I think it is a little odd I got an email from this company but never have signed up or heard of this before…
It happens. I get emails obviously intended for someone else all the time. Perhaps someone has an email very similar to yours and just made a mistake when they signed up?
Same here, Chris.
If it appears someone used your email address to create an account with Bitwarden, you can simply delete the account following the steps below:
Steps to delete your account:
- Navigate to Bitwarden Web Vault
- Enter your account’s email address - the email address that was used
- Go to your email inbox and click the verification link that was sent to you to confirm the delete
It happened to me too, so I signed up to the forum to follow this thread.
The fact that many report it at the same time makes me think that something is going on…
@go12 It might be worth checking to see if there has been a sudden spike in sign-ups, in case someone is doing some sort of automated process maliciously.
I am curious to know what the email said. Was it legit, or perhaps, was it some kind of third-party phishing attempt?
There are a few reports of unsolicited account registrations. We’re working to add some additional protection in the next release.
The game of “whack-a-mole” is never-ending.
No phishing detected on the email.
Here is the header:
From: Bitwarden [email protected]
Subject: Welcome to Bitwarden!
Message-ID: [email protected]il.amazonses.com
Date: Wed, 21 Jul 2021 03:31:49 +0000
Content-Type: text/plain; charset=UTF-8
Welcome to Bitwarden and thank you for creating an account! Now you can extend robust security to all of your online experiences and devices.
Your Master Password is the only way you can unlock the Vault and only you hold the key. Memorize it, or write it down and keep it in a safe place.
While the email appears to not be fake, it doesn’t mean that something concerning is not going on if this happened to a bunch of people. Perhaps there is an attempt to register lists of emails to see who has an account and who does not. If your website says “account already registered” or something when attempting to sign up with an email already signed up, it may lead to knowledge for hackers, etc.
Interesting. Thanks for sharing. I wondered if it was the standard message for a new signup.
For what it’s worth, mine looks legit too: DKIM, SPF, and DMARC passed. Happy to share the full headers if needed.
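As an added example (not from the original thread and not Bitwarden's code), here is how the SPF/DKIM/DMARC check mentioned above can be done programmatically on a saved message, using only the Python standard library. The message and its `Authentication-Results` lines are constructed; `mx.example.net` is a hypothetical stand-in for the recipient's own mail server, and the sender address and DKIM signing domain are assumptions. The caveat it enforces is the one that matters in practice: only the `Authentication-Results` header stamped by your own MTA (its authserv-id) is trustworthy, because a sender can add a header claiming `dkim=pass` themselves.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread. The
# Authentication-Results lines are assumptions about what the recipient's
# MTA ('mx.example.net', hypothetical) would add; the second such header is
# one an attacker slipped into the message before sending it.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=amazonses.com;
 dkim=pass header.d=bitwarden.com header.s=example;
 dmarc=pass header.from=bitwarden.com
Authentication-Results: evil.example; dkim=pass header.d=bitwarden.com; dmarc=pass header.from=bitwarden.com
From: Bitwarden <sender@bitwarden.com>
Subject: Welcome to Bitwarden!
Date: Wed, 21 Jul 2021 03:31:49 +0000
Content-Type: text/plain; charset=UTF-8

Welcome to Bitwarden and thank you for creating an account!
"""

# Constructed phishing-style sample: a lookalike sender domain and an
# Authentication-Results header that only the attacker's own server "vouched" for.
SPOOFED_MESSAGE = """\
Authentication-Results: evil.example; spf=pass smtp.mailfrom=bitwarden.com; dkim=pass header.d=bitwarden.com; dmarc=pass header.from=bitwarden.com
From: Bitwarden <sender@bitwarden-login.example>
Subject: Welcome to Bitwarden!
Content-Type: text/plain; charset=UTF-8

Please confirm your account.
"""

# method=verdict followed by zero or more key=value properties (header.d=..., smtp.mailfrom=...)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)((?:\s+[\w.-]+=[^\s;]+)*)")


def parse_authentication_results(raw_message, trusted_authserv):
    """Return {method: (verdict, {prop: value})} from the Authentication-Results
    headers whose authserv-id matches our own MTA; any other such header is ignored."""
    msg = email.message_from_string(raw_message)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\s+", " ", value).strip()      # unfold the header
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted_authserv.lower():
            continue                                     # not stamped by us: untrusted
        for method, verdict, props in AUTH_RE.findall(rest):
            propmap = dict(p.split("=", 1) for p in props.split())
            results[method] = (verdict.lower(), propmap)
    return results


def sender_looks_authentic(raw_message, trusted_authserv):
    """Return (ok, reasons): ok only if SPF, DKIM and DMARC all passed according to
    our MTA and the DKIM signing domain aligns with the visible From domain."""
    msg = email.message_from_string(raw_message)
    results = parse_authentication_results(raw_message, trusted_authserv)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    for method in ("spf", "dkim", "dmarc"):
        verdict = results.get(method, ("missing", {}))[0]
        if verdict != "pass":
            reasons.append(f"{method}={verdict}")
    dkim_domain = results.get("dkim", ("", {}))[1].get("header.d", "").lower()
    if dkim_domain and not (from_domain == dkim_domain or from_domain.endswith("." + dkim_domain)):
        reasons.append(f"dkim d={dkim_domain} does not align with From domain {from_domain}")
    return (not reasons, reasons)


if __name__ == "__main__":
    print(sender_looks_authentic(SAMPLE_MESSAGE, "mx.example.net"))
    print(sender_looks_authentic(SPOOFED_MESSAGE, "mx.example.net"))
```

To use it on a real message, export the raw source from your mail client and pass the authserv-id your provider writes into its own `Authentication-Results` header; the spoofed sample shows why a header from any other server is discarded rather than believed.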
I’m trying to figure out what an attacker would gain from this?
Are they just checking to see if you already have an account?
Edit: Yup, this could be what they’re doing. I just tried to sign up with an email that already has a Bitwarden account and got a warning saying this email is already taken.
The other thing is, I have been a lastpass user for like 12 years or so now and I found it weird I got an auto sign up to what appears to be a competitor…
I am pretty sure Bitwarden does not operate like that. Given that there are a number of you reporting the same issue within the same day, the most likely scenario is that your login credentials were breached on another site and are now being used in a credential stuffing blitz by a malicious actor hoping that you (1) have an existing Bitwarden account, and (2) you recycled the same password.
The good news for you is that if you didn’t have a Bitwarden account, you are safe.
But if you wanted to test my theory, you could go to a site like Have I Been Pwned: Pwned Passwords and see if your email is associated with a breach. If so, try any passwords that were leaked to see if you can login to the BW account that was created without your knowledge. If so, that proves the intent of whoever created it as malicious.
There is also a subreddit (https://www.reddit.com/r/Bitwarden/comments/oohyv5/) where people are discussing this same issue.
Does Bitwarden not verify account email addresses before actually creating an account?
Yes, there is email verification on new accounts. It is prompted after you login for the first time, but not before.
I think it would be beneficial to change the process so the email verification has to be completed before the account is fully set up.
We’re taking some extra measures to prevent any spamming in the first place, as we don’t want anyone getting emails they didn’t solicit at all, regardless of whether it’s a welcome or a verification email.
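The thread raises three server-side points: the sign-up form answering "this email is already taken" is an enumeration oracle, accounts are created before the address is verified, and unsolicited mail should be throttled at the source. As an added example (not the original poster's or Bitwarden's code, and not a description of how Bitwarden is implemented), the block below models the leaky sign-up beside one that fixes all three: it returns the same response whatever the state of the address, creates the account only when a token from the mailbox is presented, and sends at most one mail per address per interval. The store is an in-memory stand-in and the throttle and token lifetime values are assumed policy, not anything the thread states.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60     # verification links expire after 15 minutes (assumed policy)
RESEND_INTERVAL_SECONDS = 60    # at most one mail per address per minute (assumed policy)


class LeakyRegistration:
    """Sign-up that answers differently for known and unknown addresses.

    This is the behaviour observed in the thread ('this email is already
    taken'): anyone can run a list of addresses through it and learn who
    has an account, and every submission creates an unverified account.
    """

    def __init__(self):
        self.accounts = set()

    def register(self, address):
        address = address.strip().lower()
        if address in self.accounts:
            return "This email is already taken"
        self.accounts.add(address)            # account exists before any verification
        return "Account created, welcome!"


class SafeRegistration:
    """Sign-up that neither reveals existing accounts nor creates unverified ones."""

    def __init__(self, clock=time.time):
        self.accounts = set()
        self.pending = {}     # sha256(token) -> (address, expiry); raw tokens are never stored
        self.last_sent = {}   # address -> time of last outbound mail, for throttling
        self.outbox = []      # records of mail that would be sent: {"to", "kind", "token"}
        self.clock = clock    # injectable so expiry and throttling can be tested offline

    def register(self, address):
        address = address.strip().lower()
        now = self.clock()
        # Identical response for every state of the address, so the reply is not an oracle.
        response = "If that address can receive mail, a verification link is on its way."
        if now - self.last_sent.get(address, float("-inf")) < RESEND_INTERVAL_SECONDS:
            return response   # throttled: repeated submissions generate no further mail
        self.last_sent[address] = now
        if address in self.accounts:
            # Existing account: nothing is created and no welcome mail goes out;
            # the owner is told about the attempt instead.
            self.outbox.append({"to": address, "kind": "registration-attempt", "token": None})
        else:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.pending[digest] = (address, now + TOKEN_TTL_SECONDS)
            self.outbox.append({"to": address, "kind": "verify", "token": token})
        return response

    def confirm(self, token):
        """Create the account only when the mailbox owner presents a valid, unexpired token."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Looking up the hash rather than the token means a leaked table is not
        # usable and no timing-safe comparison of secrets is needed here.
        entry = self.pending.pop(digest, None)   # pop: each token is single-use
        if entry is None:
            return False
        address, expiry = entry
        if self.clock() > expiry:
            return False
        self.accounts.add(address)
        self.outbox.append({"to": address, "kind": "welcome", "token": None})
        return True


if __name__ == "__main__":
    svc = SafeRegistration()
    print(svc.register("someone@example.com"))
    print("accounts before confirm:", svc.accounts)
    token = svc.outbox[-1]["token"]
    print("confirmed:", svc.confirm(token), "accounts after:", svc.accounts)
```

Note what an attacker who submits someone else's address gets from the safe version: one generic response, no account in the victim's name, and no way to obtain the token, which only ever goes to the mailbox. The one residual effect is the single verification mail, which the throttle bounds; a deployment would add per-IP limits on top, and should keep the "already registered" distinction out of the login and password-reset forms too, or the enumeration just moves there.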
One thought though, what about those who use email-shaped usernames, that can’t actually receive email? (it happens)
I didn’t realise that it’s possible to sign up without an email address!
Privacy enthusiasm knows no bounds!