Within 2 hours one of the "honeypot" SSH accounts I put in my password manager was accessed with the creds I provided in the password manager. Now I understand there is internet wide scanning but a succesfull login with a random 12 character username and password I had in my password safe is very unlikely to be a random bot account.
Tomorrow I might have a bit more time to throw a few more honeypot accounts in there and see if they attempt to login.
For the time being I would highly discourage anyone store their passwords there.
(using a random throwaway account for obvious reasons, I don't want any retaliation against my startup on my main account from these guys.)
Since you're anonymous anyways, why not just tell us what you know? Are they breached or is the platform itself some sort of trap?
Another possible theory is that the site has a weakness and has been breached but they are just not aware of it. At this point it's a bit too early too tell though.
I encourage other people to test this on their end as well. It's actually very easy to do, spin up a vm image in the cloud, throw some test creds and see who falls for the bait. I keep a simple spreadsheet with unique usernames in one column and the service I stored those honeypot accounts in the next column. If one of those are accessed then I know for certain which services not to trust.
https://support.1password.com/two-factor-authentication/
They also support 2KSD on all hosted accounts
https://support.1password.com/secret-key-security/
Ergo: master password + secret key + OTP
