Bitwarden account hacked:

https://www.reddit.com/r/Bitwarden/comments/1c6cyxr/what_do_you_do_if_all_of_your_accounts_are/

“Someone hacked my Bitwarden account. I have no idea where to start. What can I do?”

Any thoughts on what happened here? Not my post. Attacker clearly didn’t have the master password or else would have quickly changed it, locking out the victim, which didn’t happen.

Since the OP did not have 2FA, some likely attack vectors include:

  • Phishing
  • Shoulder surfing
  • Key logging or other information-stealing malware
  • Social engineering
  • Non-random master password
  • Improperly secured record of the master password (e.g., written on Post-It note; stored in vault left unlocked, etc.)
  • Inadvertent disclosure of the master password (e.g., typing into wrong window when another app steals focus)
  • User left one of their devices unattended in a location where access by other persons was possible
  • User logged in to their vault on a public computer or any device that they do not have full control over
  • User downloaded an unencrypted vault export without taking proper precautions
3 Likes

OP had (has) a strong, unique master pass. Has an IT career. Isn’t foolish. If the attacker had access to the master password, they would have changed it, locking out the victim from vault.bitwarden.com. This didn’t happen. Therefore we should assume the master password was not compromised.

He says he had. More we don’t know.

I understand the assumption is, they have his vault data. What purpose would a master password change have then? What would they do with his Bitwarden account?

Maybe we shouldn’t assume that.

4 Likes

Just because a master password can’t be guessed doesn’t mean that it can’t be compromised. Personally, I’m not going to assume anything about the OP’s master password strength (IT professional or not), but even if you rule out the 5th bullet point in my response above (“Non-random master password”), then the remaining 9 bullet points still apply.

He admitted to using a pin instead of the master password to access the vault locally. That squares with my belief the attacker did not know the master password.

1 Like

Does it make a difference? Regardless, the compromise would have been a result of a local breach (of one of OP’s devices).

If I were of criminal mind and had the master password to someone’s vault, the last thing I would do is change it. Why risk alerting the owner when time is of the essence to capture and use the accessed passwords?

As for the problem, I agree with user error. Although in IT, the victim admits to little knowledge of security and implies it again in his or her responses to comments.

3 Likes

The victim says the attacker e-mailed him a plain text export of all his credentials. Square that with not changing the master password. The master password was never changed because the attacker never had it.

@Herc, your second and third sentences appear to contradict one another. What is it you are saying please?

If one had already made maximum use of the available passwords (institutions do respond to breach advice) then a frivolous afterthought might be to change the master password and email the already obtained but no longer useful contents as a trolling act. The last thing.

On the other hand, it is not my problem to account for the behaviour of someone I am not, only to analyse events and estimate risks. You have yet to produce a valid model which excludes the attacker having the master password, yet that is by far the most likely event.

1 Like

I read through the thread. On the balance of probabilities, my belief is the attacker never had the master password. After they compromised the vault and effectively made use of the passwords, they alerted the victim with an emailed export of all the passwords. However, they never changed the master password because, as I said, I don’t believe they ever had the master password.

The victim was using the pin function to log in to their account.

This is an important case study that Bitwarden engineers should intensively look into, document, and learn from.

The victim is above average in computer literacy and should not be blamed too much.

Yes, I read the entire thread too. You have a belief. You refer to “the balance of probabilities” while adducing zero evidence for any of them, so you “don’t believe they had” thus averring the same belief with which you started.

While I cannot exclude an alternative, it serves best to first have reason to exclude the bleedin’ obvious.

1 Like

If we believe that all the OP says in the reddit thread is true,

then my bet would be a compromised device where he had the vault locked with a weak pin (he confirms locking his vault with a pin, he doesn’t say that it was weak).

And probably locked with the option to lock with master password on client restart unchecked (he is asked precisely that, which (as of now) isn’t answered).

2 Likes

Exactly.

And a password manager is not the same as - for example - Google. With a Google / YouTube account you could hijack a YouTube channel and try to make profit of that etc. But what would attackers do with a password manager account (“after” they already have the vault data)? Store their own (and the stolen) passwords and live a happy life?

I don’t think changing the master password of a password manager account gives an attacker much advantage / benefit… On the contrary, when they don’t change the master password, the victim can add more accounts and the attackers could get access to them as well…

Though that is speculation from my side. Are there any statistics on compromised password manager accounts and their “endings”? - Where are the hackers, when they are needed…

1 Like

I see that the OP confirmed that his vault was locked with a pin and he unchecked the option to lock with master password on client restart.

Bitwarden recommends not unchecking that option.

What happens if you do, is that the vault is written to disk encrypted with that pin (well, with a key derived from that pin).

If your device is compromised and someone gets access to that pin-encrypted vault, the only thing they have to do to get into your vault is brute-force the pin.

If you keep that lock with master password on client restart option checked, then the vault is encrypted with the pin but kept in memory, not written to disk.

Getting the pin-encrypted vault from memory is much more difficult than getting it from disk.

They could reap those sweet, sweet Premium benefits for the balance of the subscription year… :laughing:

This makes the most likely attack vector an info stealer or an evil maid attack that resulted in the exfiltration of the data.json file.

1 Like

In the end I was correct. The victim’s master password was not breached. They had dramatically reduced their security through the use of a pin and sought further convenience by unchecking lock with master pass on client restart. Once that is done, all it takes is a piece of malware unknowingly installed to expose the whole database.

Also, pins are especially easy to crack because hackers know people use them to dramatically reduce length and complexity, so they have a much narrower range of possibilities to try right from the start. Even if you have a short password, the hacker has no idea it is short. With a pin, they can reasonably assume it is short.

I really don’t understand why you are so hyperfocused on whether or not that user’s master password was leaked. If you concede that malware was used to accomplish the vault breach, then there would have been a number of different ways that the malware could have done its work, either with or without stealing the master password.

1 Like
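A small risk model for the two points made above: with "lock with master password on client restart" unchecked the vault sits on disk under a PIN-derived key, and a PIN's keyspace is tiny compared with a real master password. This is an added example, not code from the thread or from Bitwarden; the KDF throughput figure and the candidate secrets are assumptions chosen for illustration.

```python
import math

# Constructed risk model (added example, not Bitwarden's code). When the vault
# file is on disk encrypted under a key derived from the PIN, the PIN keyspace
# bounds the work needed by anyone who copies that file. The throughput below
# is an assumed figure for one machine, not a measurement of Bitwarden's KDF.
ASSUMED_KDF_GUESSES_PER_SECOND = 20_000.0

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of the given length over the alphabet."""
    return alphabet_size ** length

def entropy_bits(space: int) -> float:
    """Equivalent uniform-random entropy of a keyspace, in bits."""
    return math.log2(space)

def expected_seconds(space: int, rate: float = ASSUMED_KDF_GUESSES_PER_SECOND) -> float:
    """Mean time to reach a uniformly chosen secret: half the keyspace on average."""
    return (space / 2) / rate

def compare(candidates: dict) -> list:
    """Rows of (label, bits, expected seconds), weakest first."""
    rows = []
    for label, (alphabet, length) in candidates.items():
        space = keyspace(alphabet, length)
        rows.append((label, round(entropy_bits(space), 1), expected_seconds(space)))
    return sorted(rows, key=lambda r: r[2])

# Constructed candidates: digit PINs vs. a random lower-case password vs. a
# passphrase of 4 words drawn from a 7776-word (Diceware-style) list.
CANDIDATES = {
    "4-digit PIN": (10, 4),
    "6-digit PIN": (10, 6),
    "8 random lower-case letters": (26, 8),
    "4 random words (7776-word list)": (7776, 4),
}

if __name__ == "__main__":
    # Under the assumed rate: 4-digit PIN ~0.25 s, 6-digit PIN ~25 s,
    # 8 random letters ~60 days, 4 random words ~2900 years.
    for label, bits, secs in compare(CANDIDATES):
        print(f"{label:34s} {bits:6.1f} bits  ~{secs / 86400:12.2f} days")
```

The point for defenders is that keeping the restart-lock option checked keeps the PIN-encrypted copy out of the on-disk file, so the PIN's small keyspace only matters to someone who can already read the running process.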

Surely a keylogger or something with access to the clipboard would require root privileges. The software necessary to breach this target would have been capable with user privileges.

As well, there is less blame on the victim when we know his master password was not breached. People are quick to accuse such victims of using weak master passwords.

The clipboard can be accessed by any running process.

Furthermore, in Windows, user privileges are sufficient to read the memory of any running process (including the decrypted vault contents stored in the process memory of Bitwarden apps or browser extensions).

Most of the attack vectors proposed in my initial response would be effective also against a master password that is extremely strong, so I don’t know where this is coming from.

2 Likes