Suspected malicious attack.
Any chance you have another device that is already logged in? Do you remember the master password? If you do, then you may want to delete the app (Android, etc…) and re-install it. You can easily sync the new app install to the BW cloud as long as you know the credentials.
If you have positively backed up your vault to a CSV file, you have the option to delete your account and then create it again by simply importing the saved vault CSV. This is a last-ditch effort, and before deleting your account be certain you have the “goods”. If you do, the process is super easy.
If you do NOT have a saved backup CSV, make sure that you create one if you are able to get back into your vault. Same for all reading this thread.
I can clearly recall the password I set. I also set the hint. Got the initial welcome mail and email verification mail etc. All of a sudden I found I cannot access the vault with my password. Looks suspicious to me.
As far as the backup is concerned, I have a backup and frankly that is not of concern. The biggest concern is somebody might have seen my plaintext passwords.
Well, the security loophole is, if the master passcode is leaked somehow, Bitwarden does not ask for 2FA when you change the email address. That is wrong!
Say I have previously opened my Bitwarden vault with email ID ‘ABC’.
Now, to change it to ‘PQR’, it only requires the master password and sends a verification code to the new mail address, i.e. to PQR.
It does not send any notification to ABC, nor does it ask for any 2FA code to do that.
In short, to hijack your Bitwarden account, someone simply needs to know the 1-factor auth key, which is your master password. That is bad.
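The flow the post above describes (master password alone authorizes an email change, the only verification code goes to the new address, the old address is never told) modelled beside a step-up version that also demands the account's second factor and notifies the previous address. This is an added, self-contained illustration, not Bitwarden's code or a description of its implementation; the function names, the in-memory `Outbox`, the PBKDF2 verifier, and the sample account (`ABC@example.com`, the RFC 6238 test secret) are all assumptions made for the example.

```python
"""Email-change authorization modelled two ways: the weak flow as the post
describes it, and a step-up flow requiring the second factor plus an
old-address notice. Illustrative model only; all names are assumptions."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    # Server-side verifier for the master password (iteration count kept low for the demo).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 TOTP over RFC 4226 HOTP (HMAC-SHA1, dynamic truncation).
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    totp_secret: Optional[bytes] = None  # None means no second factor enrolled


@dataclass
class Outbox:
    # Constructed stand-in for the mail system; records (recipient, subject) pairs.
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


def _password_ok(acct: Account, master_password: str) -> bool:
    return hmac.compare_digest(hash_password(master_password, acct.salt), acct.pw_hash)


def change_email_weak(acct: Account, outbox: Outbox, master_password: str, new_email: str) -> bool:
    """Flow as the post describes it: the master password alone authorizes the
    change, the only code goes to the NEW address (which the requester controls),
    and the old address hears nothing. The verify-the-new-address round trip is
    collapsed into this call because it adds no check the requester can fail."""
    if not _password_ok(acct, master_password):
        return False
    outbox.send(new_email, "verification code")
    acct.email = new_email
    return True


def change_email_hardened(acct: Account, outbox: Outbox, master_password: str,
                          totp_code: Optional[str], new_email: str, unix_time: int) -> bool:
    """Step-up flow: when a second factor is enrolled, a fresh TOTP code must
    accompany the request, and the previous address gets a notice so the real
    owner learns of the change even if the master password was stolen."""
    if not _password_ok(acct, master_password):
        return False
    if acct.totp_secret is not None:
        expected = totp(acct.totp_secret, unix_time)
        if totp_code is None or not hmac.compare_digest(expected, totp_code):
            return False
    old_email = acct.email
    outbox.send(new_email, "verification code")
    outbox.send(old_email, "security notice: email change requested")
    acct.email = new_email
    return True


def make_sample_account() -> Account:
    # Constructed sample account, enrolled in 2FA with the RFC 6238 test secret.
    salt = b"constructed-salt"
    return Account("ABC@example.com", salt, hash_password("correct horse", salt),
                   b"12345678901234567890")


if __name__ == "__main__":
    acct, out = make_sample_account(), Outbox()
    # Password alone is enough in the weak flow; ABC@example.com is never contacted.
    print(change_email_weak(acct, out, "correct horse", "PQR@example.com"), out.sent)
    acct, out = make_sample_account(), Outbox()
    # Same credentials fail the hardened flow without the TOTP code...
    print(change_email_hardened(acct, out, "correct horse", None, "PQR@example.com", 59))
    # ...and succeed with it, while the old address is notified.
    print(change_email_hardened(acct, out, "correct horse", totp(acct.totp_secret, 59),
                                "PQR@example.com", 59), out.sent)
```

Run as a script to see both flows side by side. The difference worth noting is in the hardened path's two extra effects: a second factor bound to the same request (a password leak alone no longer suffices), and a notice to the address being replaced, which is the only way the legitimate owner finds out about an attempted takeover.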
If you have 2FA set up, even if they manage to change your email address surely they would need that second factor in order to access your vault?
You are correct.