Security Risks From Phishing URLs and Long-Lived SMS “One-Time” Links

Updated March 21, 2026 at 02:46 PM | 4 sources

1Password introduced a new anti-phishing UX control that displays pop-up warnings when users land on suspected phishing or typosquatted domains, addressing a gap where users might manually type credentials even when the password manager refuses to autofill due to a URL mismatch. The feature is enabled by default for Individual and Family plans, while enterprise admins can enable it via Authentication Policies in the 1Password admin console.

Separate academic/industry research highlighted systemic exposure risks from SMS-delivered “one-time” links that do not expire, enabling personal data access long after delivery. The study assembled a dataset from public SMS gateways (over 33M messages, 323K unique URLs, and 10.9K+ domains) to analyze how SMS link design choices can leak data over time; the article also notes broader threat trends where attackers increasingly use malicious URLs via SMS (smishing) and large-scale domain churn/brand impersonation to drive credential theft and fraud.

Timeline

  1. Jan 28, 2026

    SC Media report adds details on weak SMS-link token security

    A later report on the SMS sign-in link research highlighted that 125 services used weak tokens that could allow attackers to guess valid login links, and reiterated that many links remained active for months or years. It also emphasized backend overfetching of personal data and noted the true number of affected services may be higher than observed.

  2. Jan 25, 2026

    1Password launches phishing URL pop-up warnings

    1Password announced a built-in feature that displays pop-up warnings when users visit suspected phishing or typosquatted sites, aiming to prevent manual credential entry on fake pages. The protection is enabled by default for individual and family plans, while enterprise administrators can enable it through Authentication Policies.

  3. Jan 23, 2026

    Researchers disclose SMS link issues to 150 affected services

    After identifying the exposures, the research team reported the issues to 150 services. Only 18 responded and seven implemented fixes, indicating that many of the exposed services likely remained vulnerable.

  4. Jan 23, 2026

    Researchers identify widespread exposure from long-lived SMS sign-in links

    A research study analyzing more than 33 million messages from public SMS gateways found that SMS-delivered magic links and sign-in URLs at 177 services often acted as bearer tokens, exposing personal data and enabling account access. The study identified 701 still-working endpoints, including some links dating back to 2019, and found weak token designs, overexposed backend data, and in some cases account takeover or editable personal-data forms.
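The properties the study found missing (unguessable tokens, expiry, single use, minimal data returned) can be enforced in a few lines on the server. The sketch below is an added example, not code from the research or from any affected service; the class, the field names and the 10-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 600  # assumed policy: a sign-in link lives for 10 minutes


class SignInLinks:
    """In-memory store of single-use, expiring sign-in tokens (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (account_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account_id):
        # 256 bits from the OS CSPRNG, so a valid link cannot be guessed.
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (account_id, self._now() + TTL_SECONDS)
        return token  # placed in the SMS URL; only its hash is stored

    def redeem(self, token):
        """Return the account id once; None if unknown, already used or expired."""
        entry = self._pending.pop(self._digest(token), None)  # pop = single use
        if entry is None:
            return None
        account_id, expires_at = entry
        return account_id if self._now() <= expires_at else None


def landing_view(record):
    # Send the browser only the fields the page renders, not the whole record.
    return {k: record[k] for k in ("first_name", "order_status")}


def demo():
    clock = [1_000_000.0]  # constructed fake clock so expiry is deterministic
    links = SignInLinks(now=lambda: clock[0])
    used = links.issue("acct-1")
    first, replay = links.redeem(used), links.redeem(used)
    stale = links.issue("acct-2")
    clock[0] += TTL_SECONDS + 1
    return first, replay, links.redeem(stale)


if __name__ == "__main__":
    print(demo())
```

A production version would keep the pending tokens in a shared store with its own TTL rather than process memory.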


Related Stories

SMS-Based Authentication and Phishing Risks via Intercepted or Mass-Sent Text Links

Recent research highlighted systemic security and privacy risks created by **sign-in/authentication links delivered over SMS**, showing how easily such links and embedded personal data can be exposed and abused at scale. By observing public SMS gateway services (temporary numbers used to receive texts), researchers collected **332,000 unique SMS-delivered URLs** extracted from **33 million texts** sent to **30,000+ phone numbers**, and reported that messages from **701 endpoints** on behalf of **177 services** exposed *critical PII*. The work underscores that SMS is unencrypted and that authentication links and sensitive details can persist in accessible stores or be captured through weakly protected SMS delivery ecosystems.

Greek police separately dismantled a criminal operation in the Athens area that used a **rogue mobile base station** (an “**SMS blaster**”) concealed in a car to push phishing texts to nearby phones. Authorities said the device coerced phones to connect and **downgraded them from 4G to 2G**, enabling collection of identifiers (e.g., phone numbers) and delivery of scam messages impersonating banks and courier firms with **phishing links** used to steal payment card data and conduct unauthorized transactions; investigators have tied the group to at least three fraud cases and indicated the suspects may be Chinese nationals.

Together, the reporting and research illustrate how SMS-delivered links can be exploited both through passive exposure of messages/URLs and through active, proximity-based telecom impersonation to distribute credential- and payment-theft lures.

1 month ago
1Password Adds Copy-Paste Phishing Protection to Warn on Credential Entry to Lookalike Sites

*1Password* introduced a new **phishing protection** capability aimed at stopping users from entering credentials into fraudulent lookalike sites, particularly when users bypass autofill and instead **copy/paste** passwords. The feature checks whether the site a user is interacting with matches the saved login’s expected URL; if it does not, 1Password can warn the user before credentials are submitted, adding deliberate friction to reduce “momentary lapse” credential theft. Reporting highlights that phishing kits and AI-assisted site creation are making realistic fake login pages easier to produce at scale, increasing the likelihood of users being tricked into credential entry. 1Password’s approach is to detect URL mismatches (e.g., typosquatted domains) and present an explicit warning/confirmation step when a user attempts to paste credentials into a site that doesn’t align with the vault record; pairing this with **multi-factor authentication (MFA)** is recommended to further reduce account takeover risk.

1 month ago
Email-Borne Social Engineering and Credential Theft Risk

Recent coverage emphasized that **phishing and social engineering via email** remain a primary initial access vector, with attackers increasingly blending into routine workflows (emails, meeting invites, and trusted SaaS notifications). TechTarget highlighted that user judgment is often the last control when filters fail, citing the *Microsoft Digital Defense Report 2025* claim that **28% of breaches** trace back to phishing/social engineering, and noting reports of spam relayed through **legitimate Zendesk domains/instances** (e.g., leveraging recognizable brands) to bypass filtering and drive credential theft or follow-on access.

Separate reporting and guidance reinforced how attackers operationalize these patterns: The Hacker News described **Operation Nomad Leopard**, a spear-phishing campaign targeting Afghan government entities using government-themed decoys and a **GitHub-hosted ISO** that drops a **LNK** to execute a **FALSECUB** backdoor capable of remote command execution. Other items in the set were largely general best-practice or “common threats” explainers (password hygiene, generic threat overviews) rather than incident-specific intelligence, but they align with the same overarching risk theme: weak/reused passwords and routine email behaviors continue to enable account takeover and downstream compromise.

1 month ago
