Security Risks From Phishing URLs and Long-Lived SMS “One-Time” Links
1Password introduced a new anti-phishing UX control that displays pop-up warnings when users land on suspected phishing or typosquatted domains, addressing a gap where users might manually type credentials even when the password manager refuses to autofill due to a URL mismatch. The feature is enabled by default for Individual and Family plans, while enterprise admins can enable it via Authentication Policies in the 1Password admin console.
Separate academic/industry research highlighted systemic exposure risks from SMS-delivered “one-time” links that do not expire, enabling personal data access long after delivery. The study assembled a dataset from public SMS gateways (over 33M messages, 323K unique URLs, and 10.9K+ domains) to analyze how SMS link design choices can leak data over time; the article also notes broader threat trends where attackers increasingly use malicious URLs via SMS (smishing) and large-scale domain churn/brand impersonation to drive credential theft and fraud.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
SC Media report adds details on weak SMS-link token security
A later report on the SMS sign-in link research highlighted that 125 services used weak tokens that could allow attackers to guess valid login links, and reiterated that many links remained active for months or years. It also emphasized backend overfetching of personal data and noted the true number of affected services may be higher than observed.
1Password launches phishing URL pop-up warnings
1Password announced a built-in feature that displays pop-up warnings when users visit suspected phishing or typosquatted sites, aiming to prevent manual credential entry on fake pages. The protection is enabled by default for individual and family plans, while enterprise administrators can enable it through Authentication Policies.
Researchers disclose SMS link issues to 150 affected services
After identifying the exposures, the research team reported the issues to 150 services. Only 18 responded and seven implemented fixes, indicating that many of the exposed services likely remained vulnerable.
Researchers identify widespread exposure from long-lived SMS sign-in links
A research study analyzing more than 33 million messages from public SMS gateways found that SMS-delivered magic links and sign-in URLs at 177 services often acted as bearer tokens, exposing personal data and enabling account access. The study identified 701 still-working endpoints, including some links dating back to 2019, and found weak token designs, overexposed backend data, and in some cases account takeover or editable personal-data forms.
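The findings above (guessable tokens, links still valid years later, links acting as reusable bearer tokens) map to three server-side properties: high-entropy tokens, a short expiry, and single use. The following is an added example, not code from the research or from any affected service; the `SmsLinkStore` class, the 15-minute lifetime, the in-memory dict, and the length threshold in `audit_sample_token` are all assumptions chosen for illustration.

```python
import hashlib
import secrets
import time

LINK_TTL_SECONDS = 15 * 60  # assumed lifetime; the reporting gives no recommended value


class SmsLinkStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}  # sha256(token) -> {"account", "expires", "used"}

    def issue(self, account_id):
        # 256 bits from the CSPRNG, so a valid link cannot be found by guessing.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._records[digest] = {
            "account": account_id,
            "expires": self._clock() + LINK_TTL_SECONDS,
            "used": False,
        }
        return token  # goes into the SMS URL; only its hash is stored

    def redeem(self, token):
        """Return (account_id, None) on success, or (None, reason) on refusal."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._records.get(digest)
        if record is None:
            return None, "unknown"
        if record["used"]:
            return None, "already_used"  # a link works once, not as a bearer token
        if self._clock() >= record["expires"]:
            del self._records[digest]  # expired links are purged, not left live
            return None, "expired"
        record["used"] = True
        return record["account"], None


def audit_sample_token(token):
    """Flag token shapes that are open to guessing: short or digits-only."""
    problems = []
    if len(token) < 22:  # fewer than 22 base64url chars is under 128 bits
        problems.append("too_short")
    if token.isdigit():
        problems.append("numeric_only")
    return problems
```

A successful `redeem` should then return only the fields the landing page needs, which addresses the backend overfetching the reports describe.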
Sources
4 references tracked.
SMS sign-in links expose user data across hundreds of services | SC Media
scworld.com
1Password adds pop-pup warnings for suspected phishing sites
bleepingcomputer.com
1Password adds pop-up warnings for suspected phishing sites
bleepingcomputer.com
One-time SMS links that never expire are exposing personal data for years - Help Net Security
helpnetsecurity.com


