Hacked three times in one day - leaving Bitwarden

I received an email notifying of failed login attempts since I haven’t used BW for a while. I immediately changed my password. 2 hours later I get the SAME email. I changed my password AGAIN and set up 2FA. Another 2 hours later, the SAME email! I now have purged my vault and deleted my account since it’s pretty obvious that someone from BW is leaking my changed master passwords to scum hackers; otherwise why would I be spammed with “failed login attempts” emails EVERY 2 hours?! Bitwarden can no longer be trusted!

First of all, if the email notifications said “Failed login attempt”, then that indicates your Master Password was not known to whoever was trying to log in. If your Master Password had been leaked, then the emails would just say “Your Bitwarden account was just logged into from a new device.”

All it would take for a failed login attempt to occur is for somebody to know your email address, and then make a lucky guess that you have a Bitwarden account. Have you tried checking your email address in HaveIBeenPwned? Or have you ever publicly disclosed your email address anywhere on the internet (e.g., on forums)? Have you tried Googling your email address and seeing if it comes up?

Before changing your Bitwarden Master password, you should have changed your Bitwarden username (email account). That should put an end to the notifications.

The email notification that you received is generated when someone has tried 9 times in a row to log in using a valid email but an incorrect Master Password. Bitwarden also forces further login attempts to solve an hCaptcha to thwart automated login attempts by bots. Ironically, each time that you successfully logged in to your Bitwarden account, you reset the “failed attempts” counter and removed the hCaptcha challenge, allowing the bot to continue to guess passwords. So it seems there was a bot that was trying to log in with your email address and a random password once every 10-15 min; the bot would have been stopped after 2 hours (9 failed attempts — when you saw the first email notification), but each time that you logged in to your account to change your password, the bot was able to do another 9 attempts (until you got the email notification 2 hours later). Unless your Master Password was ridiculously simple (e.g., Password123) it is unlikely that the bot would have ever succeeded — even though you allowed it to continue guessing by removing the hCaptcha challenges and not changing your login email.
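To make the counter-reset effect concrete, here is an added simulation (not Bitwarden's code): the `NaiveCounter` models the behaviour described in the reply above, where one account-wide counter is reset and the captcha cleared by any successful login, while `PerClientCounter` is an assumed hardening for comparison, not a description of Bitwarden's actual design. The scenario replays the thread: 9 bot guesses, the owner logs in to change the password, repeated three times.

```python
from dataclasses import dataclass, field

THRESHOLD = 9  # consecutive failures before captcha + alert email (figure from the thread)


@dataclass
class NaiveCounter:
    """Behaviour described in the reply: one counter per account, and any
    successful login resets it and removes the captcha challenge."""
    failures: int = 0
    captcha_required: bool = False
    alerts: int = 0

    def attempt(self, client: str, correct: bool, solves_captcha: bool = False) -> str:
        if self.captcha_required and not solves_captcha:
            return "captcha"  # guess never reaches a password check
        if correct:
            self.failures, self.captcha_required = 0, False  # owner's login clears everything
            return "ok"
        self.failures += 1
        if self.failures >= THRESHOLD:
            self.captcha_required, self.alerts = True, self.alerts + 1
            return "fail+alert"
        return "fail"


@dataclass
class PerClientCounter:
    """Assumed hardening (not Bitwarden's design): failures tracked per client,
    so the owner's success does not lift a challenge imposed on another client."""
    failures: dict = field(default_factory=dict)
    challenged: set = field(default_factory=set)
    alerts: int = 0

    def attempt(self, client: str, correct: bool, solves_captcha: bool = False) -> str:
        if client in self.challenged and not solves_captcha:
            return "captcha"
        if correct:
            self.failures.pop(client, None)  # only this client's counter resets
            return "ok"
        n = self.failures[client] = self.failures.get(client, 0) + 1
        if n >= THRESHOLD:
            self.challenged.add(client)
            self.alerts += 1
            return "fail+alert"
        return "fail"


def run_scenario(policy, rounds: int = 3) -> tuple:
    """Returns (alert emails sent, bot guesses that actually reached a password check)."""
    checked = 0
    for _ in range(rounds):
        checked += sum(policy.attempt("bot", False) != "captcha" for _ in range(THRESHOLD))
        policy.attempt("owner", True, solves_captcha=True)  # owner changes the password
    return policy.alerts, checked
```

With the naive policy the scenario yields three alert emails and 27 evaluated guesses, matching the thread; with per-client tracking the bot is challenged after its first 9 guesses and the owner receives a single email.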


Just adding my response to the same post on Reddit:

Hey there, the Bitwarden team does not have access to your master password. See more in the Bitwarden Security Whitepaper.

It sounds more like your email was leaked somewhere.

You can also take advantage of email alias/masking services like SimpleLogin, AnonAddy, Firefox Relay etc… to quickly and easily replace leaked credentials.