I found this phishing website https://bitwardenlogin.com/ yesterday, trying to impersonate vault.bitwarden.com. I’ve created a “Report Abuse” ticket with the domain registrar (Tucows Domains). Perhaps someone from the compliance team at Bitwarden can look into this. The phishing page is very similar to the vault login page, along with an SSL cert and a similar-sounding domain name to make it look legit.
I hope Bitwarden can take down this domain before someone gets their account compromised.
Many (or all) of those may be legitimate, self-hosted instances of Bitwarden. A few of them are in violation of Bitwarden’s Trademark Policies, but my guess would be that none of those are actual phishing sites (unless you have evidence to the contrary).
I would consider my master password compromised and change it. Please make a backup before changing your MP. I don’t know if the encryption key is compromised as well.
Also consider reinstating your 2FA so it makes the old one invalid.
99% I have done the login. I have cleared the browsing history. It has been suggested to bookmark the right link. Ironically, having created the right account 3 days ago, I had exactly the wrong URL as a bookmark. Also, if it can be useful to someone, I had noticed an anomaly. That is, the first time I logged in I could not enter, while the second time it went through and I entered the safe.
Were both attempts made on the same site (i.e., on the phishing site), or was the first attempt on the phishing site and the second attempt on the legitimate vault.bitwarden.com site?
When you successfully logged in (i.e., the second time you attempted), did you receive any email message from Bitwarden saying “Your Bitwarden account was just logged into from a new device”?
Also, did you have a 2FA method set up for logging in to Bitwarden, and if so, was the method either TOTP or Email?
If you are able to log in to your account using the vault.bitwarden.com site or the Bitwarden Desktop app, make a backup of your vault, selecting the “password protected” encrypted JSON option (not the “account restricted” option !). Write down the chosen password (which should be different from your compromised master password) in a safe location.
Then, change your master password, and enable the option to rotate your account encryption key. In addition, temporarily disable your 2FA by using your 2FA recovery code, then set up your 2FA again and print out the new 2FA recovery code. Change the password for your email account (the one associated with your Bitwarden account). If you had stored a TOTP authentication seed in Bitwarden for your email account, then reset the 2FA for your email account to get a new TOTP seed.
The above are the most urgent things to do first, without knowing the answer to my first question above. If your answer is that you made both login attempts (the unsuccessful attempt and the successful attempt) on the same fraudulent site, then all contents of your Bitwarden vault are known to whoever was running that phishing scheme. If so, you should reset passwords (and 2FA, if TOTP seeds were stored in your vault) for all of your accounts, starting with the most important (e.g., bank accounts, etc.).
I’m not sure because I no longer have the history. In practice I believe that the first attempt was on the phishing site, I got an error and was redirected to the right site. Since I had recently created the account, I can’t say for sure if I had already activated 2FA. I use an app to authenticate. I received some emails from Bitwarden, but since I have used different devices in this period I had not noticed. I thought you were always there, and still, with only the IP I can’t figure out if it’s always me or not. I activated 2FA both by TOTP and by email, but I can’t remember for sure what passwords I had saved. Also, I find myself in another absurd situation. I had backed up my passwords from my Google account, which I deleted them from. I also deleted them from my Bitwarden account, so I don’t actually know what passwords were there and whether I logged into the phishing URL before or after deleting all the passwords. For security reasons I am thinking of deleting at least the passwords for the most important sites.
This is not a reasonable assumption. It would make more sense if the phishing website was set up to act as a “Man-in-the-Middle”, so that it would use the credentials you entered to attempt to access your Bitwarden account. Perhaps it failed the first time because of the time delay in transferring your TOTP from the phishing site to Bitwarden. Just because you can see your vault contents doesn’t mean that you were looking at the legitimate Bitwarden web vault. Once the attacker has successfully broken into your vault using phished credentials and 2FA, it would be trivial for the phishing site to display the vault data that it stole from your Bitwarden account.
I would consider this one also as a questionable login and probably a phishing site.
The site https://bitwarden.devol.it/#/ looks quite like the original; besides, it has both “passwords” and “password” in the same place. So it’s likely someone is getting tricked here as well.
Please only use the Bitwarden original webpage to find the login to web vault.
As far as I can see, all self-hosted Bitwarden instances look just like the original. In this case, the owner also has an article about password managers on his website (though I don’t speak much Italian), so I suppose this could be a legit self-hosted instance.
Maybe Bitwarden could include some information on self-hosted login pages or otherwise make self-hosted instances look different from the official vault.bitwarden.com site. People running legit instances probably wouldn’t care about this – I certainly won’t.
On the other hand, if somebody is trying to run a phishing site, they can always copy the official Bitwarden login page, just like any other login. And just like people have to learn that paypal.criminaldomain.com is not PayPal’s login page, they also have to be clear that there is just one login page for (cloud-hosted) Bitwarden.
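The last two posts boil down to one rule: the registrable domain of the login page must be the brand’s own domain, and a brand name appearing as a subdomain or inside an unrelated domain proves nothing. The following Python is an added example (not code from this thread or from Bitwarden) that applies that rule to a URL before you type a master password into it. It generalizes beyond the two sites named above: it takes a constructed brand-to-domain table and, with a deliberately simplified “last two labels” notion of registrable domain (an assumption that does not handle multi-part suffixes such as co.uk), classifies a URL as the official vault host, another host under the same domain, a brand name in a foreign domain (which covers both the phishing site and a self-hosted instance, and so warrants a closer look), a punycode host, an insecure scheme, or an unrelated site.

```python
from urllib.parse import urlsplit

# The only cloud-hosted login host named in the thread.
OFFICIAL_VAULT_HOST = "vault.bitwarden.com"

# Constructed table: brand keyword -> the registrable domain that brand actually owns.
BRAND_DOMAINS = {
    "bitwarden": "bitwarden.com",
    "paypal": "paypal.com",
}


def registrable_domain(host: str) -> str:
    """Return the last two DNS labels of a host.

    Assumption: this ignores multi-part public suffixes (co.uk, com.au, ...);
    a production check should use the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_login_url(url: str, official_host: str = OFFICIAL_VAULT_HOST) -> str:
    """Classify where a login URL really points before credentials go into it."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid"
    # A password form served over plain HTTP is wrong regardless of host.
    if parts.scheme != "https":
        return "insecure"
    # Internationalized labels (xn--) can hide homoglyphs; flag them for manual review.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    if host == official_host:
        return "official"
    official_domain = registrable_domain(official_host)
    domain = registrable_domain(host)
    if domain == official_domain:
        return "same-domain"
    # The key check: a brand word in the host name whose registrable domain is not the brand's.
    # This catches bitwardenlogin.com and paypal.criminaldomain.com; it also fires for a
    # legitimately self-hosted bitwarden.example.org, which is exactly the ambiguity the
    # thread discusses, so treat it as "verify before use" rather than "malicious".
    for brand, owned_domain in BRAND_DOMAINS.items():
        if brand in host and domain != owned_domain:
            return "brand-in-foreign-domain"
    return "unrelated"


if __name__ == "__main__":
    # Constructed inputs, including the two URLs reported in the thread.
    for candidate in (
        "https://vault.bitwarden.com/#/login",
        "https://bitwardenlogin.com/",
        "https://bitwarden.devol.it/#/",
        "https://paypal.criminaldomain.com/signin",
        "http://vault.bitwarden.com/",
        "https://example.org/login",
    ):
        print(f"{candidate:45} -> {classify_login_url(candidate)}")
```

The useful habit the code encodes is to read the host name from the right: only `official` and `same-domain` results mean the page is under the brand’s own domain. A `brand-in-foreign-domain` result is where a bookmark of the genuine vault URL, as suggested earlier in the thread, removes the guesswork.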