The post calls this out:

> the 1Password browser plugin would have noticed that “members-x.com” wasn’t an “x.com” host.

But shared accounts are tricky here, like the post says it's not part of their IdP / SSO and can't be, so it has to be something different. Yes, they can and should use Passkeys and/or 1password browser integration, but if you only have a few shared accounts, that difference makes for a different workflow regardless.

Yes; 1Password was used. And it worked properly. But because humans are fallible, a human made a mistake anyways.

"Properly working password managers" do not provide a strong defense against real world phishing attacks. The weak link of a phishing attack is human fallibility.

Precisely. 1Password's browser integration would have noticed a domain mismatch and refused to autofill the password -- but in a panic, Kurt apparently opened 1Password and then copied/pasted the credentials manually.

This is how they got my Steam account credentials, although I realized the stupid shit I did the second I clicked submit form, and reset my password to random 32 characters using bitwarden. Me! Someone who is deeply technical AND paranoid.

The key here is the hacker must create the most incisive, scary email that will short circuit your higher brain functions and get you to log in.

I should have realized the fact that bitwarden did not autofill and take that as a sign.

Same thing happened to me (not with Steam), but it's also the thought that "this could never happen to me" that leads you to assign an almost zero probability to the problem being a phishing attempt.

> The key here is the hacker must create the most incisive, scary email that will short circuit your higher brain functions and get you to log in.

... and specifically by using the link in the email, yes?

Which is why a properly working password manager is not a strong defense against phishing.

Not a strong defense, but it helps.

But it's also why sites that don't work well with a password manager are actively setting their users up to be phished.

Same with every site that uses sketchy domains, or worse redirects you to xyz.auth0.com to sign in.

Correct. The moral of the story is that hardware MFA and/or passkeys are a necessity in today's world. An infinitely complex password and 2FA are no match for attacks that leverage human psychology.

It's a strong defense that this guy decided not to use

User security that doesn’t meet real users where they are is just nerd theatre.

It works for me. I’m unconcerned if it works for anybody else.

It works for lots of people, until it doesn't. You may well fall victim to such a scheme someday.

That’s almost guaranteed now that I made such a confident statement that it works for me.

Because CEOs at startups are notorious for trying to problem solve aggressively by "just" doing the thing rather than throwing it at a person who _might_ have made the same mistake, but might be more primed to be confused as to why they are not logged into x dot com and why 1password's password prompt doesn't show up and why the passkey doesn't work or whatever.

It's always possible to have issues, of course, and to make mistakes. But there's a risk profile to this kind of stuff that doesn't align well with how certain people work. Yet those same people will jump on these to fix it up!

It’s a bold move to typecast all CEOs as uniquely vulnerable to a problem that the evidence shows every single one of us is vulnerable to.

Blaming some attribute about user as why they fell for a phishing attempt is categorically misguided.