Is this email authentic: Action required to maintain your Bitwarden account

Hello guys,

I got an email from no-reply at bitwarden.com to my email address used for my Bitwarden account with the following content:
Bitwarden has enhanced its data encryption standards to further strengthen account security. To continue using your account, you must complete a one-time migration to the new encryption system.

Accounts not migrated by June 24, 2025 will no longer be supported. Unmigrated accounts will be permanently deleted, and all associated data will be lost.

To avoid losing access, please log in and complete the migration now at vault.bitwarden.com (https://start.bitwarden.com/e3t/somethingcryptic...)
[Edit by Nail1684: I just made the link non-clickable.]

Is this email trustworthy? I’m on the bitwarden.eu instance, so I guess the link wouldn’t even work. When I log in to my vault, there is no such request to update my encryption method?

For me this looks a bit suspicious and doesn’t give me a good feeling about trusting Bitwarden…

Thank you

@r722d Welcome to the forum!

Without a deep analysis, I think it’s already safe to say it’s a fake/phishing email not coming from Bitwarden. [Edit: As it’s a legitimate mail according to @Quexten, and very likely designated for a US account, some things do look different now in hindsight.] Speaking of which:

Understandable – but not a single service has control over who else sends fake/phishing emails, pretending to be that service.

And the content of that mail can be ignored. There is neither such a migration of encryption that would require any such action, nor a deadline like that (as far as I know).

It’s good to look for things like that! Unfortunately, those can be spoofed. – You might want to change your email address for Bitwarden now, as it might be part of a data breach… (and obviously, you should check whether your master password is “strong”, if you have 2FA enabled etc.)

Could you post a screenshot of that mail? (just to have a better idea how they designed it)

PS:

Indeed, as the link in that email points to a .com site that doesn’t match with your account on the EU server region – and that alone doesn’t make much sense… [Edit: see my comment at the beginning of this post]

I’m not sure about the question mark at the end… did you already try to log in to your (web) vault (as @grb also already suggested – and obviously not by clicking that link in that email!) or didn’t you log in yet? - If there was any need for action for your account, then there should be some kind of notification in the web vault about that…

Seems like an odd notice, given that no corresponding announcements have been made on the forum. I thought it might be related to deprecated KDF settings, but that should not be possible if you are on the bitwarden.eu server.

The best thing to do would be to first ensure that your device is malware free (or find a malware free device), and then log in to the web vault by using a link from one of the other Bitwarden apps (e.g., go to Settings > About > Bitwarden Web App in the browser extension; or go to Help > Go To Web Vault in the Desktop app), or use the direct login link https://vault.bitwarden.eu/#/login.

If there is a legitimate issue, you will see a notice when you log in to the Web Vault app using one of the above methods. [Edited to Add: On re-reading your post, I see now that you did write that you saw no such notice when you logged in to your vault — but are you referring to the Web Vault, or one of the other Bitwarden apps or extensions?]

Overall, there are several red flags in the email text that lead me to believe it is not a legitimate email, but who knows, on occasion Bitwarden has been known for clumsy communication.

You may also want to analyze the email headers, by copying and pasting them into one (or both) of the following tools:

Also, it would be helpful if you could provide more information about the link given (although you must be super careful so that you don’t accidentally launch the link). I would suggest right-clicking the link and selecting the option “copy link address” (or anything equivalent). Then, in your forum response, click the </> (Preformatted Text) button in the editor toolbar (or simply use the keyboard shortcut Ctrl+e) while the cursor is on a new (empty) line. You should then see the following:

```
type or paste code here
```

Paste the copied link over the text that says “type or paste code here”, and refrain from adding any other text to any of the three lines inserted by the </> function.

1 Like

There is no corresponding announcement in the Release Notes either. - If accounts not migrated by June 24, 2025 really were going to be deleted, I think we would at least have read that in the Release Notes.

(Sidenote: even the abandonment of the U2F protocol for 2FA was announced months before… so that whole mail doesn’t sound plausible to me)

:eyes:

Hello,

I also agree with the previous comments about the authenticity of the email, given that there is no corresponding announcement of such an improvement.

But I am also intrigued by the Sender ([email protected]) which is a legitimate Bitwarden address. A spoofed email would fail the SPF/DMARC/DKIM tests as suggested by a previous comment. If it doesn’t fail and this isn’t a legitimate email, then this would be a problem.

Another intriguing thing would be the link provided, which looks like it’s pointing to the right domain, which again, if this isn’t a legitimate email, is somewhat alarming.

There is the possibility that look-alike names are in use, leveraging Unicode – similar to b1twarden.com, but Unicode can make it completely invisible to the eye.

My suggestion: save the email with headers, zip it up and send it on to [email protected] for their advice. They will know if it is authentic, and you will be giving them the opportunity to decide if they need to take action against a bad actor.

In any case, you are right never to enter your credentials on a link emailed to you. It is best to log in using the login URL you already know and let autofill enter the credentials, because autofill can detect social engineering that is invisible to you.

1 Like
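To make the look-alike problem concrete, here is an added example in Python that is not from this thread or from Bitwarden: it does explicitly for a link what a password manager's URL matching does implicitly, converting the host to its IDNA form so that Unicode look-alike letters become visible as `xn--` labels, and comparing the registrable domain with the expected one. The sample URLs are constructed (the path on the start.bitwarden.com link is a placeholder), EXPECTED_ORG_DOMAIN is an assumption, and org_domain() deliberately ignores the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

EXPECTED_ORG_DOMAIN = "bitwarden.com"  # assumption: the domain a genuine link should belong to

def org_domain(host):
    # Simplification: last two labels. A real check consults the Public Suffix List.
    return ".".join(host.rstrip(".").split(".")[-2:])

def check_link_host(url):
    """Report whether a link's host is plain ASCII and really belongs to the expected domain."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    non_ascii = [c for c in host if ord(c) > 127]
    # The resolver sees the IDNA form; Unicode look-alike letters show up as xn-- labels here.
    ascii_host = host.encode("idna").decode("ascii")
    return {
        "host": host,
        "ascii_host": ascii_host,
        "has_non_ascii": bool(non_ascii),
        "non_ascii_names": [unicodedata.name(c, "UNKNOWN") for c in non_ascii],
        "punycode": any(label.startswith("xn--") for label in ascii_host.split(".")),
        "matches_expected": org_domain(ascii_host) == EXPECTED_ORG_DOMAIN,
    }

# Constructed samples: the legitimate subdomain named in the thread (placeholder path),
# the digit look-alike mentioned above, and a Cyrillic-letter look-alike.
SAMPLES = [
    "https://start.bitwarden.com/e3t/placeholder-path",
    "https://b1twarden.com/login",
    "https://bitw\u0430rden.com/login",
]

if __name__ == "__main__":
    for url in SAMPLES:
        r = check_link_host(url)
        verdict = "OK" if r["matches_expected"] and not r["has_non_ascii"] else "SUSPICIOUS"
        print(f"{verdict:10} {r['host']} -> {r['ascii_host']} {r['non_ascii_names']}")
```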

One possible complication in that logic is that even legitimate Bitwarden emails do not always pass… :roll_eyes:


Not sure to what extent @r722d had manually typed or manipulated the URL before posting it (it seems that at a minimum, they modified the path that says “somethingcryptic…”), but start.bitwarden.com appears to be a legitimate subdomain (which, when used by itself with no specified path, will redirect to https://www.bitwarden.com/).

But wouldn’t you expect a spoofed email, unless BW’s domain & email infrastructures are compromised, would always FAIL? :confused:

Just to add to the discussion, start.bitwarden.com resolves to 2606:2c40::c73c:67e3 and 199.60.103.227, both with ASN to cloudflare, and company to HubSpot, inc. The typical bitwarden domains, i.e. www.bitwarden.com, vault.bitwarden.com, community.bitwarden.com, usually resolve to something either cloudflare or Fastly in both the ASN and company.

HubSpot is a subprocessor of Bitwarden, but possibly as features in the Team & Enterprise sections. I tried signing up for a new account (given the possible onboarding message change recently), but all the links point to vault.bitwarden.com, bitwarden.com, and one assets.bitwarden.com.

Hi guys,
thanks for the overwhelming replies so far. No, I haven’t clicked on the link in the email yet. I just logged in using the web vault via known URLs and the browser extension.

Here is a screenshot of the most likely fake email:

And here is the email header. I removed my personal data.

```
Return-Path: <1axb2hpwuzf4icc6y9lyaszs9ml0fz8gjc93vk-r722d=emailprovider.com@22371289t.bitwarden.com>
Delivered-To: [email protected]
Received: from proxy02.emailprovider.name ([127.0.0.1]) by dovecot16.emailprovider.name (Dovecot) with LMTP id QrtPFlxdOGgDCgMAchYRkQ for <[email protected]>; Thu, 29 May 2025 15:30:56 +0200
Received: from proxy02.emailprovider.com ([127.0.0.1]) by proxy02.emailprovider.name (Dovecot) with LMTP id VPCzN9FVOGi62gIAGFAyLg ; Thu, 29 May 2025 15:30:56 +0200
Received: from mailin04.emailprovider.com (unknown [10.0.0.64]) by proxy02.emailprovider.com (Postfix) with ESMTPS id 4b7S1X48KSzyZB for <[email protected]>; Thu, 29 May 2025 15:30:56 +0200 (CEST)
Received: from mx04.emailprovider.com (mailin04.emailprovider.com [127.0.0.1]) by mailin04.emailprovider.com (Postfix) with ESMTP id 8108F2040B for <[email protected]>; Thu, 29 May 2025 15:30:56 +0200 (CEST)
X-Virus-Scanned: amavisd-new at emailprovider.com
X-emailprovider-Spam-Status: v=1; e=base64; a=aes-256-gcm; d=iDmpuKODIPAc98+dtGvyDyZUSxWJUqFRA0Uo6qHfu9/kBDsQ8MNBBByeqVp77UkZzdfyr2fjd htTv/fBImzV9NTwAxPzGDtKWBih5moLbGvZyj/ZP5VunjJu6sicgTs+2wklc9nCzprq2OKXCiyH DSszk4JwTh0kl8mOECroxkmPfu6DhrlvUPGWS3IOctNuD3gxopbcSwaQvx8As2KTE/OwJbYf8s7 5EhObtrrH0nIzE1NM0kTt4J7jZMYUp9Tp8YWIxG0NCZxbixWoOEZ9QbmrUk0y0XeAYdDQDI5fc1 i2EBz+uI3Trt2YEXEzmr0s6t5lUq+b8pTNgxjBL6vIEnoXOrxKPnG+8zBKV3uq88GrxKhsyzWEG AGarJ7TW3fDt3caGJVjuan0Wz6PMX47XBIMMyQs5cVVBqVZX1AVkI3bKw+y7qCD/d75GxpjSDrT JX5WFlPoFAL87EhGuMiOkvXnhvWF1rKzB8iJR7r45TD+reO8M39iBCZRy/szu/K3LTjIlyNLmaj 9RcPhyabdqQtO5QvNhPdNkPKt0M1BS+f8GuTQLfqCQ4lZ/B6/LmG+f+Kq+R/Dhrzkr0UYER4=
Authentication-Results: emailprovider.com; dmarc=pass (p=reject dis=none) header.from=bitwarden.com
Authentication-Results: emailprovider.com; spf=pass smtp.mailfrom=22371289t.bitwarden.com
X-emailprovider-Antispam-Signature: v=1; e=base64; a=aes-256-gcm; d=DbSapAF2IdNgFmh4S4d6FqIOWSpuobPnUVqnXEBX+Mzeslfuahrt/luxozSm5IYf+jmHAiUTDp411mnyGRZqCcMDGnA4geMAE9cTm3luz+IEb6gSse9I0idwkYI5lMhFk5irF4YH
Authentication-Results: emailprovider.com; dkim=pass (2048-bit key) header.d=22371289t.bitwarden.com [email protected] header.b=vKUBxiD7; dkim=pass (2048-bit key) header.d=bitwarden.com [email protected] header.b=FXEjjeWj; dkim-atps=neutral
X-emailprovider-TLS-Received-Status: TLSv1.2
Received: from bid4685.22371289t.bitwarden.com (bid4685.22371289t.bitwarden.com [158.247.21.103]) by mx04.emailprovider.com (Postfix) with ESMTPS id 4b7S1W4cmFz11cp for <[email protected]>; Thu, 29 May 2025 15:30:55 +0200 (CEST)
Received: by 172.16.215.36 with SMTP id a0cgfhxxtp4xci0xt9vhdsc7pnrlhwsdh5ih8gfs0ar; Thu, 29 May 2025 13:30:55 GMT
DKIM-Signature: v=1; s=hs1; d=22371289t.bitwarden.com; [email protected]; h=sender:from:from:reply-to:to:to:cc:cc:subject:subject:list-unsubscribe:form-sub:feedback-id:list-unsubscribe-post; a=rsa-sha256; c=relaxed/relaxed; bh=Rx9NNfA2r3bnwIpCjs4+fFhMuUQ3qONri2z+RI83Mjo=; b=vKUBxiD7i7uiOoCUpDwSdo/o7KiihNyQn8GfK4dAIyW/1sVe39Nib+qTkmvNZY fPLCMlMLF6B+8rWhoqgaqPfq30S8yCzSW/t4iD4SqWVVuibL2Ii7YtuzSpWsXuk jAeRIJabHYgfBlyBh4Ycogd7jOs3J3Vjd18iXJL/L6MPE5ynOf1XRAeOFje005E vKFWO7ahRuUOXxU/rLpf212405vB38tBhXDBZ8eIpbRUI6gfOwpJvmGLfopPKtp PhTXNHmrv89pkPbm4XKpQQ32+1t8TVzFKoAF50ge31WIJSpP3AaFNW0fECPlnte xGmB9ThMcCVcbBmpA5/KXoQXJBXQ==; q=dns/txt; t=1748525455; x=1748788255;
DKIM-Signature: v=1; s=hs1-22371289; d=bitwarden.com; [email protected]; h=sender:from:from:reply-to:to:to:cc:cc:subject:subject:list-unsubscribe:form-sub:feedback-id:list-unsubscribe-post; a=rsa-sha256; c=relaxed/relaxed; bh=Rx9NNfA2r3bnwIpCjs4+fFhMuUQ3qONri2z+RI83Mjo=; b=FXEjjeWjnDZ5OuBVUUSC0W8QINSEmM4OTx0duSCzsFzsY9akf8ozPW3LtrdqxB KXZdepZpQnHoaCKduiO/tEQRVJwXfSueCbvmq24rgYUIxyXuNgHZua8iZCGT9+2 J6d/0uYcpyqfmrONdiTgOYcrHMYSpOE0QGgq6rJzlCT1pm0J7RTzP4LuLyqxkVx lNG2lFngbSmK1G0Ri6A5xu0LYktHZP63+Su6bVQP9jhSoxUfjMX0UgC2qpo7MCp TjrKfhhzgONOkQUsIYvgPp1DtoBrpna9pH9zskbczGW/hv8vM8t3xoXwtX+AxT1 q9BTLIRIJ+F2F2eh5n9XcGhK1ZQA==; q=dns/txt; t=1748525455; x=1748788255;
X-HS-Cid: 1axft4wc7woondsybwhbw4d45enyd0d98lgy6o
Date: Thu, 29 May 2025 09:30:55 -0400
From: Bitwarden <[email protected]>
Reply-To: [email protected]
To: [email protected]
Message-ID: <1748525448379.0e8d3929-4fef-44e3-bdfa-b9f9f9b197d5@22371289t.bitwarden.com>
Subject: Action required to maintain your Bitwarden account
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_5862784_995845725.1748525455190"
X-Report-Abuse-To: [email protected] (see https://policy.hubspot.com/abuse-complaints)
```

It passes on the SPF and DMARC tests.

Thank you, everyone, for letting me know that there is no such migration planned.
I hope other affected users will find this post and that it will help them avoid clicking on the link.
I will also report it to Bitwarden.

https://start.bitwarden.com/e3t/Ctc/RK+113/d2F3X704/VVt96N1wwH7FW8km4_G97c-6QW7Pgndt5x8fGKN6R-BYK3lYMRW69sMD-6lZ3nBW9fHHnn8F5mfzVBsdLn2-bQjjW2CQTXL6GQRblW1R2JMq2tDP5MW2L-y3t2gkqVlW2CFdCw7Fg-fzW3glzyW4WRkjpW3KGzRD5XFPJNW3yXJc62k500jW5rN7FC8wBjs8W1xFTfJ9jpjYPW5J25sZ2VWnTWN4grtk1Nbk_MW5Rzp_S9hz-gtN8LYCB7RDk25N6HB38zXWy5xN2H2RBv3cxmfW1DdFmc2NkFs5N8WRVKGhyJs1W7r9pDs5QbHjBf8Lshjn04

This is the original link provided in the email behind the “Migrate Data” button.

1 Like
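As an added worked example (not code from the thread, nor Bitwarden's): a short Python script that parses the Authentication-Results headers posted above and reconstructs why the receiver's DMARC verdict is pass. SPF passed for the bounce domain 22371289t.bitwarden.com, which aligns with the From: domain only in relaxed mode, while the second DKIM signature is on bitwarden.com itself and is strictly aligned. The header excerpt is constructed from the values shown in this thread (the From: address is taken from the first post; redacted fields and base64 blobs are left out), and org_domain() is a deliberate simplification that does not consult the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed excerpt of the headers posted in this thread (values as shown there;
# redacted fields and base64 blobs left out).
RAW_HEADERS = """\
Authentication-Results: emailprovider.com; dmarc=pass (p=reject dis=none) header.from=bitwarden.com
Authentication-Results: emailprovider.com; spf=pass smtp.mailfrom=22371289t.bitwarden.com
Authentication-Results: emailprovider.com; dkim=pass (2048-bit key) header.d=22371289t.bitwarden.com header.b=vKUBxiD7; dkim=pass (2048-bit key) header.d=bitwarden.com header.b=FXEjjeWj; dkim-atps=neutral
From: Bitwarden <no-reply@bitwarden.com>
"""

def parse_auth_results(msg):
    """Yield (method, result, props) for each clause of every Authentication-Results header."""
    for value in msg.get_all("Authentication-Results", []):
        clauses = re.sub(r"\([^)]*\)", "", value).split(";")  # drop (comments) first
        for clause in clauses[1:]:                             # clauses[0] is the authserv-id
            tokens = clause.split()
            if tokens:
                method, _, result = tokens[0].partition("=")
                yield method, result, dict(tok.partition("=")[::2] for tok in tokens[1:])

def org_domain(domain):
    # Simplification: last two labels. A real check consults the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def alignment(result, identifier, from_domain):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    identifier = identifier.lower()
    return {"result": result, "domain": identifier, "strict": identifier == from_domain,
            "relaxed": org_domain(identifier) == org_domain(from_domain)}

def dmarc_report(raw):
    """Explain a receiver's DMARC verdict from the authenticated identifiers it recorded."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    report = {"from_domain": from_domain, "receiver_dmarc": None, "spf": None, "dkim": []}
    for method, result, props in parse_auth_results(msg):
        if method == "dmarc":
            report["receiver_dmarc"] = result
        elif method == "spf":
            report["spf"] = alignment(result, props.get("smtp.mailfrom", ""), from_domain)
        elif method == "dkim":
            report["dkim"].append(alignment(result, props.get("header.d", ""), from_domain))
    # DMARC passes when at least one passing identifier aligns (relaxed is the default mode).
    aligned = [r for r in [report["spf"], *report["dkim"]] if r and r["result"] == "pass" and r["relaxed"]]
    report["computed_dmarc"] = "pass" if aligned else "fail"
    return report
```

A DMARC pass only shows that the message came through infrastructure that bitwarden.com's DNS authorises (here HubSpot); it says nothing about whether the content itself was intended for your account.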

Just a note on this, none of my emails from Bitwarden has:

  1. "reply-to: "
  2. the company’s address at the bottom
  3. the bottom-most logo

edited: logo

And just to be sure: so when you regularly logged in to your web vault, there is no warning message or notification of any kind, that you have to take any action regarding encryption migration, right? (not in the “start screen”, and also not in the various Settings pages?)

Adding to this:

E.g. the legitimate “New device Logged In…” mails in the EU region do get sent from a bitwarden.eu mail address.

PS: As my account is in the EU region server as well, I didn’t get such an email.

… and the question remains what could be meant at all. – Even if it was KDF, I think not even on the .com servers were the accounts with “Low KDF” warnings “forcibly migrated” (hence this still open feature request: Increasing the default number of PBKDF2 for existing accounts).

Regarding “data encryption” of the vault etc. - I think there are some changes going on in the background (e.g. Remove legacy encryption services by quexten · Pull Request #14551 · bitwarden/clients · GitHub ?!), but as written before, so far nothing was announced or mentioned anywhere AFAIK that would even involve any user action.

And as you @grb alluded to: the EU server region is quite “new” (I think it was introduced around mid 2023), so very unlikely that there suddenly is any pressing “encryption migration” needed for those “recent” accounts…

So in sum, the whole “issue” of the mail doesn’t seem very plausible / valid to me. :thinking:

Thanks. I think the header more or less indicates that Bitwarden’s infrastructure, associated with HubSpot, was probably involved. At the point the email passed from HubSpot to your email provider, all SPF/DKIM/DMARC checks passed.

I think there is trouble, or it is authentic, or some unknown things.

My latest emails from Bitwarden, initiated by my own actions, didn’t result from this kind of email chain from within HubSpot. They came through SendGrid, with unidentifiable internal servers.

You should definitely pack up your email in its entirety and forward it to Bitwarden for confirmation/analysis.

1 Like

@djsmith85 @dwbit Could you shed some light on it from an official side? (e.g. if there could be such an “un-announced” migration going on - and emails like that getting sent - at all)

2 Likes

@r722d I strongly agree with the above (save the message, place it in a ZIP file, and email it as an attachment to [email protected]). I would also suggest that you include a link to this discussion in your email. If you get a response, please share any conclusions with us.

If you don’t mind, could you re-post the redacted email headers here, but using the same method that you used for pasting the URL — i.e., using the </> (Preformatted Text) button in the editor toolbar, as per my previous instructions? What you posted above is a little garbled, and cannot be parsed by the tools.

Hey all. This email is authentic. I’ll cc @dwbit here in case you need someone with a Bitwarden badge to confirm. It is not malicious, and accurately describes the situation. These accounts should not exist on the EU instance; @r722d did you have an old, separate account on the US instance that you never deleted?

For some background, accounts created prior to 2019 were created using an encryption scheme that used the key derived from your master password directly to encrypt account data. This is inflexible and carries a significant risk of creating vulnerabilities. Forced migration has been active for a while, and you cannot log in on these accounts on anything other than the web client. Support for this encryption scheme will be dropped as per the date mentioned in the email (corresponding git commit: [PM-20225] Prevent legacy users without userkey from logging in by quexten · Pull Request #14267 · bitwarden/clients · GitHub).

If you received such an email but don’t trust its legitimacy, then don’t click the button from the email and instead directly navigate to the web vault from the Bitwarden website. Logging in should show you a migration screen and allow you to migrate the account.

Here is what this looks like, taken from the PR introducing forced migration:

4 Likes