A vault breach usually means a user’s mistake, one way or another, and trying to figure out the likeliest vector of attack will probably always look like victim-blaming, especially to victims who seem more intent on looking beyond their own behaviors as possible causes. If it wasn’t a master password, it’s going to be 2FA, or other things such as those listed above.
Another alternative is a BW vulnerability. Now, there’s money in that, if one can satisfy HackerOne’s requirements.
By chance, does your Trash or your Downloads folder contain an (old) copy of a vault export (JSON or CSV)? If so, does it by chance have the same items as the email you received?
@DenBesten The victim of this breach is not present here in this Community Forum thread — this is just a discussion of an event that was recently reported on Reddit.
The OP of the Reddit thread (/u/Butterscotch-Clouds) has indicated that they locked their vault using a PIN, and stored the PIN-protected encryption key in the local vault cache (by disabling the option to lock with master password on restart). This would render them vulnerable to both info-stealing malware and evil maid attacks.
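To make concrete why a PIN-wrapped key that persists in the local cache is exposed to info-stealers and evil-maid access, here is an added toy model. It is not Bitwarden’s code or on-disk format: the XOR-plus-HMAC wrapping, the iteration count and the sample PIN are all constructed for illustration. The point it shows is that once the wrapped key leaves the machine with the attacker, the only thing standing between them and the vault key is an offline search of the PIN space, with nothing to rate-limit it.

```python
"""Toy model (not Bitwarden's scheme) of a PIN-wrapped vault key left in a local cache."""
import hashlib
import hmac
import os
import time

ITERATIONS = 200  # constructed: deliberately low so the demo finishes in seconds


def derive_kek(secret: str, salt: bytes) -> bytes:
    """Key-encryption key derived from the unlock secret (a PIN or a password)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, dklen=32)


def wrap_vault_key(vault_key: bytes, secret: str) -> dict:
    """What the cache holds when 'unlock with PIN' keeps the wrapped key on disk.
    Constructed scheme: XOR wrap plus an HMAC tag, so a wrong secret is detectable
    offline by anyone who has the file."""
    salt = os.urandom(16)
    kek = derive_kek(secret, salt)
    wrapped = bytes(a ^ b for a, b in zip(vault_key, kek))
    tag = hmac.new(kek, wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap_vault_key(cache: dict, secret: str):
    """Return the vault key if `secret` is correct, otherwise None.
    This check is all an attacker holding a stolen cache needs to run."""
    kek = derive_kek(secret, cache["salt"])
    expected = hmac.new(kek, cache["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, cache["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(cache["wrapped"], kek))


def brute_force_pin(cache: dict, digits: int = 4):
    """Offline search of every numeric PIN of the given length against the cache.
    Returns (pin, number_of_guesses) or (None, keyspace) if nothing matched."""
    for guess in range(10 ** digits):
        pin = f"{guess:0{digits}d}"
        if unwrap_vault_key(cache, pin) is not None:
            return pin, guess + 1
    return None, 10 ** digits


def seconds_to_exhaust(keyspace: int, seconds_per_guess: float) -> float:
    """Worst-case time to try every candidate secret at the measured rate."""
    return keyspace * seconds_per_guess


if __name__ == "__main__":
    vault_key = os.urandom(32)              # constructed stand-in for the symmetric vault key
    cache = wrap_vault_key(vault_key, "4711")  # the PIN itself is never stored; only its wrap leaks

    start = time.perf_counter()
    pin, attempts = brute_force_pin(cache)
    elapsed = time.perf_counter() - start
    assert unwrap_vault_key(cache, pin) == vault_key
    print(f"PIN {pin} recovered after {attempts} guesses in {elapsed:.1f}s")

    per_guess = elapsed / attempts
    print(f"4-digit PIN keyspace exhausted in {seconds_to_exhaust(10**4, per_guess):.1f}s")
    # Same attack against a 5-word passphrase from a 7776-word diceware list, for contrast
    years = seconds_to_exhaust(7776**5, per_guess) / 3.154e7
    print(f"5-word diceware passphrase would take about {years:.2e} years")
```

Run it as a script and the PIN falls out in a few seconds; the final line shows why the same offline search is hopeless against a master password with real entropy, which is exactly the trade-off the "lock with master password on restart" option governs. A real implementation uses a far higher work factor and authenticated encryption, but that only scales the PIN case from seconds to minutes.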
As was always most likely and predicted, the problem was user error (or choice) regarding personal security practices and personal vault security, rather than an important issue for Bitwarden’s attention. This is not victim-blaming, it is first attention to likely modes of failure.
Being careful about trade-offs between convenience and security, and protecting against likely attack vectors rather than gold plating the already case-hardened, needs attention from even the most experienced users.
Found this thread from a Google search, and created an account just to say that there could be something for an attacker to gain by changing the master password, and that would be locking a user out of all of their accounts and making it difficult for them to do damage control. Imagine someone who doesn’t make local backups of their vault and who doesn’t remember all of the services for which they have a password in the password manager. Once you get access to their vault, be as stealthy as you can until you do something that will inevitably raise an alarm to them. Then, change the master password and lock them out of their vault. If they (correctly, in this case) assume their vault has been compromised, they now have two obstacles to overcome:
Remembering all the websites they had in their password manager
Contacting all of those websites and changing the password, without knowing their current password
All the while, you can continue to do harm. If the user fails to remember every website they had in their password manager, you could potentially do harm indefinitely.
Anyway, I’m being pedantic, but I’m also pointing it out because it’s a risk worth considering. Clearly, from the information provided in the original post, it was possible that the attacker had the master password and decided not to lock the user out, and it was also possible that the attacker didn’t have the master password and couldn’t lock the user out of their vault if they wanted to.
On the other hand, an attacker who has the ability to change the master password also has the ability to delete the account outright. Such an attacker could also easily make a local vault export before deleting the account, so there doesn’t seem to be much benefit to locking the user out by changing the master password.
I see your point. And I wouldn’t exclude that scenario completely. But I still think that the “normal criminals” probably want to make a lot of money as fast as they can. What you describe sounds like far too much effort for a regular criminal.
And I think we shouldn’t forget that everything they do leaves traces - and can potentially be used against them. Contacting all websites and changing the passwords? Lots of possibilities to maybe get trackable data from the criminals. (And they could lock users out of their accounts - all accounts, or the single ones that bring the most money - even without locking them out of Bitwarden/the password manager… the vault would then hold the wrong password… then the criminals could play this game even longer…)
[PS: And even I myself don’t want to go through my complete vault and change most or all passwords, because it would cost me days and potentially weeks until I’m finished… - apart from the point that it is not even recommended to change passwords frequently without a reason]
What you describe, I can imagine when a single person is a “high potential target” - rich (blackmail/extortion…), political influence (blackmail/extortion again…), strong personal interests (e.g. the ex-partner who wants to “destroy” the former partner)… that may happen… - but that’s not the broad kind of attack used. (And again, all of those things would also be possible by taking over only a few sensitive accounts of the target person, and not necessarily by also shutting the person out of their Bitwarden account - but again, I don’t say by that that it could never happen.)
That being said, you should of course try to protect yourself so that you possibly don’t get hacked. And protect your Bitwarden account as well as you can.
Agreed. A “normal criminal” will seek their own benefit (most of the time, economic benefit) rather than doing harm to their victim for the sake of doing harm. Unless it is someone who “hates” their victim.
Well, the slightest suspicion that your password vault has been compromised, I think, would count as a reason.