LastPass breach and implications for BitWarden

Is there a blog post of some kind that discusses why what happened to LastPass users is unlikely to happen to BitWarden users? Or if it happens, how BitWarden is making it harder for attackers.

So if attackers manage to get hold of my encrypted vault from BitWarden servers, do I face the same risks as with what has happened now at LastPass?

Every system can be breached, including BitWarden. But I rather prefer a PWMS that is aware of that and lets me know what the potential risks are.

And LastPass information policy during the whole incident was a disaster. Is there some statement from BitWarden, how their information policy is in comparable situations?

PS: Never have been a LastPass user

7 Likes

One big difference is that unlike LastPass, Bitwarden does not store any of your login URLs in cleartext. :person_facepalming:

5 Likes

Hey @laza thanks for checking in! Here is something I posted on Reddit last night:

Hey thanks for checking in! Yes, 100% of the information that you input into a Bitwarden vault is encrypted. You can also read more about our minimal data collection here: https://bitwarden.com/help/administrative-data/

And here is a link to some of the steps we take to protect the Bitwarden codebase.

The Bitwarden team continues to focus first and foremost on security, with the team undergoing regular security training, the open source codebase being under regular public scrutiny on Github, subjected to third party audits and consistently monitored by security researchers as part of the bug bounty program.

Whether you work for a security company or are protecting a family account, it is also important to remember that often when we hear about hacking, it is someone gaining access through social engineering attacks. This means a lot of the basics ring true for all team members: ensure that workstations are locked down, 2FA is utilized, zero trust where possible, and be suspicious of any communications that rely on time/pressure to get a response.

6 Likes

One stipulation I’d like to point out here is any privacy concerns when it comes to the icon server.

URIs stored in your Bitwarden vault still rely on CloudFront CDNs (or your own server if self-hosting) for serving up favicons.
This may be a concern for some, though it’s pretty clear and made apparent from the get-go by Bitwarden.

It can be disabled by the user, and Bitwarden is up-front and transparent about the options to the user, and yes, thankfully still never stored in clear-text ever.
Just a possible concern for some related to URIs while we are on the topic.

2 Likes

Came here to post the same question. But basically also wondering: what policies and procedures does Bitwarden have in place to prevent a similar hack to what happened to Lastpass?

@Brendon_LA – See the information that @bw-admin posted above.

Question for the lastpass breach in regards to bitwarden. It looks like in Lastpass’ case, some dev/team keys were also compromised which leaked metadata information for vaults like the website url.

According to their press release (Notice of Recent Security Incident - The LastPass Blog):

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Note how it says the format contains UNENCRYPTED data and ENCRYPTED data.

Does this mean that (for bitwarden), if we attach a note or a custom field to an item (visible in cleartext, but only after logging into your bitwarden), that information would have been leaked as well had a similar breach occurred?

In other words, is our entire item entry encrypted with our personal key or are the plaintext fields visible when viewing an item left unencrypted by our personal key?

e.g. let’s say we stored a one-sentence reminder of our password on the item entry in the notes field or a custom field. Is that data NOT encrypted by your personal key? I was under the impression that your entire vault was encrypted with your personal key.

Hey @dooria thanks for checking in! All information you add to a vault item is encrypted; more here: https://bitwarden.com/help/vault-data/

1 Like

For everybody who is still worried:

Below is literally what a typical login item looks like when stored in your vault. Every gibberish string that starts with 2. and ends with = is an encrypted cipher string, which cannot be decoded without knowledge of your master password or account encryption key. You can see that the item name, URL (uri), username, password, and notes are all encrypted.

{
  "id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
  "organizationId": null,
  "folderId": null,
  "edit": true,
  "viewPassword": true,
  "organizationUseTotp": false,
  "favorite": false,
  "revisionDate": "2022-08-01T23:14:22.7Z",
  "type": 1,
  "name": "2.oiOe4QnM/BeFRsZKAgTLUA==|FSG6Wmi8n2oS8uAyk9/Y0Q==|pPeRfXpjoMBF+JvNv/pPsS8GLxFCeSjX4kQC44ZxbIwE=",
  "notes": "2.d7tqa4zezJ+R8FO5WMVvUg==|HRjZwkjyb9aI60gyLz0b5Ntb+uveK/7IUqZIPJV+om5UsySBUhmOAlpADPe3vfAP|7+kVhl/F0Hf3BuHXhfYM4CKFtPYo31trDRSxFyT/KE8=",
  "collectionIds": [],
  "creationDate": "2022-07-31T21:00:12.7433333Z",
  "deletedDate": null,
  "reprompt": 0,
  "login": {
    "username": "2.zsIWcVw+a7zAshc5m6iqtA==|chVngW949S8w2vZ4+kIwmTRuIspbXm/9Jj4klqapZbs=|yaDnEai9KkWhhjKfGqpJ/yg3bZz6DWc/D4i9kJMbEeA=",
    "password": "2.HjksBbULW3WeWNbdwzn/OA==|6e4vTySS3SC4Iptt9ZVvzw==|+B1LLaWOiP96gXajJQ7ybBF9u0cluUmJ0wZbV0TiU5Q=",
    "passwordRevisionDate": null,
    "totp": null,
    "autofillOnPageLoad": null,
    "uris": [
      {
        "match": 0,
        "uri": "2.weqaSzg07ivBpkZiTGaYDg==|y3cadRYyzBCsHn/LS0T61HlFK58AupiR8gfFbcQ8psJfqhEremBpBqqrTau5J+fhXxlzS3WDfPVu2Fe1Rm/STo39S9tCRXLPrBugKtjCOfI=|/oNwBNtDqQsG72KgUcCxkhQEmgL5qdq/ocZYJWWrKrc="
      }
    ]
  }
}
3 Likes
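As an added example (not code from the thread or from Bitwarden), here is a small Python audit that walks a stored item in the shape shown above, splits each `2.iv|ct|mac` string into its base64 parts, and reports which fields are cipher strings and which are readable metadata. It assumes encryption type 2 is the AES-CBC-256 + HMAC-SHA256 layout (16-byte IV, block-aligned ciphertext, 32-byte MAC) as defined in Bitwarden's open-source clients; the sample item is a trimmed copy of the one posted above.

```python
import base64
import binascii
import re

# Bitwarden cipher strings look like "<type>.<iv>|<ciphertext>|<mac>", all base64.
# Assumption: type 2 is AES-CBC-256 + HMAC-SHA256 (check the open-source client code).
CIPHER_RE = re.compile(r"^(\d+)\.([^|]+)\|([^|]+)\|([^|]+)$")

def parse_cipher_string(value):
    """Describe the structure of a cipher string, or return None if it is not one.
    Only sizes are reported: nothing here can recover plaintext, because the
    encryption and MAC keys are derived on the user's device and never stored."""
    m = CIPHER_RE.match(value)
    if not m:
        return None
    enc_type = int(m.group(1))
    try:
        iv, ct, mac = [base64.b64decode(p, validate=True) for p in m.groups()[1:]]
    except binascii.Error:
        return {"type": enc_type, "malformed": True}
    return {
        "type": enc_type, "iv_bytes": len(iv), "ct_bytes": len(ct), "mac_bytes": len(mac),
        "layout_ok": enc_type == 2 and len(iv) == 16 and len(ct) % 16 == 0 and len(mac) == 32,
    }

def audit_item(item, path=""):
    """Walk a stored vault item and label each leaf 'encrypted', 'malformed' or 'plaintext'.
    Plaintext leaves are the metadata someone holding the raw blob could read."""
    report = {}
    if isinstance(item, dict):
        for k, v in item.items():
            report.update(audit_item(v, f"{path}.{k}" if path else k))
    elif isinstance(item, list):
        for i, v in enumerate(item):
            report.update(audit_item(v, f"{path}[{i}]"))
    elif isinstance(item, str) and (parsed := parse_cipher_string(item)):
        report[path] = "malformed" if parsed.get("malformed") else "encrypted"
    else:
        report[path] = "plaintext"
    return report

SAMPLE_ITEM = {  # trimmed copy of the login item shown in the thread above
    "id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx", "type": 1, "favorite": False,
    "revisionDate": "2022-08-01T23:14:22.7Z", "reprompt": 0,
    "notes": "2.d7tqa4zezJ+R8FO5WMVvUg==|HRjZwkjyb9aI60gyLz0b5Ntb+uveK/7IUqZIPJV+om5UsySBUhmOAlpADPe3vfAP|7+kVhl/F0Hf3BuHXhfYM4CKFtPYo31trDRSxFyT/KE8=",
    "login": {
        "username": "2.zsIWcVw+a7zAshc5m6iqtA==|chVngW949S8w2vZ4+kIwmTRuIspbXm/9Jj4klqapZbs=|yaDnEai9KkWhhjKfGqpJ/yg3bZz6DWc/D4i9kJMbEeA=",
        "password": "2.HjksBbULW3WeWNbdwzn/OA==|6e4vTySS3SC4Iptt9ZVvzw==|+B1LLaWOiP96gXajJQ7ybBF9u0cluUmJ0wZbV0TiU5Q=",
        "uris": [{"match": 0, "uri": "2.weqaSzg07ivBpkZiTGaYDg==|y3cadRYyzBCsHn/LS0T61HlFK58AupiR8gfFbcQ8psJfqhEremBpBqqrTau5J+fhXxlzS3WDfPVu2Fe1Rm/STo39S9tCRXLPrBugKtjCOfI=|/oNwBNtDqQsG72KgUcCxkhQEmgL5qdq/ocZYJWWrKrc="}],
    },
}

if __name__ == "__main__":
    for field, status in sorted(audit_item(SAMPLE_ITEM).items()):
        print(f"{status:10} {field}")
```

Running it lists the URL, username, password and notes as encrypted and only item ids, dates, type and flags as plaintext, which is the metadata that would be exposed if the stored blob leaked.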

2FA, including for instance a Yubikey every time you install Bitwarden on a new device or open it from a new device, would alleviate many (or should alleviate many) of your concerns. I don’t know of any Yubikeys that have been hacked, and if you’re super worried you can use the Yubikey to open BW each time.

No, while 2FA offers great protection against compromised master passwords (especially if using Yubikey with FIDO2/Webauthn), 2FA will provide exactly zero extra protection against the kind of breach that occurred at Lastpass. The 2FA is only required to obtain a copy of your vault, it is not required to decrypt your vault. In the Lastpass breach, the vault data were exfiltrated through a side channel, and once the attackers have the vault data there is no need for authentication.

1 Like

I agree with @grb that the hack at Lastpass exposed an awful security oversight: Lastpass failed to have enough (2FA) access control on backup files. In other words, retrieving a backup file should require a 2FA code as well as a login (at the very least, and perhaps more safeguards).

Question: is there a public statement from competitors like 1Password that they have better access security, for their backup files, already in place?

Backup files are the crown jewels, the storage of your secrets. It helps that they are encrypted, but if a bad guy has a copy, they can take as long as they like to try new ways to decrypt. An analogy is stealing a big, heavy, iron safe, without opening it yet. Back in the garage, the thief can use as many saw blades as they want to attack the big iron safe.

1 Like

Hello,
I just read an article on this. It’s a shame that Lastpass didn’t reveal the problem sooner. They probably saw it as a sort of admission of failure, I guess, and they tried to avoid or delay it, probably. A bad way of thinking. It would have allowed customers to change their password, and they would have been reminded to watch out for phishing attempts.
Let’s hope that Bitwarden would let us know quickly about the same issue in an identical situation.
I have the same questions as you.
Is everything 100% encrypted with Bitwarden?
It’s worth thinking about the consequences of data theft on the servers, indeed.
Isn’t everything encrypted with Lastpass? Why?
What are the differences between Lastpass and Bitwarden?

What can hackers do with our encrypted data?
I thought that the answer was nothing. Was I wrong?
The Lastpass case is interesting.
I also think that there’s no server that cannot be hijacked one day, unfortunately. Not necessarily, but it’s possible.
The real question is: could the hackers get our data in the clear in the end? Is it impossible?

This was answered earlier in this thread, here and here.

Nothing, unless you have a weak master password.

You may find this Mastodon post by password security expert Jeremi Gosney to be illuminating.

3 Likes

Thanks for sharing this.

2 Likes

+1 (Great post @grb, thanks for sharing).

2 Likes

Thanks for your answers. I will read that with much interest :slight_smile:

Here is an interesting article from 1Password. It is the use of what they call Secret Key. Does Bitwarden have a similar layer of security, or is it just the same as LastPass?

1 Like

Neither. Bitwarden is more secure than LastPass; Bitwarden is equally secure to 1Password if you are using a strong Master Password. If you are using a weak Master Password (which is a bad idea), then 1Password’s secret key would protect the vaults that are stored on their servers, but offers no additional protection for the local copies of the vault that are stored on your devices.

2 Likes

It seems that on Lastpass 2FA (like a Yubikey) only stops the downloading of a vault. Once a vault is downloaded out of LastPass’ internal backups then 2FA is bypassed.
Is this also true for Bitwarden? Or is Bitwarden’s vault itself protected by a Yubikey thus making it impossible to break into the vault?