iOS Developers Claim 1Password isn’t Removing Deleted Profile Pictures

The iOS developer and security researcher duo Mysk claims that after deleting their 1Password account, their profile picture was still being stored and remained publicly accessible via a URL.

The saga started when Mysk discovered that 1Password profile pictures were accessible through a publicly available URL:

Mysk🇨🇦🇩🇪 (@mysk@mastodon.social)
Oh, 1Password stores user profile pictures on their servers without authentication. Anyone who has the long URL, which also contains the account identifier, can access the picture. It’s not a big deal, but a password manager should definitely be more careful. #privacy #infoSec
Mysk🇨🇦🇩🇪 (@mysk@mastodon.social)
This is a test account we created to test the new feature that 1Password just announced about unlocking the app with the Mac password, as it relates to our recent work. Here’s the link that was shown in the screenshot: https://a.1passwordusercontent.com/VL4OMT3IFZDB3LIJRC67R3ECLU/f2v3kcoxrnemzaf4hrl7vtpw6m.png

They also pointed out that 1Password's own documentation treats profile pictures as personally identifiable information.

After they changed the profile picture on their test account, the old one was still visible at the same link, meaning the image had not been deleted: it was still stored on 1Password's servers and still publicly available:

Mysk🇨🇦🇩🇪 (@mysk@mastodon.social)
Oh woow 😱! After changing the profile picture yesterday, the link to the old profile picture still works even though the old picture is not visible anywhere in the account. Are they storing profile pictures in a CDN? This is not LinkedIn, it’s a password manager 😖

After they deleted the account, the link was still up and accessible 7 days later:

Mysk🇨🇦🇩🇪 (@mysk@mastodon.social)
Article 17:65 of the GDPR, the right to be forgotten: A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. This 1Password account was deleted on November 15, 2025 and its profile picture is still online: https://a.1passwordusercontent.com/VL4OMT3IFZDB3LIJRC67R3ECLU/f2v3kcoxrnemzaf4hrl7vtpw6m.png

They’re correct here about the GDPR, since the profile picture is no longer being used for any purpose.

Editor's note: We reached out to 1Password for comment, but have not received a response at the time of publishing. We will update this post when we hear back.
