I’ve been using Bitwarden for a few years, and for the first time today got this email:
“Additional security has been placed on your Bitwarden account.
We’ve detected several failed attempts to log into your Bitwarden account. Future login attempts for your account will be protected by a captcha. If this was you, you can remove the captcha requirement by successfully logging in.
If this was not you, don’t worry. The login attempt was not successful and your account has been given additional protection.”
Is that official? It makes me nervous to think someone has been trying to log in to my account. But my main password is very long and random; I remember putting it in one of those password testers, and it said something like a million quadrillion years or something! I also have 2FA on all my main accounts: email, anything to do with money, etc.
Should I be worried? Also, when I tried to log in using my browser it worked as normal, there was no captcha? And how would a captcha help anyway?
Hey there, there is a built-in system for when there are too many failed attempts, but for official support please use Get in Touch | Bitwarden. If you think someone is trying to access your account, you may want to update your master password: Your Master Password | Bitwarden Help & Support
Please note, it is always a good idea to ensure you have safely backed up your account before making any changes.
Turn on 2FA for your Bitwarden vault if not already. 2FA is a must for securing something which keeps all your other passwords. Print the 2FA recovery codes and keep them in a secure place like a safe.
Since you received only an “unsuccessful attempt” email, that means your vault should be safe. Though it’s wise to consider changing your master password if you think it could have been leaked, at the cost of having to memorise the new master password so that you don’t forget it.
Also, as an additional safeguard, avoid using the email which you give out to your friends or use for any other websites for your Bitwarden vault. I have a separate email for accessing my Bitwarden vault which I don’t share on any websites or with friends. Use that email only, along with alias services for other websites to mask your real email.
Hope it helps!
I had a Bitwarden account for some time but I hadn’t used it. A couple of days ago I wanted to revisit and start using it. In the evening of the same day that I logged in, I received the same email, with an IP that traces to Vietnam (I am not Vietnam-based).
Could someone enlighten us how this could be happening? Is there any explanation why someone would try to hack our account on the same day that we showed any activity, other than our computer being compromised or being targeted by a hacker?
The system does generate an email if there are too many failed attempts. It is important to have a strong master password and enable two-step login on your account. You can also change your master password at any time, just ensure you are backing up your vault before making any account changes. You can find a useful user guide here.
Hi, no I wasn’t using a VPN and I wasn’t trying to log in at that time. Last time I had logged in was 2-3 hours prior, and I didn’t have multiple failed attempts so I doubt it was due to my attempts.
I used Bitwarden on a PC, MacBook and iPhone; not sure if any of these are known to cause failed attempts remotely.
I am doing a full scan with Defender right now, it hasn’t spotted anything with the previous scans. I am generally careful, trying to stick to reputable sites and open only reliable files…
Defender is a good start, but you may want to follow up with Malwarebytes.
However, your computer may be fine. All it would take for an attacker to unsuccessfully attempt a Bitwarden login is to know (or guess) your email address and to know (or guess) that you are a Bitwarden user.
Has your email address been disclosed in public (e.g., on social media or internet forums) or in a data breach (check by entering your email address at Have I Been Pwned?)? Alternatively, would your email address be easy to guess using a dictionary attack (e.g., [email protected])?
The most concerning aspect is the coincidence of the timing. Thus, it is possible that someone “observed” your earlier login to Bitwarden. A keylogger is unlikely (because in that case, they would also know your Master Password, and their login attempts would not have been unsuccessful). However, is it possible that someone was “shoulder surfing” (i.e., watching your computer screen) when you logged in, or that your computer screen was in view of a surveillance camera when you logged in? Alternatively, did you use a WiFi connection when you logged in? The attacker could be someone local, who then used a VPN to make it appear that they were in Vietnam when they attempted to log in to your Bitwarden account.
Thanks, yes my email had definitely been leaked before but it’s the timing I find so suspicious as well. I can’t reject it being a coincidence but it’s very unlikely. I was hoping it was a known behaviour, that somehow when an account becomes active again it is visible somewhere, rather than my computer being “observed”.
Not sure what exactly you are envisioning in the statement above, but Bitwarden would (presumably) not be sending out an email with very specific language (“Additional security has been placed on your Bitwarden account. We’ve detected several failed attempts to log into your Bitwarden account.”) if there was some routine notification when inactive accounts become active again.
Another avenue to check is whether the email message that you received is legitimate, or potentially a phishing attempt. Check the full message headers and ensure that the email originated with bitwarden.com. Again, though, the timing (unless purely coincidental) suggests that your computer activity was “observed” (at least in part). Did you log in to Bitwarden from an Internet Cafe or other public WiFi network? Were any other people in the same room while you were logged in to Bitwarden?
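One way to do the header check suggested in the reply above, as an added example that is not from anyone in this thread and not Bitwarden’s code: parse the raw message, confirm the From domain, and then read only the Authentication-Results line that your own mail provider stamped (an attacker can add their own Authentication-Results upstream, so the authserv-id has to match your provider). The two sample messages are constructed, the provider name mx.yourmail.test is assumed, and bitwarden.com is the sending domain the thread names.

```python
import email
import re
from email.utils import parseaddr

EXPECTED_DOMAIN = "bitwarden.com"   # domain the thread says the mail should come from
MY_AUTHSERV_ID = "mx.yourmail.test"  # assumed: the authserv-id your own provider writes

# Constructed sample: headers of a legitimate-looking notification (values made up).
SAMPLE_HEADERS = """\
Return-Path: <bounce@notify.example.test>
Received: from mail.notify.example.test (203.0.113.5) by mx.yourmail.test
Authentication-Results: mx.yourmail.test;
 spf=pass smtp.mailfrom=notify.example.test;
 dkim=pass header.d=bitwarden.com;
 dmarc=pass header.from=bitwarden.com
From: Bitwarden <no-reply@bitwarden.com>
To: you@yourmail.test
Subject: Additional security has been placed on your Bitwarden account

Body text here.
"""

# Constructed sample: a look-alike domain that passes SPF/DKIM for itself only.
PHISH_HEADERS = """\
Return-Path: <x@bitwarden-support.test>
Authentication-Results: mx.yourmail.test;
 spf=pass smtp.mailfrom=bitwarden-support.test;
 dkim=pass header.d=bitwarden-support.test;
 dmarc=none header.from=bitwarden-support.test
From: Bitwarden Security <security@bitwarden-support.test>
To: you@yourmail.test
Subject: Additional security has been placed on your Bitwarden account

Body text here.
"""


def _domain_matches(domain, expected):
    return domain == expected or domain.endswith("." + expected)


def check_sender(raw_message, expected_domain=EXPECTED_DOMAIN, authserv_id=MY_AUTHSERV_ID):
    """Return a dict of individual checks plus an overall verdict."""
    msg = email.message_from_string(raw_message)
    results = {}

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    results["from_domain_ok"] = _domain_matches(from_domain, expected_domain)

    # There may be several Authentication-Results headers (one per hop);
    # trust only the one whose authserv-id is your own provider.
    auth = ""
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\s+", " ", value)          # unfold continuation lines
        if value.split(";", 1)[0].strip().lower() == authserv_id.lower():
            auth = value.lower()
            break
    results["auth_header_found"] = bool(auth)

    dkim = re.search(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", auth)
    results["dkim_ok"] = bool(
        dkim and dkim.group(1) == "pass" and _domain_matches(dkim.group(2), expected_domain)
    )
    dmarc = re.search(r"\bdmarc=(\w+)", auth)
    results["dmarc_ok"] = bool(dmarc and dmarc.group(1) == "pass")

    results["looks_legitimate"] = all(
        results[k] for k in ("from_domain_ok", "auth_header_found", "dkim_ok", "dmarc_ok")
    )
    return results


if __name__ == "__main__":
    print("legit sample :", check_sender(SAMPLE_HEADERS))
    print("phish sample :", check_sender(PHISH_HEADERS))
```

Paste the full source of the message you received into `raw_message`; most mail clients expose it as “show original” or “view source”. A DKIM pass for a look-alike domain is still a fail here, which is the case the second sample covers.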
Alright thanks for helping out. I can’t think of any insecure place where I made it visible, so I was trying to see if this is a widespread phenomenon, maybe if they use crawlers or something equivalent to see which accounts are active.
If something else comes up I’ll contact the support team.
Today I received an e-mail alerting about failed attempts on my main e-mail, and at first, I thought I was in trouble.
But, it was nothing, just someone trying to steal my info using an IP from India.
Glad to have taken this approach of using a very specific plus email address that I never used on any other website.
So, it’s an extra layer of security and there is almost no chance (or even zero) of the login being leaked and compromising my vault on Bitwarden.
Glad that Bitwarden doesn’t reveal whether an account exists or not: it allows trying the login on any email address you type, and after a few failed attempts the owner of the e-mail is notified and some extra security is applied to prevent brute-forcing your password.
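To make the mechanism described in this last post and in the original e-mail concrete, here is an added example of a failed-login guard. It is not Bitwarden’s code; the threshold of 5 failures, the 15-minute window and the account store are assumed. Unknown and known addresses get the same "invalid" response and the same password-hash work, failures are counted per address, the captcha requirement switches on at the threshold, the owner is notified once, and a successful login clears everything, matching the “remove the captcha requirement by successfully logging in” wording quoted at the top of the thread.

```python
import hashlib
import hmac
import os
import time
from collections import deque

CAPTCHA_THRESHOLD = 5        # assumed; the thread does not state the real limit
WINDOW_SECONDS = 15 * 60     # assumed sliding window for counting failures


def hash_password(password, salt=None):
    """PBKDF2 for the toy account store (a production service would tune Argon2/scrypt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Record checked against when the address is unknown, so the response time
# does not reveal whether an account exists.
DUMMY_RECORD = hash_password("not-a-real-password")


class LoginGuard:
    def __init__(self, accounts, notify, clock=time.time):
        # accounts: {email: (salt, digest)}; notify(email) sends the alert e-mail
        self._accounts = accounts
        self._notify = notify
        self._clock = clock
        self._failures = {}            # email -> deque of failure timestamps
        self._captcha_required = set()
        self._notified = set()

    def attempt(self, email, password, captcha_solved=False):
        email = email.strip().lower()
        now = self._clock()

        # Once the address is under captcha, refuse to even test the password
        # until the captcha is solved; this is what stalls a brute-force run.
        if email in self._captcha_required and not captcha_solved:
            return "captcha_required"

        salt, digest = self._accounts.get(email, DUMMY_RECORD)
        candidate = hash_password(password, salt)[1]
        ok = hmac.compare_digest(candidate, digest) and email in self._accounts
        if ok:
            self._failures.pop(email, None)
            self._captcha_required.discard(email)
            self._notified.discard(email)
            return "ok"

        window = self._failures.setdefault(email, deque())
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()               # drop failures older than the window

        if len(window) >= CAPTCHA_THRESHOLD:
            self._captcha_required.add(email)
            # Only a real owner can be mailed, but the caller sees the same
            # "invalid" either way, so existence is not leaked.
            if email in self._accounts and email not in self._notified:
                self._notified.add(email)
                self._notify(email)
        return "invalid"


if __name__ == "__main__":
    sent = []
    guard = LoginGuard({"owner@example.test": hash_password("correct horse")}, sent.append)
    for _ in range(CAPTCHA_THRESHOLD):
        print(guard.attempt("owner@example.test", "wrong guess"))
    print("alerts sent:", sent)
    print(guard.attempt("owner@example.test", "correct horse"))
    print(guard.attempt("owner@example.test", "correct horse", captcha_solved=True))
```

The guard keys its counters on the address typed, not on whether it exists, which is why a stranger hammering a random address gets the captcha too while nobody is mailed about it.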