Is it possible to review account IP history? [Question]

Hello,

I have a friend who I recommended Bitwarden to and who appears to have had one of his credentials stolen. I am trying to help him locate if the service was hacked or his password manager or laptop or other.

Is it possible to check what IP addresses someone had signed into Bitwarden from?

I’m not sure if that’s possible, maybe they have some logs they could check for you.

In terms of the stolen credentials, have they set up 2FA for logging into Bitwarden? And the compromised account, does that have 2FA? Is the password for the compromised account unique or has it been reused elsewhere?

I would check HaveIBeenPwned.com - they have a page where you can enter your password and it’ll tell you if it’s on a known leaked password list.

Hopefully they set a strong, secure, unique password for their BW account, so my money would be on the compromised account being accessed directly, not via BW. Chances are if someone had gained access to BW, they’d have seen more than one account compromised by now.

I agree with danmullen’s assessment. Further, it would be wise to do two things to your friend’s BW account RIGHT NOW. 1. Change master password. 2. In an abundance of caution, change the encryption key also. You can do that on the same vault page where you change the master password. If you proceed on step 2, make sure to log out of all sessions and then log back in so you don’t mistakenly harm the data file. You can read about this on the webpage. It’s easy to do and effectively creates a brand new vault with totally new everything. I do it every few months just for my own OPSec.

Will using “Deauthorize sessions” prevent this potential harm?

I simply “log out” of all open sessions. I am not near a place where I can open my actual vault right now to discern the actual term used in the process. The reason for logging out/closing all sessions is that any former open sessions are using the OLD encryption keys (has nothing to do with the Master Password used). By logging out and then logging back in, your devices will have the new encryption keys being used. Don’t mix them together or data loss will happen. Fear not; this is really easy stuff.