Do I need to change all my passwords?

I recently fell victim to a robbery where I was compelled to surrender my Android phone (and its password), along with one of my bank passwords for unauthorized transfers, a truly harrowing ordeal, to say the least.

To provide some context, I'm uncertain about the specific vault timeout, but I hadn't used the Bitwarden app for a minimum of 6 hours prior to the incident, and I had the biometrics login on Bitwarden enabled. Following the theft of my phone, my Google password was altered (likely due to the 2FA SMS), and my device seemed to have gone offline. It took me several hours to regain access to my Google Account, as I had to activate my number on a new device.

In addition, I had some passwords saved in Google, simultaneously with Bitwarden (though never the Bitwarden master key). Given that my phone was offline and unprotected after this incident, it seems prudent to consider changing those passwords, but what about those that are only in Bitwarden? Could the criminal also use my Android password to set up a new biometric profile and gain access to Bitwarden?

2 Likes

I think that with the phone and its unlock password, the thief can unlock your vault with biometrics by registering their own fingerprint on Android (the phone unlock password is needed for that).

If you had your Bitwarden account logged in but locked on the phone, I think the thief could unlock it with their own fingerprint.

So, regarding Bitwarden, first of all I would log in to the web vault, change my master password and force a logout of all sessions.

Then I would change all my passwords (beginning with the most important ones), because I think you cannot be sure whether the thief has accessed your Bitwarden account by unlocking it on your stolen phone.

2 Likes