let the credit card lapse. She didn't notice the emails asking to update the card.

1Password completely deleted her account and logged her out on all devices. Now she can't access her 100+ passwords and 2FA tokens

WTF
I feel terrible because I recommended @1Password to her as I have to countless friends over the years.

For as long as I've used 1Password, their policy was to make passwords read-only when a license or subscription expires. Never to remotely wipe your passwords as punishment
She's now been logged out and had her passwords wiped on both her Mac and iOS devices and hasn't been able to access her accounts for several days.

@1Password support - can you fix this now, please?
The 1Password app should NEVER delete data. And it should ESPECIALLY never do so because of an expired credit card.

This completely destroys my trust in the app.

Imagine waking up tomorrow and all your data has been remotely wiped from your 1Password apps on all devices.
@1Password - If you're reading this, please DM me so I can share her account's email address. I would love to see you get to the bottom of this.
UPDATE: So here's what happened.

My friend added her brother as an Owner on the family plan. He signed up, tried 1Password for a day, and stopped using it.

1.5 years go by.

Then, the emails about an expired credit card start coming, but they're sent to both of them.
The brother sees the expired card emails for the Family account. By this time he has his own Individual 1Password account.

He thinks the emails are from that time he tried 1Password a few years ago, so he clicks a link in the email and deletes the account.

The Family account.
What's surprising is he was able to delete the whole Family account without logging in. It's the one action you can take as an Owner without logging in. You just need access to the email address.

No master password, no secret key.
Lesson: any Owner can delete the whole Family account, even one who hasn't logged in for years, forgot they're an Owner, and isn't actively using their user account anymore.

I recommend everyone audit who has Owner on your Family account. Remove anyone who isn't active anymore.
One more surprising detail:

Once the Family account was deleted, the local data was wiped from all the devices of the other members in the Family account.

Remote wiping makes sense for company accounts where you want to wipe when an employee leaves. But not for families.
If one family member gets tired of paying, switches away from 1Password, and deletes the account, then the other users in the family should have a happy path to get their data out.

They should still be able to access their passwords, even if in read-only mode.
1Password should have sent a message explaining that her Family account was deleted and asking if she wants to pay for an individual account, or switch into read-only mode, or something!

But wiping the *remote and local* data and saying "Account Deleted" is wrong.
Fortunately, 1Password can recover deleted accounts for 35 days after deletion. They're now working on doing that for her account.

But the bigger problem is that this wiping behavior clears the Secret Key from all the logged in devices.
Many users rely on their logged-in devices to produce their Secret Key so they can log in to new devices.

By logging out and wiping all devices, the user is forced to rely on their offline copy of the Secret Key (the Emergency Kit) to get back into their account.
So, even once 1Password restores the deleted account, anyone who didn't save their Emergency Kit (which is a terrible mistake, to be clear) might be locked out.

Lesson: this design should be improved.

Lesson: Double-check your Emergency Kit. Do you know where it is?
Still waiting for support to un-delete her account, but I'm hopeful that this story will have a happy ending now.

Huge thanks to the 1P employees who have been super helpful over DM.

I'm still planning to remain a 1Password customer.
Hopeful there are some lessons to be learned here that lead to better UX and give family members a way to keep their data when the owner deletes the account.

I'll update this thread once my friend is back into her account.
She’s back into her account! 🔥🔥

Thanks to 1Password for all the help!

Several employees, especially @zck, went above and beyond to personally help resolve this. And @jpgoldberg agreed that the way secret keys are handled for deleted family accounts can be improved.

❤️✨❤️✨
