Hello. I have recently had many outside attempts (and several successful logins) to my various accounts over the past couple of weeks. I use the browser extension for Bitwarden, and I believe my computer was compromised after making the stupid mistake of running an application that was flagged as not trusted. Anyway, while going through and changing my major passwords I noticed that the “Last edited” tags at the bottom of every single one of my passwords are all at around the same date and time. Is this due to me changing my master password when I thought something was wrong? Or is this potentially an indication that my password list was somehow breached and “cloned” which caused the edited date to change? I have little clue how most cyber security stuff works, but I’ve been an anxious mess trying to clean all of this up and I was just wondering if anyone in the community had some insight. I worry that I may need to nuke my entire computer and go through changing every single one of my passwords that I’ve ever used, because I’m not quite sure how they’d be getting my login information otherwise.
I’m not sure whether your vault has definitely been breached, but I’m concerned that all your “Last Edited” fields “suddenly”(
) show roughly the same time, which isn’t normal. These are general advice only:
- Make password changes on a device that has NO MALWARE; otherwise the changes might not be effective.
- The surest way to remove malware is a fresh reinstall, without restoring apps/browser extensions from a sync. Less reliable options, depending on the malware, include restoring from a known-good image or doing a factory reset. You can also try an offline Windows Defender scan, external tools (like ESET Online Scanner or Kaspersky Virus Removal Tool), or ask for help at BleepingComputer’s malware removal forums.
- Look for clues about Bitwarden breaches by searching for “New Device Logged In” emails (and, if you don’t have 2FA enabled, emails titled “Your Bitwarden Verification Code”). The web vault’s Settings > Security > Devices will show past logged-in devices (though it doesn’t list IPs like the emails do).
Before making changes on the affected PC, confirm it’s malware-free. Start changing important accounts’ credentials from a separate device—perhaps your phone or a backup desktop.
ps: Regarding the date:
- Is the date recent
- Did you import your passwords into the vault on that date
Thank you very much! I’ve been changing important passwords on my phone and work computer exclusively, as I wasn’t sure of the status of my personal PC. I was at work when I suddenly started getting a ton of log-in requests, password reset notifications, and malicious recovery emails being added to various accounts. Definitely nerve-wracking, but immediately when I got home I disconnected my internet and ran the offline Windows Defender scan. It found and quarantined a “Trojan:Script/Wacatac.H!ml” on my personal PC.
I’ve been running deep scans with Bitdefender, Malwarebytes, and Kaspersky and on the initial go-through it quarantined ~6 files in some temp folder, but after that I’ve been able to find nothing else on my computer. I’m so paranoid that I keep running deep scans every couple of hours in hope/fear I’ll find something else, but is this completely pointless to do? I might just end up transferring whatever important files I have and then nuking my PC, but I’m also paranoid that whatever files I transfer may somehow be “infected”
After the initial attack I’ve only had a couple of other accounts that were broken into a week later (this week), but I’m constantly on edge just waiting for the next flood of notifications to come and wondering which accounts they’ve dug their fingers into. I haven’t seen anything regarding new devices logging into Bitwarden, but I can see that the last login to the webpage was May 4, 9:47:55 AM. This is around the time I started getting alarming notifications, so I’m hoping this is when I opened the webpage on my work PC to force log-out all devices and change my master password for Bitwarden. I’m worried that it may have been the “hacker” gaining access to my account, though.
Regarding the dates, they are all set to “Last edited: May 4, 2026, 9:49:27 AM”
The timing does look nice because it may be showing that I logged into the webpage at 9:47 and then changed my master password and secured my account at 9:49, but I’m not sure why doing so would change the “Last edited” date. I’ll try repeating the process and see if that updates the date, but as of late I’ve just been going through and changing every single password in my entire vault and running deep scans in the time being. I’m trying to research more advanced ways of rooting out malware, but this has all left me exhausted and I’m very busy with my job
I hate that people out there would do something like this 
Changing your master password won’t change last modification timestamp on items.
The only way to change the last modification timestamp massively by a single action is by importing an export into the vault, but that would also set the creation timestamp to the same value (I mean: imported items would have the same timestamp for “last edited” and “created”).
If all (or most) of your items have the exact same last modification timestamp (to the second) but different creation timestamps that would mean those items have been all modified at the same time (maybe with a script via bw CLI).
EDIT: these two paragraphs above are not true. There are other ways of changing that last modification timestamp massivelly.
For example:
- archiving
- unarchiving
- trashing
- taking out of the trash
a group of items will modify that timestamp on all of them at the same time.
Having previous vault backups would help an investigation by comparing items in those backups to the current ones (or better: to their state in the moment you detected a possible compromise, before you modified them I mean).
That’s why, in cases like this one (when you have an incident that you will want to investigate later [*]), it helps that future investigation to make a backup of the state of the vault just before rushing to start changing passwords. (This advice comes a bit too late for you, I know).
[*] later, after you have taken the necessary and urgent actions to prevent that incident from worsening; eg. by trying to eliminate possible access to your vault or your accounts to the hypothetic bad guys.
Running new scans won’t help unless whatever attacked your PC was so new that the latest virus definitions would suddenly detect malware they missed before. I think you’ve done as much as you can with automated scans. If I were you and still paranoid after all these scans, I’d ask for help on BleepingComputer or reimage/factory-reset/upgrade in place (keep data but not existing programs) or reinstall afresh.
Beyond what @kpiris mentioned about how a mass date change might have occurred, this still puzzles me.
One more tip: subscribe to the free Hudson Rock email monitoring for your Bitwarden/main email. They specialize in detecting infostealer thefts and may alert you if your credentials are being sold. Your vault breach is still unclear, however.
There are other ways of changing that last modification timestamp massivelly.
For example:
archiving
unarchiving
trashing
taking out of the trash
Hmmm okay, well I haven’t done archives (which is unavailable to free accounts like mine anyway) and I don’t think I’ve somehow mass-trashed and then removed everything from the trash without realizing. I have now created a backup of my current list though, so that will be nice to have for the future. Thank you for the tip! I’ve gone through 100+ emails so far and none of them appear to have been altered in my Vault because they worked for any sign-in attempts that I was making, so I’m completely at a loss as to why they’re showing up as “edited”
Running new scans won’t help unless whatever attacked your PC was so new that the latest virus definitions would suddenly detect malware they missed before. I think you’ve done as much as you can with automated scans.
And thank you @Neuron5569, that gives me a bit of peace for now. I think I’ll end up just wiping the computer completely and starting fresh because I don’t really have that much data anyway… I keep any important important files on a set of hard drives that I keep disconnected from my PC, so thankfully those should be clean. I’ll sniff around on BleepingComputer for some tips on how to make sure everything goes smoothly. This looks like a great resource that I’ve never seen before, so again, thank you for the recommendation. I’m reaching out to the Bitwarden support team to see if they have any insight on the “mass-editing” of Vault entries, because I really would like to get to the bottom of this. I haven’t noticed anything suspicious the past couple of days, so fingers crossed I have it relatively under control 