I took a backup of your data and it is safe with me if you want your data contact me

I recently had a surprise…

Logging into Bitwarden, I saw no passwords, just capital letters:
“YOUR DATA”

Then the message body:

I took a backup of your data and it is safe with me if you want your data contact me.

Summary

You will get a backup file of your data and you will be able to import everything back into Bitwarden at once.

Session ID: 05c577061d327f7fbb83f4a2a742b311c687c8234a01973d9c0a6a99d52811aa59

Telegram Username: Q337x

Session Messenger Download Links:

Telegram Download Links:

  • Play Store:Google - store/apps/details?id=org.telegram.messenger&hl=en
  • App Store: app/telegram-messenger/id686449807

How to Use Session
youtube.com/watch?v=OBnQvy5RNEM

So the good news is that I have my own backup data…

However, I noticed a change in size from the regular 541-542 KB to the new 769 B file.

So my first action was to end all sessions, and I was able to import the data to finish what I was doing… but I’m unsure what to do next.

@Capped6302 Hi!

Just a short first response, adding to the corresponding question on Reddit (https://www.reddit.com/r/Bitwarden/s/BWfzLPlAnl) - though I don’t know if you’re the same person or if these are two separate incidents:

By “ending all sessions” you mean “deauthorize all sessions” in the web vault? That may be a good idea in your case, but I would assume the attacker logged in to your vault just like you, so that is not nearly enough.

For now, actually I would recommend reading this recent blog article: What to do if you think one of your online accounts has been hacked | Bitwarden Blog


Things in order I think I would do RIGHT AWAY in case of a compromise of a bitwarden account (like this one seems to be):

First of all, if you can’t access the compromised bitwarden account:

1.- Delete the compromised account via its email.
2.- Create a new account, preferably with a different and, if possible, unique email. Don’t reuse the master password.
3.- Enable 2SV.
4.- Import the most recent backup available.

If you can regain control of your compromised account:

1.- Deauthorize all sessions.
2.- Change master password rotating account encryption key (needed if one of your devices where you access bitwarden could be compromised, and also needed in case of account compromise; especially with a weak master password).
3.- Disable 2SV (if it’s enabled) and re-enable it, whether it was previously enabled or not (this would be to force a change on the 2SV recovery code).
4.- Restore missing vault data (if any is missing) using the most recent backup.

Once the bitwarden account and its vault contents are secured again:

1.- Update your emergency sheet; or create a new one, if you didn’t before.
2.- If the contents of your vault are any different from your most recent backup: take a new vault backup, to have a clear and accurate picture of what its content was when it was compromised (it could be useful in the future).
3.- Change each and every one of the credentials stored in the compromised vault (this will probably take a lot of hours of tedious work, prioritize).

Needless to say, all of this should be done on a device you are fairly certain is free from malware.


If we are making a list now, first of all I would think of what most sensitive data was in my vault - like online banking, credit card, PayPal login data etc. (PS: and email account(s)!) - that the attacker now presumably has and could use himself.

And the most immediate step would be to contact your bank to protect your banking account and to change the credentials (passwords etc.) for all of that most sensitive login data.

PS: Though, what has to be done “first” may also depend on the causes of situations like that. E.g. if you have malware on your device causing this, you can change credentials as long as you want… So no easy answer here.

Yes, agreed. I would include your suggestion in this step:

Change each and every one of the credentials stored in the compromised vault

Which, of course, is the one that will require the most time to accomplish.


Probably also check your computer for malware

@Capped6302 Welcome to the forum!

This is the recommended advice for users whose Bitwarden accounts have been compromised:

  1. Find a malware-free device (or thoroughly disinfect your current device). Unless you have strong reason to believe otherwise, you should assume that your vault was compromised by means of malware on a device where you used Bitwarden; none of the steps below will be effective if you perform them on a device that has malware. Cleaning your device may require reformatting the drive and reinstalling the operating system, depending on what type of malware has infected it.
  2. Log in to the Web Vault, and Deauthorize All Sessions.
  3. Log in to any non-mobile app (e.g., Web Vault, Desktop app, or browser extension) and create a password-protected .json export of your vault contents. [Step 3 is not applicable in your situation.]
  4. Log in to the Web Vault, and change your master password (enabling the option “Also rotate your account encryption key”); your new master password must be a randomly generated 4-word passphrase. Optionally, also change the email address used as your Bitwarden username.
  5. If your account had 2FA, then go to this form to disable your 2FA recovery code and turn off 2FA for your account, then get a new 2FA recovery code.
  6. Enable 2FA for your account (using FIDO2/WebAuthn if possible), since the previous step will have resulted in the removal of all 2FA from your account.
  7. If you performed Steps 2–6 on a device different from your main device (the one that was compromised), then you need to proceed with scrubbing all malware from that device before you ever log in to Bitwarden on that device again (see Step 1).
  8. Start the process of resetting passwords for all accounts stored in your Bitwarden vault, starting with the most important/sensitive ones (e.g., bank accounts, credit card accounts, etc.), and the ones that you know have already been hacked. In addition, if the website provides such an option, deauthorize all logged-in sessions after changing the password.

In your case, you would import your previous backup before starting Step 8.

Going forward, you should also make a serious effort to determine how this compromise may have occurred. Was your master password re-used or non-random? Did you not have 2FA on your Bitwarden account? Do you download pirated software or media from nonreputable sites? If you don’t change something about your security posture, the situation you’re finding yourself in now is likely to recur in the future.


My suggestion…

Since the old vault has nothing in it, there is no point in deauthorizing sessions, deleting the account or doing anything else that may alert the bad actor that you are onto them.

Here is the process I would follow:

  1. Make absolutely sure your PC is free from malware.

  2. Create a brand new account using a new username and password. Plus-addressing can help keep things simple (e.g. [email protected], where “something” can be anything). Getting Started on the Right Foot is a good reference for doing this.

  3. Import your backup into the new account.

  4. Change every password stored in your vault, starting with those that can impact your financial life (banks, investments, credit cards) and those that can be used to regain access to accounts (mostly, email accounts). To keep track of progress, you might add a smiley to the name as you complete each change.

  5. If you have any credit cards stored in your vault, request a new card with a new number.

  6. After everything is done and the bad actor no longer has exploitable data, delete the old vault.

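One way to organise the credential-rotation step that several replies above describe (money and email accounts first, then mark each item as you finish it), as an added example that is neither from this thread nor Bitwarden's own code: a Python script that triages an unencrypted Bitwarden JSON export into a rotation order. The export layout and the item type codes (1 = login, 3 = card) are my assumptions about that export format; the keyword tiers and the sample vault are constructed for the example.

```python
import json
from urllib.parse import urlparse

# Item "type" codes assumed from Bitwarden's unencrypted JSON export: 1 = login, 3 = card
TYPE_LOGIN, TYPE_CARD = 1, 3
DONE_MARK = "\u2714"  # the "smiley in the name" trick from the thread: marks rotated items
# Constructed keyword lists: tier 1 = money plus the email accounts that can reset everything else
TIER1 = ("bank", "paypal", "credit", "invest", "mail", "proton", "outlook")
TIER2 = ("amazon", "ebay", "facebook", "shop")

def _login(name, date, uri):
    return {"type": TYPE_LOGIN, "name": name, "revisionDate": date,
            "login": {"uris": [{"match": None, "uri": uri}]}}

# Constructed sample vault (not real data), in the assumed export layout
SAMPLE_EXPORT = json.dumps({"encrypted": False, "folders": [], "items": [
    _login("MyBank", "2024-01-10T00:00:00Z", "https://online.mybank.example"),
    _login("Proton Mail", "2023-06-01T00:00:00Z", "https://mail.proton.example"),
    _login("Facebook", "2024-03-01T00:00:00Z", "https://www.facebook.example"),
    _login("Old forum " + DONE_MARK, "2019-01-01T00:00:00Z", "http://forum.example"),
    {"type": TYPE_CARD, "name": "Visa card", "revisionDate": "2022-01-01T00:00:00Z"},
    {"type": 2, "name": "Wifi note", "revisionDate": "2022-01-01T00:00:00Z"},
]})

def tier_for(item):
    """1 = rotate first, 2 = next, 3 = the rest; None = nothing to rotate (notes, identities)."""
    if item["type"] == TYPE_CARD:
        return 1  # cards: ask the issuer for a new number, as the thread suggests
    if item["type"] != TYPE_LOGIN:
        return None
    hosts = [urlparse(u.get("uri") or "").netloc.lower()
             for u in item.get("login", {}).get("uris", [])]
    hay = item["name"].lower() + " " + " ".join(hosts)
    if any(k in hay for k in TIER1):
        return 1
    if any(k in hay for k in TIER2):
        return 2
    return 3

def rotation_plan(export_json):
    """Return (todo, done): todo ordered by tier, then most recently changed first."""
    todo, done = [], []
    for it in json.loads(export_json)["items"]:
        t = tier_for(it)
        if t is None:
            continue
        (done if DONE_MARK in it["name"] else todo).append((t, it["revisionDate"], it["name"]))
    todo.sort(key=lambda x: x[1], reverse=True)  # newest revisionDate first ...
    todo.sort(key=lambda x: x[0])                # ... then a stable sort by tier
    return [n for _, _, n in todo], [n for _, _, n in done]
```

Run it against your own export by replacing SAMPLE_EXPORT with the file contents; re-running after each rotation shows the shrinking todo list as marked items move to done.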

Thank you to everyone brainstorming here…

So yes, I’m now currently at the final stage - with a new account and a similar style of password, extended from 10 to 20 mixed characters which (as always) is also written on my ‘emergency’ password/login information sheet inside my bedroom door.

I started changing credentials - and that in itself is such a major pain it’s beyond belief… but I don’t use PayPal or any other online browser based banking services making life easier there.

For example, Facebook (which I use for my local online selling) now presented ONLY the option for me to use a WhatsApp code (with me never having had a WhatsApp account, I remember the insidious step that Meta took in purchasing WhatsApp).

Going forward I will be investigating my Android phone, as I have always felt safe (since around 2006) using Linux without any kind of anti-malware software…

This is obviously an understatement - and obviously (assuming that there is possibly little risk or benefit from the hacker actually using any of my data) the biggest headache.

It’s likely it will not be completed - so basically I will focus on important/recently used… There are a total of 550 items and many of those might have been expired through disuse or are just not important enough to worry about.

I started this task identifying the highest priority websites and will continue by using my browser history.

This does not sound like it is as secure as it could/should be (and may have contributed to your recent vault compromise).

If your password is not a computer-generated random password, then it is impossible to guarantee the safety of your vault. On the other hand, if your 20-character password is in fact a random character string (like 6%F+CV^6$=q-;e3x<2BB), then it seems that you would be tempted to copy and paste the master password instead of typing it manually; this exposes you to unnecessary risks.

The best practice is to use a randomly generated 4-word passphrase as your master password.
