[HELP] Someone got access to my vault

Hello everyone,

I made a post a few days ago on Reddit because someone gained access to my Bitwarden vault.
I have a unique password for my Bitwarden vault; I haven’t used this vault or password since 2023.
Someone managed to enter the correct password, then I received a 2FA code by email and the person managed to enter this code (or gained access to Bitwarden without the 2FA?).

I made a post, and since I have some posts in piracy/FitGirl subs, some people just assumed I had downloaded bad things and got hacked that way, and that’s it. Despite my saying that was false, I didn’t receive help because people assumed it was malware on my side.

So... I made a post on BleepingComputer, to show them that I didn’t do anything and that I wasn’t infected.
https://www.bleepingcomputer.com/forums/t/808455/help-my-mail-and-bitwarden-are-compromised/

Everything is clean, only remnants of cracked software that isn’t even installed or doing anything.

Since we can see it’s not a hack from my side... does anyone have any ideas?
I checked the email I received; it’s a real email from Bitwarden, and I can see the device on the Bitwarden security page.

I only have one computer, which is secured, my password is safe, and I checked on Have I Been Pwned and Hudson Rock; everything looks good.

I asked Bitwarden support to send me logs to see if the hacker downloaded my vault (.json or something), but no answer in 3 days.

Can someone help me?

Big thanks.

PS: I need to change my password etc., yes; I also put 2FA on some systems. The main issue is that I have work passwords that I can’t really change. I just want to see if the hacker got them and if I have to escalate the issue to my N+2 (and I’ll probably get fired for that).

You already noted the two sources of vault access records. The complete list:

  • On the web vault (vault.bitwarden.com or vault.bitwarden.eu), settings > security >> devices.
  • Your email account gets notices upon each device’s first login.
  • Enterprise customers can arrange for login (and other) logs to be forwarded “real-time”.

Bitwarden does not keep their own access history for reasons of “privacy”.

One thing to know about Bitwarden. Their servers do not have your password. Your vault is downloaded to your PC in encrypted format and only your PC has the necessary stuff to decrypt it. Their security whitepaper has all the pesky details for those of us into that stuff.

There is no way to know this with certainty. The only safe position is to presume they were disclosed. Notifying your N+2 should not be a big deal. They should be changing them anyway whenever somebody leaves and whenever there is suspicion the creds have escaped. This will be much better accepted if you are the one that brings the risk to their attention and lets them decide to take defensive action before risking compromise.

Absolutely correct. Before you start changing bank, social, etc. passwords, you need to secure your vault:

  1. Back up your vault onto a flash drive that you generally keep offline. Use either ZIP or JSON format for the most complete backup. Either leave it unencrypted or password protected, whichever makes you more comfortable. Don’t use “account restricted”, though, as that cannot always be recovered.
  2. Deauthorize all sessions.
  3. Log back into the web vault and change your master password to 4 or more random words. Write this on your emergency sheet.
  4. Set up MFA on your vault and write the recovery code onto the emergency sheet too.
  5. After the above is done, you can proceed with changing all the passwords stored in your vault, setting up MFA on the accounts, etc.
  6. Back up your vault again.

I can confirm that the unwanted device was showing on " settings > security >> devices ".
I can also confirm that I received an email for the 2FA attempt, then a successful login.

For my Bitwarden vault, not gonna lie, it was my backup plan for another service that I use, so I just nuked the vault and deleted everything, then my account (just in case).

One question that I have:

One thing to know about Bitwarden. Their servers do not have your password. Your vault is downloaded to your PC in encrypted format and only your PC has the necessary stuff to decrypt it.

In my case, the hacker had access to my account, so he got everything to decrypt my password. Right?

For the N+2 thing, I had passwords in a Bitwarden vault; we don’t have any policies regarding it, but the fact that I got hacked = it’s my fault. They won’t think any further.

Thanks for your answer!

Yes, they gained access to your account using a password and unconfirmed access to your email; they can export the vault in plaintext using the password immediately. It could have been someone who bought your info and didn’t know that, but normally this wouldn’t be assumed.

Did the other service/vault have your Bitwarden and email credentials in it?

In deleting the vault, do you still have a record of the accounts that were in it, so that you know what still needs changing?

Was the vault master password randomly generated (e.g., a random 4-word passphrase)?

Was the vault master password ever disclosed to any other person, or ever saved in a digital medium?

Was your email account password randomly generated, unique, confidential, and not stored outside your Bitwarden vault?

Does your email account have 2FA?

Does your email account provide any history of logged in devices?

I don’t think such logs are available. If the attacker was able to log in to your vault, then they did download your vault data in an encrypted form (this always happens when logging in to a Bitwarden app or extension), and knowing the vault master password is sufficient to decrypt the downloaded data (this happens automatically when you log in, but the attacker would be able to do this decryption at will after they have downloaded the encrypted vault).

Thus, as noted by @DenBesten, you should assume that all secrets that were stored in your vault have been compromised.

For future readers of this thread (the point seems to be moot for OP, who has already deleted their Bitwarden account), I would recommend the following modifications to the advice given above:

  • In Step #3, make sure to select the option “also rotate my account’s encryption key”.
  • Just before Step #4, use the current Two-Step Login Recovery Code to disable 2FA (which also rotates the Recovery Code).
  • In Step #5, start by changing the passwords on your email account(s), since these can be used (by the attacker) to reset other account passwords.

Was the vault master password randomly generated?

Yes, it was.

Was the vault master password ever disclosed to any other person, or ever saved in a digital medium?

Never.

Was your email account password randomly generated, unique, confidential, and not stored outside your Bitwarden vault?

Yes! A 24-character generated password, stored in another password management service.

Does your email account have 2FA?

Yes, it does, and the 2FA is on my phone, with the Aegis app, which requires my fingerprint (and the password is 32 randomly generated characters).

Does your email account provide any history of logged in devices?

Yes, it does, and there is no trace of access from this IP, nor from another device.

Okay, considering your second paragraph, I’m fcked.

Very sorry about your situation. It is a bit baffling, though. Please read through this entire message, as there may still be a glimmer of hope for you.

Was your Bitwarden vault password stored in your other password manager? Was the Aegis password stored there, as well?

I don’t know too much about Aegis, but I imagine it may be possible to bypass the biometric unlock, if the password is known (similar to Bitwarden’s implementation of biometrics).

Did your Bitwarden account have any other 2FA methods enabled other than email?

Did you ever obtain and save the 2FA Recovery Code for your Bitwarden account? Is it possible it was stored in your other password manager?

Come to think of it, are you sure that the email you received from Bitwarden was a Two-Step Login (2FA) code? It seems more likely that it may have been a code required for New Device Login Protection (implying that your Bitwarden account did not actually have any 2FA enabled). What was the text of the email? For New Device Login Protection, it is basically one line that says something like:

To finish logging in, enter this verification code: 12345678

In contrast, the email message received when using email as 2FA looks like this:

Your two-step verification code is: 123456

The distinction is important, because it is possible for an attacker to bypass the New Device Login Protection (without having accessed your email), but it should not be possible for them to bypass a Two-Step Login (2FA) code without having access to your email account.

In your email inbox (or in trash or spam folders), was the verification code email followed by an email notice from Bitwarden with a subject line like New Device Logged In From [Device] (where “[Device]” is a specific device or browser type), and message body that looks as follows?

Trying to keep some hope alive, I am working off a hypothesis that the attacker never accessed your email; it may be possible that you may have been mistaken about your interpretation of the device information that is in the Security > Device log in the Web Vault, in which case there is a chance that the attacker never accessed your vault data. On the other hand, it is also possible that you did not have 2FA on your Bitwarden account (as I have suggested above), in which case the attacker may have been able to complete the login process without accessing your email account.

Your answers to all questions posed above would be helpful in determining the most likely explanation for what happened.

Was your Bitwarden vault password stored in your other password manager?

No, it’s only in my head.

Was the Aegis password stored there, as well?

Gotta be honest, it’s worse than that: I did generate a long password and forgot to copy it. So if one day I lose my finger for my fingerprint authentication, I can’t connect to my account lol. But at least it’s really secure, NO ONE, not even me, knows the password ahah

Did your Bitwarden account have any other 2FA methods enabled other than email?

No sadly, I only had 2FA by email at the time.

Did you ever obtain and save the 2FA Recovery Code for your Bitwarden account? Is it possible it was stored in your other password manager?

Never. I just created the Bitwarden vault in 2023, did a backup of my Proton into Bitwarden, then forgot about it.

When I go into the Security tab → Devices, I see the computer that was used.
19 May 2025 20:57:22, like in the email.

Based on the emails received from Bitwarden, it seems like you did not actually have any 2FA enabled for your Bitwarden account. The code that was sent to you was not a 2FA code, but a verification code required for Bitwarden’s New Device Login Protection (which is only active for accounts that do not have any 2FA).

Unfortunately, with the new information, it does seem that the attack was successful. Also, the short time between the verification code email and the “New Device Logged In” notification does strongly suggest that the attacker had access to your email at the time (i.e., they did not bypass the verification process). Perhaps you were the victim of session token theft or a RAT. I know that you scanned your computer, but a session token theft would not necessarily leave behind any footprints, and it is also possible for malware to hide its tracks. Session hijacking seems more likely, as this would probably explain why you saw no suspicious device logins in your email account logs (the attacker is essentially spoofing your own device).

The only thing that remains unclear is how they obtained your Bitwarden vault password. What parameters were used to generate the password (length, passphrase or password, character sets if password, etc.)? Where did you generate the password (i.e., what specific generator was used)?

Your narrative implies that you generated a random password for your Bitwarden account in 2023, never wrote it down or saved it anywhere, never typed or disclosed the password in 2 years, never used it for any other account or service, but you still remember what it was. Is this accurate?

If at all possible use exclusively a security key (YubiKey) for your vault, and especially your email and banks. I don’t allow any exceptions. I keep recovery codes but I won’t accept text or email as a form of two factor. Just toooooooooooooooooo weak. Security Keys cannot be phished and they are not very expensive at all.

Just bought one Yubico YubiKey 5C NFC and I’ll try to use it in as many services as possible.

The only thing that remains unclear is how they obtained your Bitwarden vault password. What parameters were used to generate the password (length, passphrase or password, character sets if password, etc.)? Where did you generate the password (i.e., what specific generator was used)?
Your narrative implies that you generated a random password for your Bitwarden account in 2023, never wrote it down or saved it anywhere, never typed or disclosed the password in 2 years, never used it for any other account or service, but you still remember what it was. Is this accurate?

Considering my hella bad memory, I understand that this sounds absurd, but dude, it’s the only password I’ll remember till I die, and I have no clue why this specific password is in my head. When I tried to remember it, I made a little song about it, and now I can randomly sing it.
The only issue with it is that there are no special characters.
And for the site, I think I used Dashlane (the first one that popped up when I typed " generate password online").

Can I do something about the RAT or session token theft? I changed my Gmail password too, just in case.

That shouldn’t have been an issue if what you generated was a passphrase (not a random character string), and as long as the number of random words was sufficiently large — again, provided that the passphrase was never disclosed or ever used for any purpose other than logging in to an authentic Bitwarden app.

Dashlane’s generator does not have the ability to generate passphrases, so it must have been something else — unless what you generated was a random character-string password. Was it? If so, the guessability will depend critically on the password length and on whether you included numbers as well as both upper- and lowercase letters in the generator settings. For a password (but not a passphrase), omitting special characters will reduce your password strength by 35–75% (depending on what other character classes were included/excluded).

Please note that there is a risk involved in using any online password/passphrase generator, especially one that has not been vetted and received a passing score in Aaron Toponce’s audit; for optimal security, the generator should be downloaded and then opened on your local computer only after it has been disconnected from the internet.

If the RAT was still on your computer, presumably it would have been found in the scan that you did. For the session hijacking, you would have to go into your email account and deauthorize all active login sessions.

Just a heads up to keep you safe. If you only bought one security key, it is imperative that you maintain recovery codes to bypass two-factor authentication should that key get lost or broken. I have a pile of keys and use 4 or 5 (site allowance) for my accounts.

I have never had a key break or malfunction in many years. Theft or loss — never happened but possible. Reiterating: keep recovery codes to compensate for key loss.

It wasn’t a passphrase; it’s like " yt5qmrklp9gfpi6dven54201 " (obviously it’s not the password, but the same amount of each character).

the generator should be downloaded and then opened on your local computer only after it has been disconnected from the internet.

I use the Proton Pass one now, and generate 30 characters with special symbols, numbers, caps, etc.

you would have to go into your email account and deauthorize all active login sessions.

No session was found; just in case, I disconnected everything and changed the password on another computer.

I have a pile of keys and use 4 or 5 (site allowance) for my accounts.

I’ll print the recovery codes and put them somewhere. I can’t afford another key (70€ was already kinda huge for me lol), but thanks for the advice!

I count 16 lowercase letters and 8 numerical digits — so the resulting entropy would have been in the range 102–124 bits, which is not crackable with today’s technology (even if you were still using deprecated settings for the KDF). This means that the password had to have leaked from somewhere.

That’s fine, as long as you use the generator that’s integrated inside the app, and not the publicly available generator webpage.

FYI, all you need is the 30€ Security Key series; you could have had two already!

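The 102–124 bit range quoted above can be checked directly. This is an added example, not code from the thread or from Bitwarden: it takes the composition reported earlier (24 characters, 16 lowercase letters and 8 digits) and computes three entropy figures, depending on how much an attacker is assumed to know about the arrangement; the 10^12 guesses/second rate is an assumed figure for illustration only.

```python
"""Entropy bounds for a password with a known per-class composition.

Added example (not from the thread). Three attacker models:
  * fixed positions: attacker knows which positions hold which class (lower bound)
  * unknown positions: attacker knows the counts but not the arrangement
  * uniform: every position drawn from the union of the classes used (upper bound)
"""
import math

# Class sizes for the standard printable ASCII set (33 specials incl. space)
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def classify(sample):
    """Count characters per class in a sample such as 'yt5qmrklp9gfpi6dven54201'."""
    counts = {name: 0 for name in CLASS_SIZES}
    for ch in sample:
        if ch.islower():
            counts["lower"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["special"] += 1
    return counts


def fixed_positions_bits(counts):
    """Lower bound: each class contributes n * log2(class size)."""
    return sum(n * math.log2(CLASS_SIZES[c]) for c, n in counts.items())


def unknown_positions_bits(counts):
    """Add log2 of the multinomial: number of ways to place the classes."""
    total = sum(counts.values())
    arrangements = math.factorial(total)
    for n in counts.values():
        arrangements //= math.factorial(n)
    return fixed_positions_bits(counts) + math.log2(arrangements)


def uniform_bits(counts):
    """Upper bound: length * log2(size of the combined alphabet actually used)."""
    alphabet = sum(CLASS_SIZES[c] for c, n in counts.items() if n > 0)
    return sum(counts.values()) * math.log2(alphabet)


def entropy_range(counts):
    """Return (lower bound, unknown-positions estimate, upper bound) in bits."""
    return fixed_positions_bits(counts), unknown_positions_bits(counts), uniform_bits(counts)


def years_to_exhaust(bits, guesses_per_second=1e12):
    """Years to try the whole space at an assumed guess rate (illustrative only)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    lo, mid, hi = entropy_range(classify("yt5qmrklp9gfpi6dven54201"))
    print(f"fixed={lo:.1f} bits, unknown positions={mid:.1f} bits, uniform={hi:.1f} bits")
    print(f"exhaustive search at 1e12 guesses/s: ~{years_to_exhaust(lo):.2e} years")
```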

FYI, all you need is the [30€ Security Key series]; you could have had two already!

I just canceled the order for the 66€ one and bought two 30€ ones, thanks :)

This means that the password had to have leaked from somewhere.

I swear on my cat that this password is only in my head.

That’s fine, as long as you use the generator that’s integrated inside the app, and not the publicly available [generator webpage]

Yep, I have Proton Pass Premium, so I only use the in-app one.


One theoretical possibility is that your device was compromised at the time that you generated the original password (or even that the website you used was compromised). It had to have leaked from somewhere; we just don’t know where.

And did you ever log into your account (i.e., access your vault) using any Bitwarden app, browser extension, or web vault during the two years from the original account creation until you received the email notifications about the verification code and login from a new device?