I got an email from no-reply at bitwarden.com to my email address used for my bitwarden account with the following content: Bitwarden has enhanced its data encryption standards to further strengthen account security. To continue using your account, you must complete a one-time migration to the new encryption system.
Accounts not migrated by June 24, 2025 will no longer be supported. Unmigrated accounts will be permanently deleted, and all associated data will be lost.
To avoid losing access, please log in and complete the migration now at vault.bitwarden.com (https://start.bitwarden.com/e3t/somethingcryptic...)
[Edit by Nail1684: I just made the link non-clickable.]
Is this email trustworthy? I’m on the bitwarden.eu instance so I guess the link wouldn’t even work. When I login to my vault, there is no such request to update my encryption method?
For me this looks a bit suspicious and doesn’t give me a good feeling for trusting bitwarden…
Without a deep analysis, I think it’s already safe to say it’s a fake/phishing email not coming from Bitwarden. [Edit: As it’s a legitimate mail according to @Quexten, and very likely designated for an US account, some things do look different now afterwards.] Speaking of which:
Understandable – but not a single service has control over who else sends fake/phishing emails, pretending to be that service.
And the content of that mail can be ignored. Neither is there such a migration of encryption that would take any such action, nor a deadline like that. (as far as I know)
It’s good to look for things like that! Unfortunately, those can be spoofed. – You might want to change your email address for Bitwarden now, as it might be part of a data breach… (and obviously, you should check whether your master password is “strong”, if you have 2FA enabled etc.)
Could you post a screenshot of that mail? (just to have a better idea how they designed it)
PS:
Indeed, as the link in that email points to a .com site that doesn’t match with your account on the EU server region – and that alone doesn’t make much sense… [Edit: see my comment at the beginning of this post]
I’m not sure about the question mark at the end… did you already try to login to your (web) vault (as @grb also already suggested – and obviously not by clicking that link in that email!) or didn’t you log in yet? - If there was any need for action for your account, then there should be some kind of notification in the web vault about that…
Seems like an odd notice, given that no corresponding announcements have been made on the forum. I thought it might be related to deprecated KDF settings, but that should not be possible if you are on the bitwarden.eu server.
The best thing to do would be to first ensure that your device is malware free (or find a malware free device), and then log in to the web vault by using a link from one of the other Bitwarden apps (e.g., go to Settings > About > Bitwarden Web App in the browser extension; or go to Help > Go To Web Vault in the Desktop app), or use the direct login link https://vault.bitwarden.eu/#/login.
If there is a legitimate issue, you will see a notice when you log in to the Web Vault app using one of the above methods. [Edited to Add: On re-reading your post, I see now that you did write that you saw no such notice when you logged in to your vault — but are you referring to the Web Vault, or one of the other Bitwarden apps or extensions?]
Overall, there are several red flags in the email text that lead me to believe it is not a legitimate email, but who knows, on occasion Bitwarden has been known for clumsy communication.
You may also want to analyze the email headers, by copying and pasting them into one (or both) of the following tools:
Also, it would be helpful if you could provide more information about the link given (although you must be super careful so that you don’t accidentally launch the link). I would suggest right-clicking the link and selecting the option “copy link address” (or anything equivalent). Then, in your forum response, click the </> (Preformatted Text) button in the editor toolbar (or simply use the keyboard shortcut Ctrl+e) while the cursor is on a new (empty) line. You should then see the following:
```
type or paste code here
```
Paste the copied link over the text that says “type or paste code here”, and refrain from adding any other text to any of the three lines inserted by the </> function.
There is no corresponding announcement in the Release Notes either. - If the accounts were not migrated by June 24, 2025 and the data would be deleted then - I think we would at least have read that in the Release Notes.
(Sidenote: even the abandonment of the U2F-protocol for 2FA was announced months before… so that whole mail sounds not plausible to me)
I also agree with the previous comments about the authenticity of the email, given that there is no corresponding announcement of such an improvement.
But I am also intrigued by the Sender ([email protected]) which is a legitimate Bitwarden address. A spoofed email would fail the SPF/DMARC/DKIM tests as suggested by a previous comment. If it doesn’t fail and this isn’t a legitimate email, then this would be a problem.
Another intrigue would be the link provided, which looks like it’s pointing to the right domain, which again, if this isn’t legitimate email, is somewhat alarming.
There is the possibility that look-alike names are in use, leveraging unicode – similar to b1twarden.com, but unicode can make it completely invisible to the eye.
My suggestion: save the email with headers, zip it up and send it on to [email protected] for their advice. They will know if it is authentic and you will be giving them the opportunity to decide if they need to take action against a bad actor.
In any case, you are right to never enter your credentials on a link emailed to you. It is best to login using the login URL you already know and let autofill enter the credentials because autofill can detect social engineering invisible to you.
One possible complication in that logic is that even legitimate Bitwarden emails do not always pass…
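The two checks proposed in the posts above (whether the receiving server recorded SPF/DKIM/DMARC passes in the headers, and whether the link's host actually belongs to the server region the account lives on, with unicode or punycode look-alikes flagged) can be done mechanically on the saved message. The following is an added Python example, not code from this thread or from Bitwarden; the sample message, its `Authentication-Results` values and the `mx.example.net` receiver are constructed for illustration, and the only domains it treats as known are the `bitwarden.com` and `bitwarden.eu` regions mentioned in the thread.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real Bitwarden message). The Authentication-Results
# header is the kind a receiving mail server adds; the link path is the redacted
# one quoted in the original post.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bitwarden.com;
 dkim=pass header.d=bitwarden.com;
 dmarc=pass header.from=bitwarden.com
From: Bitwarden <no-reply@bitwarden.com>
To: user@example.net
Subject: Encryption migration required
Content-Type: text/plain; charset=utf-8

To avoid losing access, please log in and complete the migration now at
https://start.bitwarden.com/e3t/somethingcryptic...
"""

# The two server regions named in the thread; anything else is "unrelated".
KNOWN_REGIONS = {"bitwarden.com", "bitwarden.eu"}


def auth_results(raw_message: str) -> dict:
    """Return {'spf': 'pass', 'dkim': ..., 'dmarc': ...} from Authentication-Results.

    Only the receiver's own header is meaningful: a sender can add a fake one,
    so in practice trust the header added by *your* provider (mx.example.net here).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    value = re.sub(r"\s+", " ", str(msg.get("Authentication-Results", ""))).lower()
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))


def link_hosts(raw_message: str) -> list:
    """Extract the lower-cased host of every http(s) link in the message body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_content()
    hosts = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url.rstrip(".,)")).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def classify_host(host: str, account_domain: str) -> str:
    """Compare a link host with the region domain the account actually uses."""
    labels = host.split(".")
    # Non-ASCII characters or punycode labels (xn--) are how unicode look-alikes
    # such as a Cyrillic 'а' in "bitwаrden" reach the address bar.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return "lookalike"
    if host == account_domain or host.endswith("." + account_domain):
        return "ok"
    if any(host == d or host.endswith("." + d) for d in KNOWN_REGIONS - {account_domain}):
        return "wrong-region"
    return "unrelated"


def check_email(raw_message: str, account_domain: str) -> dict:
    """Combine both checks: authentication verdicts plus a verdict per link host."""
    return {
        "auth": auth_results(raw_message),
        "links": {h: classify_host(h, account_domain) for h in link_hosts(raw_message)},
    }


if __name__ == "__main__":
    # An EU-region account receiving the sample: auth passes, link is wrong-region.
    print(check_email(SAMPLE_EMAIL, "bitwarden.eu"))
```

A "wrong-region" or "lookalike" verdict is a reason to ignore the link and sign in via a URL you already know, as the thread recommends; passing SPF/DKIM/DMARC only tells you the message really left the sending infrastructure, not that the action it requests is legitimate.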
Not sure to what extent @r722d had manually typed or manipulated the URL before posting it (it seems that at a minimum, they modified the path that says “somethingcryptic…”), but start.bitwarden.com appears to be a legitimate subdomain (which, when used by itself with no specified path, will redirect to https://www.bitwarden.com/).
Just to add to the discussion, start.bitwarden.com resolves to 2606:2c40::c73c:67e3 and 199.60.103.227, both with ASN to cloudflare, and company to HubSpot, inc. The typical bitwarden domains, i.e. www.bitwarden.com, vault.bitwarden.com, community.bitwarden.com, usually resolve to something either cloudflare or Fastly in both the ASN and company.
HubSpot is a subprocessor of Bitwarden, but possibly as features in the Team & Enterprise sections. I tried signing up for a new account (given the possible onboarding message change recently), but all the links point to vault.bitwarden.com, bitwarden.com, and one assets.bitwarden.com.
Hi guys,
thanks for the overwhelming replies so far. No, I haven’t clicked on the link in the email yet. I just logged in using the web vault by known URLs and the browser extension.
Here is a screenshot of the most likely fake email:
Thank you, everyone, for letting me know that there is no such migration planned.
I hope other affected users will find this post and that it will help them avoid clicking on the link.
I will also report it to Bitwarden.
And just to be sure: so when you regularly logged in to your web vault, there is no warning message or notification of any kind, that you have to take any action regarding encryption migration, right? (not in the “start screen”, and also not in the various Settings pages?)
E.g. the legitimate “New device Logged In…” mails in the EU region do get sent from a bitwarden.eu mail address.
PS: As my account is in the EU region server as well, I didn’t get such an email.
… and the question remains, what could be meant at all. – Even if it was KDF, I think not even on the .com servers were the accounts with “Low KDF” warnings “forcibly migrated” (hence this still open feature request: Increasing the default number of PBKDF2 for existing accounts).
And as you @grb alluded to: the EU server region is quite “new” (I think it was introduced around mid 2023), so very unlikely that there suddenly is any pressing “encryption migration” needed for those “recent” accounts…
So in sum, the whole “issue” of the mail doesn’t seem very plausible / valid to me.
Thanks. I think the header more or less indicates that Bitwarden’s infrastructure, associated with HubSpot, was probably involved. At the point the email passed from HubSpot to your email provider, all SPF/DKIM/DMARC checks passed.
I think there is trouble, or it is authentic, or some unknown things.
My latest emails from Bitwarden, initiated by my own actions, didn’t result from this kind of email chain from within HubSpot. They came through SendGrid, with unidentifiable internal servers.
You should definitely pack up your email in its entirety and forward it to Bitwarden for confirmation/analysis.
@djsmith85 @dwbit Could you shed some light on it from an official side? (e.g. if there could be such an “un-announced” migration going on - and emails like that getting sent - at all)
@r722d I strongly agree with the above (save the message, place it in a ZIP file, and email it as an attachment to [email protected]). I would also suggest that you include a link to this discussion in your email. If you get a response, please share any conclusions with us.
If you don’t mind, could you re-post the redacted email headers here, but using the same method that you used for pasting the URL — i.e., using the </> (Preformatted Text) button in the editor toolbar, as per my previous instructions? What you posted above is a little garbled, and cannot be parsed by the tools.
Hey all. This email is authentic. I’ll cc @dwbit here in case you need someone with a Bitwarden badge to confirm. It is not malicious, and accurately describes the situation. These accounts should not exist on the EU instance; @r722d did you have an old, separate account on the US instance that you never deleted?
For some background, accounts created prior to 2019 were created using an encryption scheme that used the key derived from your master password directly to encrypt account data. This is inflexible and has significant risk of creating vulnerabilities. Forced migration has been active for a while, and you cannot log in on these accounts on anything other than the web client. Support for this encryption scheme will be dropped as per the date mentioned in the email (corresponding git commit: [PM-20225] Prevent legacy users without userkey from logging in by quexten · Pull Request #14267 · bitwarden/clients · GitHub).
If you received such an email but don’t trust its legitimacy, then don’t click the button from the email and instead directly navigate to the web vault from the Bitwarden website. Logging in should show you a migration screen and allow you to migrate the account.
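To make the "inflexible" point in the previous reply concrete, here is an added Python example (not Bitwarden's code, and not its actual cipher suite) contrasting the two designs: the legacy one encrypts every item directly under the key derived from the master password, so a password change means decrypting and re-encrypting the whole vault; the migrated one encrypts items under a random user key and only wraps that key with the password-derived key, so a password change re-wraps one small blob. The `seal`/`unseal` construction (HMAC-SHA256 keystream plus an HMAC tag, with separate encryption and MAC keys) is an illustrative stdlib-only authenticated cipher chosen so the example runs offline; the iteration count is an assumed value for speed, and all vault items are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed for the example; real deployments use higher counts
NONCE_LEN, TAG_LEN = 16, 32


def master_key(password: bytes, salt: bytes) -> bytes:
    """Key derived from the master password (PBKDF2-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived from one root key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed (wrong key or tampered data)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


# --- Legacy design: items encrypted directly under the password-derived key ---

def legacy_encrypt_vault(password: bytes, salt: bytes, items: list) -> list:
    mk = master_key(password, salt)
    return [seal(mk, item) for item in items]


def legacy_change_password(old: bytes, new: bytes, salt: bytes, blobs: list) -> list:
    # Every item must be decrypted and re-encrypted: cost grows with vault size.
    old_mk, new_mk = master_key(old, salt), master_key(new, salt)
    return [seal(new_mk, unseal(old_mk, b)) for b in blobs]


# --- Migrated design: items under a random user key, user key wrapped by the master key ---

def create_vault(password: bytes, salt: bytes, items: list):
    user_key = os.urandom(32)
    wrapped_user_key = seal(master_key(password, salt), user_key)
    return wrapped_user_key, [seal(user_key, item) for item in items]


def unlock(password: bytes, salt: bytes, wrapped_user_key: bytes) -> bytes:
    """Recover the user key; raises ValueError on a wrong password."""
    return unseal(master_key(password, salt), wrapped_user_key)


def change_password(old: bytes, new: bytes, salt: bytes, wrapped_user_key: bytes) -> bytes:
    # Only the wrapped key is touched; item ciphertexts stay as they are.
    return seal(master_key(new, salt), unlock(old, salt, wrapped_user_key))


def migrate_legacy(password: bytes, salt: bytes, legacy_blobs: list):
    """The one-time migration: re-encrypt items under a fresh user key, wrap that key."""
    items = [unseal(master_key(password, salt), b) for b in legacy_blobs]
    return create_vault(password, salt, items)


if __name__ == "__main__":
    salt = b"user@example.net"
    items = [b"login: alice / hunter2", b"note: wifi password"]  # constructed
    wrapped, blobs = create_vault(b"old-master-pw", salt, items)
    wrapped2 = change_password(b"old-master-pw", b"new-master-pw", salt, wrapped)
    uk = unlock(b"new-master-pw", salt, wrapped2)
    print([unseal(uk, b) for b in blobs])  # items readable, blobs never rewritten
```

The wrapped-key layout is also what makes additional unlock methods possible without re-encrypting anything: each method only needs its own copy of the user key sealed under a different key.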