I was wondering if anyone had any recommendations…
Set up my account in December 2022. Since then I have only used it on my iPhone and used FaceID to login every time. Yesterday (30 Sep) my phone decided I needed my master password to login. I am a free user of the password manager.
I cannot remember my master password (not written down, not in notes etc). Nightmare I know, and I understand this might mean I need to delete my account and start again.
I have tried guessing my password multiple times without success. My questions are:
should I not be receiving an email from BitWarden saying someone has been trying to (unsuccessfully) access my account?
my email address has not been pwned. I am receiving my master password hint to this email (sadly I must have changed the password and not updated the hint). Is there any chance someone has hacked my bitwarden account and I don’t know about it? Would I receive an email if there is a login on a new device? Could a hacker change the email address linked to my account without me knowing?
Any tips or recommendations would be greatly appreciated.
You will only receive such an email notice if someone has attempted unsuccessfully to access your account 9 or more times (basically, when Bitwarden starts requiring hCaptcha on login, as a rate-limiting defense).
Yes, you would receive an email from Bitwarden stating exactly that.
It’s theoretically possible to do if you are victim of information-stealing malware or an Attacker-in-the-Middle exploit.
Yes, but this has not happened in your case, since you are still receiving password hints at your original email address.
I’m not sure why you’re asking so many questions about getting hacked. The fact that you were logged out of your mobile app is a completely normal (albeit not very frequent) event — it can happen at any time without warning, as a result of software updates on your phone, or as a result of server maintenance on Bitwarden’s end, etc.
I recently provided some relevant advice to another user in a similar situation (although your situation is actually worse) — you may wish to read the comment linked below:
Thanks very much - all helpful (and yup, pretty bad situation for me! all my own fault).
“You will only receive such an email notice if someone has attempted unsuccessfully to access your account 9 or more times (basically, when Bitwarden starts requiring hCaptcha on login, as a rate-limiting defense).” - I have tried probably around 30 different passwords within the space of 5 minutes but have not received any email notice from bitwarden and it isn’t requesting hCaptcha.
Unless there is something odd going on, this suggests that the email address you are using for these login attempts may be incorrect, or that the server region (bitwarden.com vs. bitwarden.eu) has been incorrectly selected. Since you’re able to get the master password hint emailed to you (which indicates your email address is correct), I would strongly advise that you double-check which server you are attempting to log in to (there should be a dropdown selector for “logging in on” or “server” on the email input screen).
Regardless, did you follow the instructions in the other comment that I had linked, and if so, what was the outcome?
If I select the bitwarden.com region and ask for a master password hint, I receive one to my registered email address. If I select bitwarden.eu and try the same…no email. So I am guessing bitwarden.com is the correct server region (I opened my account in Dec 2022), and this is the server region on which I have been guessing my password…still no email from Bitwarden saying there has been a failed login attempt.
I did try the instructions in your other comments, thanks. No luck unfortunately
I dug into the code a bit, and I found a snippet that indicates the warning email is only sent if the failed login attempts happen on a “new” (unrecognized) device.
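To make the behaviour described in this thread concrete (an alert only after roughly nine failed attempts, and only when those attempts come from an unrecognized device), here is a small detection routine run over constructed sample log lines. It is an added illustration, not Bitwarden's code or a description of its actual implementation; the log format, the ten-minute sliding window, the user and device names, and the "known device" registry are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLD = 9                    # failed attempts before an alert (figure quoted in the thread)
WINDOW = timedelta(minutes=10)   # assumed sliding window; the page does not state one


@dataclass
class Attempt:
    ts: datetime
    user: str
    device: str
    ok: bool


def parse_line(line: str) -> Attempt:
    """Parse one constructed log line: '<iso-timestamp> user=<u> device=<d> result=<ok|fail>'."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Attempt(datetime.fromisoformat(ts_str), kv["user"], kv["device"], kv["result"] == "ok")


def find_alerts(lines, known_devices, threshold=THRESHOLD, window=WINDOW):
    """Return (user, device, timestamp) for each burst of failures that should trigger a notice.

    A notice fires when a user's failed attempts inside the window reach `threshold`
    AND the device making the threshold-crossing attempt is not in that user's known set.
    A successful login resets the counter.
    """
    recent = {}   # user -> timestamps of recent failures
    alerts = []
    for a in sorted(map(parse_line, lines), key=lambda x: x.ts):
        if a.ok:
            recent.pop(a.user, None)
            continue
        fails = [t for t in recent.get(a.user, []) if a.ts - t <= window]
        fails.append(a.ts)
        recent[a.user] = fails
        trusted = a.device in known_devices.get(a.user, set())
        if len(fails) == threshold and not trusted:
            alerts.append((a.user, a.device, a.ts.isoformat()))
    return alerts


def _burst(user, device, n, start):
    """Constructed helper: n consecutive failed attempts one second apart."""
    return [
        f"{(start + timedelta(seconds=i)).isoformat()} user={user} device={device} result=fail"
        for i in range(n)
    ]


START = datetime(2023, 9, 30, 10, 0, 0)

# Constructed sample log: alice hammers her own known phone (the situation in this thread),
# bob's account is hit from an unrecognized laptop, carol's gets only a handful of failures.
SAMPLE_LOG = (
    _burst("alice@example.com", "iphone-known", 30, START)
    + _burst("bob@example.com", "unknown-laptop", 9, START)
    + _burst("carol@example.com", "unknown-laptop", 5, START)
)
KNOWN_DEVICES = {"alice@example.com": {"iphone-known"}}

if __name__ == "__main__":
    for user, device, ts in find_alerts(SAMPLE_LOG, KNOWN_DEVICES):
        print(f"notify {user}: {THRESHOLD} failed logins from unrecognized device {device} at {ts}")
```

Under this model, alice's thirty failures produce no notice because they come from her already-registered device, which matches what the original poster observed; only bob's ninth failure from an unknown device fires.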
Well, as you probably recognize, if you currently have no Bitwarden client apps or extensions that are still logged in, then your current vault data are unfortunately lost. Unless you somehow are able to recall your master password, you have no choice but to start over, manually recovering all accounts that had been stored in your vault.
If you do end up magically remembering or starting over, be sure to create both an emergency kit and occasional backups. The lesson you are learning today is one nobody needs to learn twice… and for those reading along, they ought to avoid learning this lesson the hard way.