Bitwarden Master Password Leaked In Breach

On my mobile, Avast informed me that I had a leak, labeled “Russian Password Stealer”, dated Nov. 4th, which showed my Bitwarden login username AND Master Password.

Naturally, I immediately changed my Master Password on all my BW apps.

I’m baffled how this could have happened. It makes me wonder just how secure Bitwarden is. Am I going to have to go through all my logins and change their respective passwords, just to be safe?

The breach won’t have come from Bitwarden. Were you using a strong, unique password for your Bitwarden account?

You may want to google “Russian Password Stealer” and “Russian Password Stealer 2021” to get a bit more information. If this information is true, you may have something installed on your device that is the culprit behind the leak of your password. You should also be considering using a two-factor authentication method on important logins and Bitwarden. (Don’t use the ‘mobile’ as a link in doing this!)

I would also stop using the ‘mobile’ for anything but phone calls and simple web browsing (looking only at weather and news) until you have this straightened out!

IF you are a high-profile target, you may also need the services of a good security firm.

@frank1940: I should’ve mentioned, yes, I am using 2FA, so I just realized that even if a culprit had my MP, they couldn’t get past that. In theory, anyway.

@danmullen: I would like to think that my MP was long and strong enough but apparently not, alas. I used a phrase that I could easily remember, including upper and lower case letters along with numbers, but no special characters.

Just to employ the CYA Principle, I am currently running complete rig scans in both ESET and Malwarebytes. Let’s see if anything untoward comes up. I should think not, since this is a fairly recent clean install.

Thanks for your quick replies, Frank and Dan.


Was this an outside message from Avast where they ‘found’ your login name included in a list of compromised passwords OR was it an internal message from an Avast scan of your device itself?

The problem I have is that your Bitwarden master password is hashed before it leaves your device and hits the internet. This would imply that it was compromised somehow inside of your device. (Keylogger or the memory recovery method that the ‘Russian Password Stealer’ is using.)

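The point made above about the master password being hashed before it leaves the device can be seen in working code. The following is an added example, not code from this thread or from Bitwarden, that reproduces the client-side derivation scheme described in Bitwarden's public security whitepaper (PBKDF2-SHA256 over the master password with the lower-cased email as salt to get the master key, then one further PBKDF2 round salted with the password to get the login hash that is sent to the server, which re-hashes it with its own random salt). The iteration counts, the `FakeServer` class, and the sample email and password are assumptions made for the demo; real clients let the user configure the client iteration count.

```python
import hashlib
import hmac
import os

# Assumed iteration counts for the demo. Real Bitwarden clients make the
# client-side count user-configurable; the server-side count is set by the server.
CLIENT_ITERATIONS = 600_000
SERVER_ITERATIONS = 600_000
KEY_LEN = 32  # 256-bit outputs


def derive_master_key(master_password: str, email: str,
                      iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Client-side master key: PBKDF2-SHA256(password, salt=normalised email).

    This key protects the vault's symmetric key and never leaves the device.
    """
    salt = email.strip().lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, KEY_LEN)


def derive_login_hash(master_password: str, email: str,
                      iterations: int = CLIENT_ITERATIONS) -> bytes:
    """What the client actually transmits at login.

    One extra PBKDF2 round over the master key, salted with the password, so the
    value on the wire is neither the password nor the vault-decrypting key.
    """
    master_key = derive_master_key(master_password, email, iterations)
    return hashlib.pbkdf2_hmac("sha256", master_key,
                               master_password.encode("utf-8"), 1, KEY_LEN)


class FakeServer:
    """Stand-in for the server side (assumption for the demo, not Bitwarden's code).

    It only ever receives the login hash and stores a salted re-hash of it, so a
    dump of its records yields neither the password nor the master key.
    """

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def register(self, email: str, login_hash: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt,
                                     SERVER_ITERATIONS, KEY_LEN)
        self._records[email.strip().lower()] = (salt, stored)

    def verify(self, email: str, login_hash: bytes) -> bool:
        record = self._records.get(email.strip().lower())
        if record is None:
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, salt,
                                        SERVER_ITERATIONS, KEY_LEN)
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(candidate, stored)

    def dump(self, email: str) -> tuple[bytes, bytes]:
        """Simulates a server-side breach: everything the server has for a user."""
        return self._records[email.strip().lower()]


if __name__ == "__main__":
    # constructed sample credentials for the demo
    email, password = "user@example.com", "correct horse battery staple 42"
    server = FakeServer()
    server.register(email, derive_login_hash(password, email))
    print("login ok:", server.verify(email, derive_login_hash(password, email)))
    print("wrong pw:", server.verify(email, derive_login_hash(password + "!", email)))
    salt, stored = server.dump(email)
    print("server holds only salt+hash:", salt.hex(), stored.hex())
```

The practical consequence for the thread is the one the reply states: a leak of the plaintext master password cannot have come out of the server side of this design, because the server never receives it. Whatever saw the plaintext was on the client, before this derivation ran (keylogger, clipboard or screen capture, a fake login page, or a reused password on another site).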

The source of info was from within Avast Mobile itself, under the heading of “hack alert” where it scans the interwebs for such things.

As mentioned in a previous response, I ran a full scan with ESET and MalwareBytes (and then SuperAntiSpyware and MS Defender), and the ESET results came up with nothing that would indicate a keylogger-type nasty (as far as I could tell), just a “variant of Win32/QHost Trojan” in my custom HOSTs file and a “variant of Win32/KingSoft.I potentially unwanted application” for a Wise Driver Care installation .exe file. From what I’ve researched, these could very well be false positives, but I can’t be too sure. They’ve all been quarantined just in case.

Still not clear how the BW MP ended up on a naughty list.

I’d suspect that you either have a keylogger/virus infecting your machine or that you’ve re-used your Bitwarden login/password combo on another site that has been hacked. I seriously doubt that they deduced this info from Bitwarden itself. If that was the case (and that’s a big “if”) then we would be hearing about other people having the same issue.

Since the master password to every Bitwarden vault never leaves the client’s device, it is certain that your credentials were not obtained from a Bitwarden server. If you are CERTAIN that your BW master password was unique, then the opinions above that you have some form of keylogger or other piece of malware that captures your credentials at login are very plausible explanations. It could also be that your Hosts file was modified to send you to a phishing site that looked like Bitwarden, and without knowing, you entered your BW login credentials as you would normally.

The good news is that if you didn’t get any email notices that a login was detected on an unrecognized device, you’re probably okay. But you may still be open to the same vulnerability, so I hope you find the cause soon.

This is scary stuff, so if you do find out, please let us know as I’m sure everyone here would be very interested to know.

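The hosts-file redirect suggested above is straightforward to check for, and the check distinguishes the benign case (an ad-blocking hosts file that pins thousands of domains to `0.0.0.0`, which is often what triggers a Qhost-style detection) from the dangerous one (a sensitive domain pointed at a routable address). The following is an added example, not from this thread or from Bitwarden or ESET; the watched-domain list, the `audit_hosts` function and the sample hosts file are assumptions constructed for the demo.

```python
import ipaddress
import os
from pathlib import Path

# Assumed watch list: domains whose hijack would let a fake login page be served.
WATCHED = ("bitwarden.com", "vault.bitwarden.com",
           "api.bitwarden.com", "identity.bitwarden.com")


def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file.

    Handles comments, blank lines, several hostnames per line and IPv6 entries.
    Lines whose first field is not a valid address are skipped rather than
    raising, since real hosts files often contain junk.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield line_no, ip, host.lower().rstrip(".")


def is_watched(host: str, watched=WATCHED) -> bool:
    """True for the domain itself or any subdomain of it."""
    return any(host == w or host.endswith("." + w) for w in watched)


def audit_hosts(text: str, watched=WATCHED):
    """Return (line_no, host, ip, verdict) for every watched domain in the file.

    'redirected': mapped to a routable address, i.e. traffic for the domain is
                  silently sent somewhere else (phishing / interception risk).
    'blocked':    pinned to loopback or 0.0.0.0; breaks access but cannot
                  serve a fake page (the usual ad-block pattern).
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if not is_watched(host, watched):
            continue
        verdict = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((line_no, host, str(ip), verdict))
    return findings


def system_hosts_path() -> Path:
    """Location of the live hosts file on Windows and on Unix-like systems."""
    if os.name == "nt":
        return Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32" / "drivers" / "etc" / "hosts"
    return Path("/etc/hosts")


# Constructed sample hosts file for the demo (not the poster's actual file).
# 203.0.113.10 is a documentation-range address standing in for an attacker host.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # typical ad-block entry: harmless
203.0.113.10    vault.bitwarden.com      # silent redirect: this is the phishing setup
0.0.0.0         api.bitwarden.com        # breaks sync, but cannot serve a fake page
"""


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("sample:", finding)
    path = system_hosts_path()
    if path.exists():
        for finding in audit_hosts(path.read_text(errors="replace")):
            print("live hosts file:", finding)
```

Run it with the watch list extended to your email provider and bank as well; a `redirected` finding for any of them means a browser on that machine was reaching the attacker's server under the genuine hostname, which is exactly the scenario in which a manually typed master password is captured without any keylogger. Note that a hosts entry cannot forge the site's TLS certificate, so the redirect only works if the victim clicks past a certificate warning or the fake page is served over plain HTTP.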

As best I can deduce, and from what others have said, it must’ve been some time in the near past when I quite possibly had a keylogger in my rig unbeknownst to me. I did have a hard-as-heck-to-remove nasty which very well might’ve been the culprit. David H, I believe you’re on the right track with your conclusion.

It was a unique password, used nowhere else, but also likely unusable since I use 2FA. I’ve seen no apparent misuse or any other anomalies occur, so I believe I can conclude this is a one-off, since no nasties are currently in my system.


If that’s the case - and it does sound plausible - I would think very carefully about any credentials you may have entered in sites and apps manually, and also any emails you’ve sent or anything sensitive you may have typed. If you had a keylogger on your system and don’t know what time period it was there for, I’d consider changing any important account passwords, just in case.

Duly noted, and I shall do just that, and even though I always used Bitwarden to “fill in the blanks”, your excellent advice is well worth heeding.

Thank you all for your concern. It’s comforting to know that someone in the Great Out There cares.


SO the notification was the result of detection of a disclosure of the login and PW that was external to this device. (There are lists of logins and passwords that can be purchased on the ‘dark’ web. It is possible that yours— your e-mail login was the match that keyed the discovery— was on one of these lists.) Do you use Bitwarden on more than one device? If you do, you want to check those devices also.

What I am trying to say is that you heard about it on your mobile device but that does not mean that the compromise didn’t happen on some other device-- like a desktop or laptop.


Right, I have BW on desktop and mobile, and it’s the only password of any kind that I would’ve manually entered, at least as far as memory serves.

To reiterate, I suspect I caught a nasty on my desktop from a malicious file (from a sketchy source, entirely my fault) which MS Defender had the most wicked time trying to quarantine, and only ESET could remove. I also suspect a naughty entrance into my HOSTs file that might’ve compromised my rig, as that was one of the things removed by ESET (Win32/Qhost variant). I can only conclude that a keylogger found its way into my system through one of those two avenues.

I’ll be dipped: I just ran ESET again, and ffs, that Qhost thing showed up again. I nuked my HOSTS file and rebuilt it. WTH, smh.

When these things ‘come back’ after being removed, it is probably time to google the infection with terms like ‘remove’ and/or ‘returns’ to see if there are other ways to remove it. (I remember one time there was one ‘nasty’ that had another hidden process checking to see that it was still installed. After we thought it was ripped out, we renamed a simple genealogy calendar program as the ‘nasty’ and made it “read-only”. Served two purposes-- prevented a reinstall and would alert the user that the ‘nasty’ was back trying to do its thing. Probably would not work today but it did back then…)