Exposed Password: Bitwarden vs Google

How often is Bitwarden Exposed Password updated? I have a chunk of passwords exposed 2 days ago but not showing in Bitwarden Exposed Password scan.

I received a spam/scam email this morning with a list of passwords and attachment saying the person has access to my accounts, computer, and blah blah blah and want me to pay bitcoin so they don’t expose stuff (scam seems to have been around for some time now). Curiously I looked through my passwords on Bitwarden and found a bunch of passwords in the scam email. They were passwords created with random password generator through Bitwarden. As I was updating one by one, Google passwords pop-up was saying password is exposed in a breach and I should update it. I do have some passwords saved in Google passwords so I ran the free Google passwords check and it found the passwords that were in the scam email and all were exposed 2 days ago according to Google passwords. Google showed the websites associated with the exposed passwords.

Upgraded to Bitwarden premium to run Exposed Password check to see if there were any other passwords exposed but not saved on my Google passwords. None of the exposed passwords Google showed or the ones in the scammers email are showing as exposed in Bitwarden exposed password scan. Curious to know how soon Exposed Password gets updated since Google is already showing it and Bitwarden is not.

Hello and welcome to the communities!

TL;DR: check/remove malware on your devices, understand that there would be differences for BW’s breach reporting service.

BW uses haveibeenpwned (HIBP) services to run such reports, so what is included would depend on HIBP policies, which most likely are different from Google’s. It appears to me that other parties’ breach services (Google, etc.) are more sensitive than HIBP.

Here are HIBP policies (Have I Been Pwned: FAQs):

How is a breach verified as legitimate?

There are often “breaches” announced by attackers which in turn are exposed as hoaxes. There is a balance between making data searchable early and performing sufficient due diligence to establish the legitimacy of the breach. The following activities are usually performed in order to validate breach legitimacy:

  1. Has the impacted service publicly acknowledged the breach?
  2. Does the data in the breach turn up in a Google search (i.e. it’s just copied from another source)?
  3. Is the structure of the data consistent with what you’d expect to see in a breach?
  4. Have the attackers provided sufficient evidence to demonstrate the attack vector?
  5. Do the attackers have a track record of either reliably releasing breaches or falsifying them?

What would concern me more is how multiple passwords, if kept exclusively in Bitwarden, got exposed. If I ran an admin service for my relatives, I would carefully check for and remove malware on their devices, query them about being phished/installing new software/following links, and turn on 2FAs on at least all their important accounts.
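To make the HIBP dependency concrete: Bitwarden’s Exposed Passwords report relies on HIBP’s Pwned Passwords k-anonymity lookup, where the client hashes the password with SHA-1 and sends only the first five hex characters of the hash; the service answers with every hash suffix it knows for that prefix, in `SUFFIX:COUNT` lines, and the match is made locally. The example below is added here and is not Bitwarden’s or HIBP’s code. It does not contact the real service; instead it builds an in-memory stand-in from a constructed list of “leaked” passwords, so everything runs offline. The vault entries and site names are constructed too.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the breach corpus (password -> number of sightings).
# Not real breach data; it exists only so the lookup below has something to answer.
CONSTRUCTED_LEAKED: Dict[str, int] = {
    "password123": 12345,
    "letmein": 4210,
    "Summer2024!": 7,
}


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex (the form Pwned Passwords uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """k-anonymity split: 5-char prefix leaves the device, 35-char suffix stays local."""
    return digest[:5], digest[5:]


def build_simulated_ranges(leaked: Dict[str, int]) -> Dict[str, str]:
    """Group the constructed corpus by hash prefix, mimicking the range endpoint's body."""
    grouped: Dict[str, List[str]] = {}
    for pw, count in leaked.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        grouped.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in grouped.items()}


SIMULATED_RANGES = build_simulated_ranges(CONSTRUCTED_LEAKED)
REQUEST_LOG: List[str] = []  # records what a "server" would actually receive


def simulated_range_lookup(prefix: str) -> str:
    """Stand-in for GET /range/{prefix}; returns '' when no suffix is known for the prefix."""
    REQUEST_LOG.append(prefix)
    return SIMULATED_RANGES.get(prefix, "")


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count map; blank lines are ignored."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count)
    return counts


def exposure_count(password: str,
                   lookup: Callable[[str], str] = simulated_range_lookup) -> int:
    """How many times the corpus has seen this password (0 = not known to the corpus)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(lookup(prefix)).get(suffix, 0)


def exposed_entries(vault: List[Tuple[str, str]]) -> List[Tuple[str, int]]:
    """Run the check over (site, password) pairs and report the sites whose password is known.

    This is the 'search by password' the thread wishes for, done without exporting the vault.
    """
    return [(site, n) for site, pw in vault if (n := exposure_count(pw)) > 0]


if __name__ == "__main__":
    # Constructed vault entries; site names are placeholders, not real accounts.
    vault = [
        ("example-broker", "Summer2024!"),
        ("example-forum", "correct-horse-battery-staple-9921"),
        ("example-mail", "letmein"),
    ]
    for site, n in exposed_entries(vault):
        print(f"{site}: password seen {n} times in the simulated corpus")
    print("prefixes sent to the lookup:", REQUEST_LOG)
```

Two points the thread makes fall out of the code: the lookup only ever sees five hex characters, which is why a password manager can run this check without uploading passwords; and a password is reported only once it is in the corpus, so a breach HIBP has not yet loaded (per the verification policy quoted above) returns 0 no matter how recent Google’s alert is.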

The answer to most of the questions is “don’t know” (new to this). I do have Malwarebytes premium and Windows Defender running and nothing was picked up by both (did another scan while writing this up).

As for how I know it is a valid breach: the scam email has passwords. I checked against Bitwarden export to see if any of my accounts have any of the passwords, about 30 matched. Made a list of all the sites I need to change passwords. Then did Google passwords check and they came up as breached passwords. Did a Bitwarden Exposed Password check and they do not show up.

Ex: My Robinhood password was in the email from the scammer (did not say site or username, just a list of passwords). Robinhood password is 50 random characters I used Bitwarden to create. Google password breach is showing it as breached 2 days ago. I do have 2FA so I’m not as worried. There are other sites in the same boat; password is in the email the scammer sent, password does exist in my Bitwarden export and Google passwords is showing it as breached 2 days ago.

For devices, I only use Bitwarden on my own devices. Do not share devices with others. Some of the passwords are app passwords, so cannot log in on desktop/web. All just weird. In the process of changing all passwords I care about.

Edit: It’s this scam without the screenshots:
https://answers.microsoft.com/en-us/windows/forum/all/hey-i-got-an-email-which-contained-all-my/99711851-b414-4524-aeaf-45cf5fd8d386?page=1
https://answers.microsoft.com/en-us/windows/forum/all/hacker-sent-me-an-email-of-all-my-passwords-and/6dec02ee-9771-4f4c-8fcc-581175f85068

First, I don’t know what happened. I am just hoping you’ll find out so that you can definitively plug the holes, and we can learn something.

Second, the questions from HIBP weren’t for you, they are answers that HIBP tries to answer before adding the breaches to their lists.

Third, because your multiple credentials are compromised, the most likely cause would be from your end; hence, the following line of questions.

Concerning a malware, there are infostealers also that would exfiltrate data from your machine and erase themselves without a trace. Not finding anything on your machines is good, but not finding it doesn’t mean there wasn’t one before. Only you can tell, by examining if you have downloaded/installed anything / followed any links that may be deemed suspicious in the past few months.

So, you match the passwords in the email you received to 30 passwords in Bitwarden. Are the passwords all/mostly/just-a-few randomly generated passwords only kept in Bitwarden? Do you keep them also in your browser’s password manager (presumably Chrome)?

When you export your Bitwarden vault, do you keep the exported files encrypted?

How do you keep your Bitwarden locked on your desktop? PIN? Do you require entering master password after app restart?

Infostealers do:

  1. Exfiltrate browser’s credentials.
  2. Exfiltrate Bitwarden encrypted file, which is more vulnerable when PIN protected, not requiring master password on restart
  3. Exfiltrate files, especially with certain names/extensions.
  4. Keylog and sniff at clipboards

Ah sorry, I thought those questions were for me and I was like ??? Sorry for the misunderstanding.

All the passwords were created 4+ years ago it seems. And some of the sites don’t exist anymore or I don’t have an account with them anymore (account purged due to inactivity). There were some random generated passwords that I did not have current on Bitwarden, I probably changed recently.

30 passwords were all randomly generated. All kept in Bitwarden, some kept on Google passwords (Chrome). For export from Bitwarden, this was the second time I did it (CSV file) and I delete (Shift+Delete) after use right away (wish there was a way to search by password instead of having to export). Bitwarden is locked on desktop/devices. Always require master password for browser/app restart and 2FA for new logins.

As I went through updating impacted passwords, one of the sites said “password compromised, click here to reset password”. That site/company did have a statement about data breach back in March 2024 but my account was not part of the compromised list so don’t know.

I know data breaches are part of life nowadays so not too worried. I have 2FA on banking type of sites. Was hoping Bitwarden’s Exposed Password checker was more up-to-date like Google so I can see if other passwords were exposed as well (instead of just the ones saved on Google passwords).

Thank you for the questions of things for me to think about to be more cautious. At first was thinking maybe part of the snowflake data breach that happened this week but we’ll see in the coming days/weeks.


Don’t know how to Edit so replying.

Update: Received about 30 emails from Experian Identity Works a few mins ago saying email address was found on the dark web.

Urgent: We found a match to your monitored email address along with a password on the dark web. While this information doesn’t necessarily mean you are a victim of identity theft, your account information may be at risk, as well as any accounts where the same credentials were used.

Some of the 30 Experian emails give the site, some do not. The ones that show the site do match the ones I just finished updating over the weekend due to that scam email. Guessing it will trickle down to Bitwarden Exposed Password checker in the coming days as its database is refreshed. I kept one password as the old one since there is nothing sensitive for me on that site so I can know when Bitwarden Exposed Password is updated.

Update 2: Started getting emails/alerts from CreditWise also with date found on June 7th 2024. There are also about 30 alerts. Alert details say password is exposed.

Guessing this was from the Telegram Combolist on June 3rd 2024. Some people said passwords were 4-5+ years old, which matches my time frame of old password. Troy Hunt: Telegram Combolists and 361M Email Addresses


Hey, thanks for the update and the link. That was an interesting read. Since it is the guy who runs HIBP himself, a bunch of people might get new notifications soon, either by email or by Bitwarden report. He mentioned both old website breaches being combo-listed with newly cracked passwords, and new Infostealer logs.

He also mentioned a 13-year-old that suffered a similar scam email to the one you did, though. It’s intriguing that they would use passwords from new Infostealer logs and send them to the owners immediately instead of trying those accounts first or trying credential stuffing first (not worth the effort? Differently focussed criminal activities?).

The unique passwords shown in the articles aren’t searchable on HIBP, though, so did he actually load everything? Always more questions.