I have noticed that one of my accounts was compromised about one or two days before that article was published, and I assure you, it was impossible to be compromised on my side.
It was not possible to brute-force my credentials or use dictionary attacks on them. Keyloggers and any sort of other cyber attacks are out of the question as I only used the account on a secured Linux install, whose sole purpose is to have a clean environment for any sort of tasks which require security. If someone had access to that device, they would not need any of my Google accounts to begin with. Moreover, although the account was used there, it does not equate to actively logging myself in. It had been over 6 months before that incident since I entered any sort of login information for that account in that system, and it was never used anywhere else.
The account was not using 2FA, and I kept getting logged out due to a suspicious login. Regardless of what I changed the password to, someone kept recovering my account with the previous password until I added 2FA. I never had any issues afterwards, and that was the only time my security was “compromised”. I’m not gonna lie, I suspected that the fault was with Google even before the incident, because just days before that it behaved oddly, and I was proven right a few days after the incident.
Google was hacked a while ago this year. Someone released an article about it, but it soon got buried in the search engine and I can’t seem to find it anymore… they did a good job at covering it up. There were no known leaks from that hack and it’s unlikely that the sources which Bitwarden uses have any data on it since Google did not release any data about the users affected or their credentials. Those credentials were not released on the black market either. It was deemed a governmental attack and it has not been spoken about since.
A few other people I know had an issue similar to mine. It may have been an isolated event, although the article said otherwise and the people I know are from various places in the world, but whoever talked about it was clearly silenced because I didn’t see people complaining about it.
Big companies like Google will often hide their data breaches to keep their image “clean”. There’s also the uncertainty of how many people were affected if you can’t find any sort of logs about what happened to help you with that. Also, not every hacker is looking to publicly share what they get from an attack. When those things go together, we as the clients of those services can end up in very difficult positions.
What you’re experiencing is very likely that Google flagged some passwords in their database as affected, but kept silent about it being their fault. It could also be that the agreement they have with Facebook would include sharing data about such things, which could give them access to a bigger database of flagged accounts, since Facebook was hacked quite often in the past years. Since they managed to get an agreement with Facebook, they likely have agreements with others as well, but those are much more difficult to spot.
Just because Bitwarden uses a trusty source, it does not mean that it is complete. If your credentials are flagged, it’s likely because they have been compromised. If they are not flagged, it does not mean that they are not compromised.
To this day, I did not find any traces online of my account being compromised, but it was, and I was not the only one that had those issues at around the same time.
Now the question is… are you going to risk it and believe one service over another, or are you going to play it safe as you should and do what is logical in such a situation? Just change those credentials. It takes a minute and you’re on your way. If anything, you should be glad that one of them alerted you.