@Crips Welcome to the forum!
Edit: Please read the “Update” at the bottom of this comment.
There are two different email warnings that Bitwarden sends in these situations:
Which version have you been receiving from Bitwarden?
Regardless of which version of the email warning that you are receiving, the fastest way to end this type of attack is to change the email address that you use as your Bitwarden username. I would suggest that you log in to your Web Vault (vault.bitwarden.com or vault.bitwarden.eu, as applicable), and navigate to Reports > Data Breach; using the Data Breach check, verify that the email address you plan to use as your new username is not found in any known data breaches.
If you don’t have another email account (or if all of your email accounts have been found in data breaches), then check whether your email service provider supports so-called “plus-addressing”: for example, if your regular email address is [email protected], then you can also receive emails sent to [email protected] (where xxxxx can be replaced by any word or random string of letters/numbers).
Before changing the email address used for your Bitwarden account username, go to Tools > Export Vault in the Web Vault app, specify the “.json (Encrypted)” file format and the “Password Protected” export type, then follow the prompts to create a Password Protected backup of your vault contents. This is a prudent precaution, because on occasion the vault can become corrupted during the username change process. If you have a Premium account, it is also recommended that you enter the search string >attachments:* to locate any vault items that have file attachments; download copies of these files if you do not already have backup copies available elsewhere.
Update:
@Neuron5569 is right: if the OTP messages are legitimate emails sent from <[email protected]> or <[email protected]>, then the attackers already know both your email address (Bitwarden username) and your master password.
Unless you had a weak or re-used master password, it is very likely that you have unlocked or logged in to Bitwarden on a phishing website or on a device that is malware-infected. And since you continue to receive the OTP emails after changing your master password, it seems clear that the computer or mobile device that you used when changing your master password is compromised by malware.
Do not log back in to your Bitwarden account on the compromised machine (i.e., do not complete the email address change recommended above using a device that has malware).
Your first priorities should be to detect and remove all malware on your device, and in the meantime, to find a clean device that you can use to change your Bitwarden username and master password.
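The reasoning in the Update hinges on the OTP emails being legitimate, i.e. actually sent by Bitwarden rather than by a phisher imitating the warning. As an added example (not part of the post above, and not Bitwarden's code), the script below checks a saved `.eml` copy of such a message: it reads the `From:` domain and the `Authentication-Results` header that your own mail provider adds, and reports whether the sender domain is DKIM/DMARC-authenticated, merely claimed, or a lookalike. The sender domain (`EXPECTED_DOMAIN`), the authserv-id (`TRUSTED_AUTHSERV`) and the sample messages are assumptions and constructed data; the post shows the real sender addresses obfuscated, so set `EXPECTED_DOMAIN` to the domain you see in the genuine emails.

```python
"""Classify a saved OTP/verification email as authenticated, unauthenticated
or from a lookalike domain. Added example, not from the forum post.

Assumptions (not stated in the post): EXPECTED_DOMAIN is the domain of the
genuine sender address; TRUSTED_AUTHSERV is the authserv-id your own mail
server writes at the start of its Authentication-Results header.
"""
import re
import sys
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

EXPECTED_DOMAIN = "bitwarden.com"    # assumption: adjust to the real sender domain
TRUSTED_AUTHSERV = "mx.example.net"  # placeholder for your provider's authserv-id


def _domain_of(address: str) -> str:
    """Lower-cased domain part of an address ('' if there is no '@')."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _same_org(domain: str, expected: str) -> bool:
    """Relaxed alignment: domain equals expected or is a subdomain of it."""
    return bool(domain) and (domain == expected or domain.endswith("." + expected))


def _auth_results(msg, trusted_authserv: str):
    """Yield (method, result, props) from Authentication-Results headers that
    carry OUR authserv-id. Headers with any other authserv-id are ignored,
    because the sender can simply include a forged one in the message."""
    for value in msg.get_all("Authentication-Results", []):
        text = " ".join(str(value).split())        # unfold, collapse whitespace
        authserv, _, rest = text.partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != trusted_authserv.lower():
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*(dkim|spf|dmarc)=(\w+)(.*)", clause, re.I)
            if m:
                props = dict(re.findall(r"([\w.]+)=(\S+)", m.group(3)))
                yield m.group(1).lower(), m.group(2).lower(), props


def check_sender(raw: bytes, expected_domain: str = EXPECTED_DOMAIN,
                 trusted_authserv: str = TRUSTED_AUTHSERV) -> dict:
    """Return a verdict dict for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain_of(from_addr)
    expected = expected_domain.lower()

    dkim_aligned = spf_pass = dmarc_pass = False
    for method, result, props in _auth_results(msg, trusted_authserv):
        if method == "dkim" and result == "pass":
            # d= (or i=) must belong to the From: domain, otherwise any
            # attacker-owned signing domain would count as "pass".
            signer = props.get("header.d") or _domain_of(props.get("header.i", ""))
            if _same_org(signer.lower(), expected):
                dkim_aligned = True
        elif method == "spf" and result == "pass":
            spf_pass = True        # envelope sender only; does not vouch for From:
        elif method == "dmarc" and result == "pass":
            if _same_org(props.get("header.from", from_domain).lower(), expected):
                dmarc_pass = True

    if not _same_org(from_domain, expected):
        verdict = "wrong_sender_domain"   # lookalike or unrelated sender
    elif dkim_aligned or dmarc_pass:
        verdict = "authenticated"         # genuine: treat per the Update above
    else:
        verdict = "unauthenticated"       # From: claims the domain, nothing proves it
    return {"from": from_addr, "from_domain": from_domain, "dkim_aligned": dkim_aligned,
            "spf_pass": spf_pass, "dmarc_pass": dmarc_pass, "verdict": verdict}


def _eml(*lines: str) -> bytes:
    """Build a constructed test message with CRLF line endings."""
    return "\r\n".join(lines).encode() + b"\r\n"


# Constructed sample messages (not real mail); the local part is an assumption.
LEGIT = _eml("From: Bitwarden <no-reply@bitwarden.com>", "To: you@example.net",
             "Subject: Your verification code",
             "Authentication-Results: mx.example.net;",
             " dkim=pass header.d=bitwarden.com header.s=sel1;",
             " spf=pass smtp.mailfrom=bitwarden.com;",
             " dmarc=pass header.from=bitwarden.com", "", "Your code is 000000.")
SPOOFED = _eml("From: Bitwarden <no-reply@bitwarden.com>", "To: you@example.net",
               "Subject: Your verification code",
               "Authentication-Results: mx.example.net; dkim=none;",
               " spf=fail smtp.mailfrom=attacker.example; dmarc=fail header.from=bitwarden.com",
               "", "Your code is 000000.")
FORGED_HEADER = _eml("From: Bitwarden <no-reply@bitwarden.com>", "To: you@example.net",
                     "Authentication-Results: attacker.example; dkim=pass header.d=bitwarden.com",
                     "Authentication-Results: mx.example.net; dkim=none; spf=none",
                     "", "Your code is 000000.")
LOOKALIKE = _eml("From: Bitwarden <no-reply@bitwarden-security.example>", "To: you@example.net",
                 "Authentication-Results: mx.example.net;",
                 " dkim=pass header.d=bitwarden-security.example;",
                 " dmarc=pass header.from=bitwarden-security.example",
                 "", "Your code is 000000.")

if __name__ == "__main__":
    # Usage: python check_sender.py saved_message.eml   (defaults to the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(check_sender(fh.read()))
    else:
        for name, sample in [("LEGIT", LEGIT), ("SPOOFED", SPOOFED),
                             ("FORGED_HEADER", FORGED_HEADER), ("LOOKALIKE", LOOKALIKE)]:
            print(name, check_sender(sample)["verdict"])
```

Only an `authenticated` verdict supports the conclusion that the attacker already holds the username and master password; an `unauthenticated` or `wrong_sender_domain` result means the email itself may be the phishing attempt, and the advice about a compromised device still applies if you entered the master password anywhere that message pointed you to. The authserv-id filter matters: `Authentication-Results` is an ordinary header, so a spoofer can add a convincing `dkim=pass` line, and only the copy written by your own receiving server should be trusted.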