LastPass breach and implications for BitWarden

One stipulation I’d like to point out here is any privacy concerns when it comes to the icon server.

URIs stored in your Bitwarden vault still rely on CloudFront CDNs or your own server if self-hosting for serving up favicons.
This may be a concern for some, though it’s pretty clear and made apparent from the get-go by Bitwarden.

Can be disabled by the user and Bitwarden is up-front and transparent about options to the user, and yes thankfully still never stored in clear-text ever.
Just a possible concern for some related to URIs while we are on the topic.

2 Likes

Came here to post the same question. But basically also wondering: what policies and procedures does Bitwarden have in place to prevent a hack similar to what happened to LastPass?

@Brendon_LA – See the information that @dwbit posted above.

Question for the lastpass breach in regards to bitwarden. It looks like in Lastpass’ case, some dev/team keys were also compromised which leaked metadata information for vaults like the website url.

According to their press release Notice of Recent Security Incident - The LastPass Blog

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Note how it says the format contains UNENCRYPTED data and ENCRYPTED data.

Does this mean that (for Bitwarden) if we attach a note or a custom field to an item (visible in cleartext, but only after logging into your Bitwarden), would that information have been leaked as well had a similar breach occurred?

In other words, is our entire item entry encrypted with our personal key or are the plaintext fields visible when viewing an item left unencrypted by our personal key?

e.g. let’s say we stored a one-sentence reminder of our password on the item entry in the notes field or a custom field. Is that data NOT encrypted by your personal key? I was under the impression that your entire vault was encrypted with your personal key.

Hey @dooria thanks for checking in, all information you add to a vault item is encrypted, more here: https://bitwarden.com/help/vault-data/

1 Like

For everybody who is still worried:

Below is literally what a typical login item looks like when stored in your vault. Every gibberish string that starts with 2. and ends with = is an encrypted cipher string, which cannot be decoded without knowledge of your master password or account encryption key. You can see that the item name, URL (uri), username, password, and notes are all encrypted.

{
  "id": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
  "organizationId": null,
  "folderId": null,
  "edit": true,
  "viewPassword": true,
  "organizationUseTotp": false,
  "favorite": false,
  "revisionDate": "2022-08-01T23:14:22.7Z",
  "type": 1,
  "name": "2.oiOe4QnM/BeFRsZKAgTLUA==|FSG6Wmi8n2oS8uAyk9/Y0Q==|pPeRfXpjoMBF+JvNv/pPsS8GLxFCeSjX4kQC44ZxbIwE=",
  "notes": "2.d7tqa4zezJ+R8FO5WMVvUg==|HRjZwkjyb9aI60gyLz0b5Ntb+uveK/7IUqZIPJV+om5UsySBUhmOAlpADPe3vfAP|7+kVhl/F0Hf3BuHXhfYM4CKFtPYo31trDRSxFyT/KE8=",
  "collectionIds": [],
  "creationDate": "2022-07-31T21:00:12.7433333Z",
  "deletedDate": null,
  "reprompt": 0,
  "login": {
    "username": "2.zsIWcVw+a7zAshc5m6iqtA==|chVngW949S8w2vZ4+kIwmTRuIspbXm/9Jj4klqapZbs=|yaDnEai9KkWhhjKfGqpJ/yg3bZz6DWc/D4i9kJMbEeA=",
    "password": "2.HjksBbULW3WeWNbdwzn/OA==|6e4vTySS3SC4Iptt9ZVvzw==|+B1LLaWOiP96gXajJQ7ybBF9u0cluUmJ0wZbV0TiU5Q=",
    "passwordRevisionDate": null,
    "totp": null,
    "autofillOnPageLoad": null,
    "uris": [
      {
        "match": 0,
        "uri": "2.weqaSzg07ivBpkZiTGaYDg==|y3cadRYyzBCsHn/LS0T61HlFK58AupiR8gfFbcQ8psJfqhEremBpBqqrTau5J+fhXxlzS3WDfPVu2Fe1Rm/STo39S9tCRXLPrBugKtjCOfI=|/oNwBNtDqQsG72KgUcCxkhQEmgL5qdq/ocZYJWWrKrc="
      }
    ]
  }
}
2 Likes
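To make the post above concrete, here is an added example (not Bitwarden's code and not from the poster) that parses cipher strings of the form `<encType>.<iv>|<ciphertext>|<mac>` and sorts a vault item's fields into encrypted and plaintext. It assumes encType 2 means AES-256-CBC with an HMAC-SHA256 tag over iv||ciphertext, so a client can reject a tampered string before trying to decrypt it. The demo item mirrors the field layout shown above, but every value in it is constructed: the "ciphertext" bytes are filler, not real AES output, and the MAC key is a throwaway.

```python
"""Parse type-2 cipher strings and classify a vault item's fields.

Added example, not Bitwarden's code. Assumption: "2.<iv>|<ct>|<mac>" carries a
16-byte CBC IV, a block-aligned ciphertext and a 32-byte HMAC-SHA256 tag
computed over iv||ct. All keys and item values below are constructed.
"""
import base64
import hashlib
import hmac
import re

ENC_TYPE_AES_CBC_256_HMAC_SHA256 = 2
_CIPHER_RE = re.compile(r"^(\d+)\.([A-Za-z0-9+/=|]+)$")


def _b64(raw):
    return base64.b64encode(raw).decode()


def parse_cipher_string(s):
    """Split a type-2 cipher string into raw parts, checking every length."""
    m = _CIPHER_RE.match(s)
    if not m:
        raise ValueError("not a cipher string")
    enc_type = int(m.group(1))
    parts = m.group(2).split("|")
    if enc_type != ENC_TYPE_AES_CBC_256_HMAC_SHA256 or len(parts) != 3:
        raise ValueError("unsupported encType or layout")
    # binascii.Error (bad base64) is a ValueError subclass, so callers see one type.
    iv, ct, mac = (base64.b64decode(p, validate=True) for p in parts)
    if len(iv) != 16 or len(mac) != 32 or not ct or len(ct) % 16:
        raise ValueError("bad IV, ciphertext or MAC length")
    return {"enc_type": enc_type, "iv": iv, "ct": ct, "mac": mac}


def is_cipher_string(value):
    """True for any string that parses as a well-formed type-2 cipher string."""
    if not isinstance(value, str):
        return False
    try:
        parse_cipher_string(value)
        return True
    except ValueError:
        return False


def make_cipher_string(iv, ct, mac_key):
    """Assemble a cipher string; the tag covers iv||ct (encrypt-then-MAC)."""
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return f"{ENC_TYPE_AES_CBC_256_HMAC_SHA256}.{_b64(iv)}|{_b64(ct)}|{_b64(tag)}"


def verify_mac(cipher_string, mac_key):
    """Constant-time tag check; a client does this before any decryption."""
    cs = parse_cipher_string(cipher_string)
    expected = hmac.new(mac_key, cs["iv"] + cs["ct"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, cs["mac"])


def tamper(cipher_string):
    """Flip one ciphertext byte but keep the old tag, as a stored-data edit would."""
    cs = parse_cipher_string(cipher_string)
    bad_ct = bytes([cs["ct"][0] ^ 0x01]) + cs["ct"][1:]
    return f"{cs['enc_type']}.{_b64(cs['iv'])}|{_b64(bad_ct)}|{_b64(cs['mac'])}"


def classify_fields(obj, path=""):
    """Walk a vault item; return (encrypted_paths, plaintext_paths)."""
    encrypted, plaintext = [], []
    if isinstance(obj, dict):
        children = [(f"{path}.{k}" if path else k, v) for k, v in obj.items()]
    elif isinstance(obj, list):
        children = [(f"{path}[{i}]", v) for i, v in enumerate(obj)]
    else:
        (encrypted if is_cipher_string(obj) else plaintext).append(path)
        return encrypted, plaintext
    for child_path, value in children:
        e, p = classify_fields(value, child_path)
        encrypted += e
        plaintext += p
    return encrypted, plaintext


# Constructed demo MAC key (a real client derives this from the master password).
MAC_KEY = hashlib.sha256(b"constructed-demo-mac-key").digest()


def build_demo_item():
    """Item with the same field layout as the post above, all values constructed."""
    def enc(label):
        iv = hashlib.sha256(b"iv:" + label.encode()).digest()[:16]   # filler IV
        ct = hashlib.sha256(b"ct:" + label.encode()).digest()        # 32 filler bytes
        return make_cipher_string(iv, ct, MAC_KEY)
    return {
        "id": "00000000-0000-0000-0000-000000000000",
        "organizationId": None,
        "favorite": False,
        "revisionDate": "2022-08-01T23:14:22.7Z",
        "type": 1,
        "name": enc("name"),
        "notes": enc("notes"),
        "collectionIds": [],
        "login": {
            "username": enc("username"),
            "password": enc("password"),
            "totp": None,
            "uris": [{"match": 0, "uri": enc("uri")}],
        },
    }


if __name__ == "__main__":
    item = build_demo_item()
    enc_paths, plain_paths = classify_fields(item)
    print("encrypted:", enc_paths)
    print("plaintext:", plain_paths)
    print("name MAC ok:", verify_mac(item["name"], MAC_KEY))
    print("tampered name MAC ok:", verify_mac(tamper(item["name"]), MAC_KEY))
```

Running it lists `name`, `notes`, `login.username`, `login.password` and `login.uris[0].uri` as encrypted and the bookkeeping fields (`id`, dates, `type`, `match`, etc.) as plaintext, which is exactly the split the thread is asking about: what a thief holding a vault copy can read without the master password is the metadata, not the secrets, and the MAC check shows that even editing the stored ciphertext is detected.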

2FA including for instance a Yubikey every time you install bitwarden on a new device or open it from a new device would alleviate many (or should alleviate many) of your concerns. I don’t know of any Yubikeys that have been hacked, and if you’re super worried you can use the yubikey to open BW each time.

No, while 2FA offers great protection against compromised master passwords (especially if using Yubikey with FIDO2/Webauthn), 2FA will provide exactly zero extra protection against the kind of breach that occurred at Lastpass. The 2FA is only required to obtain a copy of your vault, it is not required to decrypt your vault. In the Lastpass breach, the vault data were exfiltrated through a side channel, and once the attackers have the vault data there is no need for authentication.

1 Like

I agree with @grb that the hack at LastPass exposed an awful security oversight: LastPass failed to have enough (2FA) access control on backup files. In other words, retrieving a backup file should require a 2FA code as well as a login (at the very least, and perhaps more safeguards).

Question: is there a public statement from competitors like 1Password that they have better access security, for their backup files, already in place?

Backup files are the crown jewels, the storage of your secrets. It helps that they are encrypted, but if a bad guy has a copy, they can take as long as they like to try new ways to decrypt. An analogy is stealing a big, heavy, iron safe, without opening it yet. Back in the garage, the thief can use as many saw blades as they want to attack the big iron safe.

1 Like

Hello,
I just read an article on this. It’s a shame that Lastpass didn’t reveal the problem sooner. They probably saw it as a sort of admission of failure, I guess, and they tried to avoid or delay it, probably. A bad way of thinking. It would have allowed customers to change their password and they would have been reminded to watch out for phishing attempts.
Let’s hope that Bitwarden would let us know quickly the same issue, in an identical situation.
I have the same questions as you.
Is everything 100% encrypted with Bitwarden?
It’s worth thinking about the consequences of data theft on the servers, indeed.
Isn’t everything encrypted with Lastpass? Why?
What are the differences between Lastpass and Bitwarden?

What can hackers do with our encrypted data?
I thought that the answer was nothing. Was I wrong?
The LastPass case is interesting.
I also think that there’s no server that cannot be hijacked one day, unfortunately. Not necessarily, but it’s possible.
The good question is: could the hackers have our data in the clear in the end? Is it impossible?

This was answered earlier in this thread, here and here.

Nothing, unless you have a weak master password.

You may find this Mastodon post by password security expert Jeremi Gosney to be illuminating.

3 Likes

Thanks for sharing this.

2 Likes

+1 (Great post @grb, thanks for sharing).

2 Likes

Thanks for your answers. I will read that with much interest 🙂

Here is an interesting article from 1Password. It is the use of what they call Secret Key. Does Bitwarden have a similar layer of security, or is it just the same as LastPass?

1 Like

Neither. Bitwarden is more secure than LastPass; Bitwarden is equally secure to 1Password if you are using a strong Master Password. If you are using a weak Master Password (which is a bad idea), then 1Password’s secret key would protect the vaults that are stored on their servers, but offers no additional protection for the local copies of the vault that are stored on your devices.

2 Likes

It seems that on Lastpass 2FA (like a Yubikey) only stops the downloading of a vault. Once a vault is downloaded out of LastPass’ internal backups then 2FA is bypassed.
Is this also true for Bitwarden? Or is Bitwarden’s vault itself protected by a Yubikey thus making it impossible to break into the vault?

2FA is only for authentication (proving that you are you), not for encryption — this is true for Bitwarden and any other password manager that I am aware of. The thing that makes it impossible to break the vault encryption is your Master Password, which must be sufficiently strong for this task (e.g., a passphrase of 5-7 words that have been randomly selected from a large list, typically 7776 words for diceware lists).
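The "sufficiently strong" advice above can be put in numbers. The following is an added example, not from the poster: it computes the entropy of an n-word passphrase drawn uniformly from an L-word list (n·log2 L bits), converts that into expected offline cracking time for an assumed guess rate (the attacker with a stolen vault copy is the "thief in the garage" from earlier in the thread), and generates such a passphrase with a CSPRNG. The 7776-word list size is the diceware figure from the post; the guess rates and the small word list in the demo are constructed assumptions, not measurements of any product.

```python
"""Passphrase entropy and offline guessing cost. Added example, not from the
thread. Assumptions: words are chosen uniformly and independently from the
list (only then does the entropy formula hold); guess rates are constructed.
"""
import math
import secrets

DICEWARE_LIST_SIZE = 7776          # 6^5 words, the diceware figure from the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy in bits of num_words uniformly random words from a list_size list."""
    return num_words * math.log2(list_size)


def expected_crack_years(entropy_bits, guesses_per_second):
    """Average time to hit a uniformly random secret: half the keyspace / rate."""
    return 2 ** (entropy_bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(wordlist, num_words, sep=" "):
    """Pick words with the OS CSPRNG; a biased picker would not earn the entropy."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def strength_table(guesses_per_second, word_counts=range(3, 8)):
    """(words, bits, expected years) rows for the assumed offline guess rate."""
    rows = []
    for n in word_counts:
        bits = passphrase_entropy_bits(n)
        rows.append((n, round(bits, 1), expected_crack_years(bits, guesses_per_second)))
    return rows


if __name__ == "__main__":
    # Constructed rate: a slow KDF keeps this far below raw hash speed; it is
    # an assumption for illustration, not a measured figure for any product.
    ASSUMED_RATE = 1e6
    for n, bits, years in strength_table(ASSUMED_RATE):
        print(f"{n} words: {bits:5.1f} bits, ~{years:.3g} years at {ASSUMED_RATE:.0e} guesses/s")
    # Constructed mini list; a real diceware list has DICEWARE_LIST_SIZE entries.
    demo_words = ["apple", "bridge", "cactus", "dune", "ember", "fjord", "glade", "harbor"]
    print("sample (8-word list, low entropy, demo only):", generate_passphrase(demo_words, 5))
```

The table shows why the post says 5-7 words: at one million guesses per second a 3-word passphrase (about 39 bits) falls in days, while 7 words (about 90 bits) sits at billions of years, and doubling the attacker's hardware only shaves one bit. A 2FA device never enters this calculation because, as the answer above explains, it gates the download, not the decryption.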

A few years ago Lastpass was acquired by Logmein which had a dodgy reputation at the time - not sure if it has now. But their clear intention was to make profit. There are fees for Lastpass but is it possible that the metadata they don’t encrypt is sold for additional profit?

I would absolutely imagine so, part of what prevented us from moving to this as any form of a corporate password manager.
LastPass’ US Privacy Policy has a few questionable provisions about what data is collected and how it is processed, but namely to me

LastPass may use and share customer account and registration data, service data, billing data, and feedback with our third-party service providers to:
(g) provide analysis or valuable insights to our customers and users; (h) assess the needs of your business to determine and promote other LastPass products which we believe may be helpful to you; (i) provide product updates and marketing communications; (j) conduct research and analysis for business planning and product development; and (k) display content based upon your interests. To the extent permitted by law, we may also combine, correct and enrich personal data we receive from you with data about you from other sources, including publicly available databases or from third parties to update, expand and analyze our records, identify new prospects for marketing, and provide products and Services that may be of interest to you.

While it seems fairly easy to opt out, I personally would rather have to opt in to any marketing and data harvesting where possible, and the use of personal data for up-selling a product that is meant to not know anything about you just seems wrong to me, IMHO.

1 Like