2 weeks ago, I received a message from Bitwarden with the title: New Device Logged In From Edge
with an IP from Italy: it was not me, a login from a browser that I don’t use (Edge), during the night (so I was sleeping).
As explained in the documentation, I changed my master password, activated 2FA, changed all my passwords and I thought all my passwords were safe again.
And what a surprise when I received again the same kind of email saying that someone had entered my vault again (this time the IP was from Mexico) a few days later, but this time with 2FA activated. How is it possible with 2FA activated?
I don’t use a VPN, I didn’t put my master password anywhere else (I changed it after the first hack). I really don’t understand this situation.
Am I the only one facing this kind of situation? Do you have any idea how it is possible for someone to enter my vault without the second factor code generated by my phone app 2FAS?
A prerequisite to doing the above is to ensure that the device you are using is 100% malware free — which may require a clean installation of the entire operating system.
If there is malware on your device while you are setting up your new master password and 2FA, it is possible for these credentials to be stolen and transmitted to the hackers.
Have you taken any action to eliminate malware from your devices?
You are right, I should check this. I am using Manjaro (Arch Linux) with Brave as a browser and everything is updated… I will do some research to see how to ensure I have no malware on Linux (never had such issues). Reinstalling everything will be a huge amount of work.
I will perform the sanity checks this evening to see if I have any malware or something like that.
However, even if my computer is full of malware, I don’t understand what scenario enables someone to log in to my vault without the code provided by 2FAS from my own mobile (which the hacker doesn’t have).
The email is the one from Bitwarden, at least it seems… I checked it carefully and it seems to be the original one. There is a link to “deauthorize all sessions”.
Any malware running on your device would have had access to this information, and could use it to set up their own authenticator app to generate TOTP codes that would satisfy the Bitwarden 2FA requirement.
Also, if you use “Remember me” option during 2FA authentication, the client would save a state to the disk that can be exfiltrated and potentially used for replay at other locations. If you don’t use this option, then this isn’t the method used to bypass your 2FA.
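To make the scenario in the two replies above concrete, here is an added example (not code from the thread or from Bitwarden): a minimal RFC 6238 TOTP implementation showing that a device seeded with an exfiltrated copy of the authenticator secret produces exactly the same codes as the phone, and that only rotating the secret breaks that. The demo seed is the RFC 6238 reference secret, the window check and the `new_secret` helper are this example's own assumptions, not Bitwarden's server logic.

```python
import base64
import hashlib
import hmac
import os
import struct

STEP = 30  # seconds per TOTP time step (the default used by authenticator apps)

def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)

def verify(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Assumed server-side check: accept the current step and +/- `window` steps of clock skew."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + d * STEP), code)
        for d in range(-window, window + 1)
    )

def copied_seed_matches_phone(secret_b32: str, unix_time: int) -> bool:
    """The phone and a device holding a copy of the same seed produce identical codes,
    so a server that only checks the code cannot tell the two devices apart."""
    phone_code = totp(secret_b32, unix_time)
    copied_code = totp(secret_b32, unix_time)
    return phone_code == copied_code and verify(secret_b32, copied_code, unix_time)

def new_secret() -> str:
    """Rotation: a fresh random 160-bit seed that an old copy cannot predict (constructed here)."""
    return base64.b32encode(os.urandom(20)).decode()

if __name__ == "__main__":
    # Constructed demo seed: the RFC 6238 reference secret "12345678901234567890" in base32.
    demo_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    t = 59
    print("phone and copied seed agree:", copied_seed_matches_phone(demo_secret, t))
    rotated = new_secret()
    old_code = totp(demo_secret, t)
    print("old seed's code accepted after rotation:", verify(rotated, old_code, t))
```

This is why the advice later in the thread to turn TOTP off and back on matters: a new seed is the only thing that invalidates a copy already in someone else's hands.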
Thanks @grb for your scenario, you are right, this kind of scenario could explain the connection. @Neuron5569 yes, you are also right, I checked the box to remember me… I understand your point as well.
So now I am in a quite difficult situation:
with the checks I did, I have doubts that these 6 “issues” above could cause an access to the “Bitwarden 2FA configuration screen”. It is not impossible but very difficult to imagine => Do you know where I could look for such malware on a Manjaro (Arch Linux) machine using Brave, which is supposed to be quite secure?
the fact that a “simple malware” from any infected website could “take my Bitwarden authentication” and bring it to another computer does not make me feel very safe for the long term
The Bitwarden team is doing a fantastic job, the solution is really good but something is not working well for me here… And I have no answer anymore from their support team, strange. My computer doesn’t seem to be “full of malware” and the fact that in less than a month, someone entered my vault twice is not very good for me…
If there are more checks I can do, I will continue to investigate if I can help the team to understand what is happening so that other users don’t face the same drama that is happening with my account…
One usual alternative explanation is there is some kind of BW breach, but normally, people expect this kind of breach to be more widespread, which it is not (yet).
Here’s a suggestion for what you could check (to at least help me understand).
This is a positive by heuristic, so it’s prone to false positives. OTOH, if it’s true malware, and is regularly run, it can possibly install more malware, making it quite dangerous. If you haven’t deleted them already, I would upload them to https://www.virustotal.com/ to see what other vendors say.
@Neuron5569 the issue is that I deleted these 2 files in the node_module, but what I can try is:
Try to identify how it arrived here to reinstall (I will search in AUR repository)
Run Kaspersky again to check that it is again on my system
Put it in VirusTotal as requested
It will probably not be so easy since this module was probably a dependency of another one and I have to find a way to find it… But I will do my best.
Additionally, I will launch again a scan of the full computer with ClamAV and post here what it found, and this time I will not remove the suspicious files, for VirusTotal if you need it.
Is there any other action I can do? Scan with another tool?
I will go home late today so not sure I can run the full scan. I keep you informed.
Since we don’t know definitely that they are the problems, and it takes efforts to find where they come from:
I personally would try to definitively eliminate doubts by backing up the data, and rebuilding (installing) Linux from scratch—assuming you changed your master password, set up your TOTP 2FA, etc., on the Linux system.
Then grab Bitwarden from the official source, deauthorize all sessions, change the master password, and generate another TOTP secret (turn it off, and then back on again).
I’d reset the mobile devices that use Bitwarden as well.
Kaspersky has a very good reputation about catching new viruses/malware early, but the problem with virus suspicion is, the only way to be sure is to nuke all relevant systems, and then be very careful about what you put back in. I am sorry you are experiencing this issue, but hopefully, you’ll be able to sort it out.
Once they have a clean system to work on, OP also needs to rotate the 2FA Recovery Code. This requires first using the current recovery code (by submitting it using the web form at vault.bitwarden.com/#/recover-2fa (or vault.bitwarden.eu/#/recover-2fa, if the account is hosted on the .EU server)), which turns off all 2FA requirements for the account. Having done this, one should then get a new recovery code, and re-enable TOTP for the account.
Hudson Rock is an Israeli company that sells access to information stolen by infostealers. They say they add new information on a daily basis. I don’t know of any email breached by infostealers, so I can’t check for sure.
Thanks for all your suggestions. Here are some additional inputs:
I scanned my computer again for malware and viruses… Found some for Windows but I am on Linux
My email address doesn’t show any leaks on the Hudson Rock site
It doesn’t appear to come from my software…
To be honest, I understand your proposal to reinstall everything from scratch, carefully following your advice above. But it will have a significant impact on my day to day work.
I don’t have any feedback from BW support on the investigation into what happened on my account… It seems that BW has no way to investigate and see at least if someone really logged in (that it is not a false positive), and also if the email I received from them is legit (I have no feedback from BW support). If the solution is: “every time someone enters, reinstall all your devices hoping that it will not happen again in 2 weeks”, I will not sleep quietly. With the current situation, I don’t feel secure with BW anymore
At the very least, see if you can locate another device that is known to be malware free, then use the clean device to change your master password, rotate your account encryption key, rotate your two-step login recovery code, and set up 2FA again.
If you subsequently log in to your Bitwarden account on a compromised device, your vault data could still be stolen. Therefore, my suggestion to you would be to switch to a different password manager solution temporarily, for the next several months (making sure to choose a password manager that documents new logins). If during this time-period, you are notified about unauthorized logins into your new password manager, then that would be strong confirmation that your computer is infected by an info-stealer; on the other hand, if you get a third unrecognized login notification for your Bitwarden account, then that points to a very sophisticated attack against your Bitwarden account. If neither happens, perhaps after a few months you would feel comfortable resuming use of your Bitwarden account.