Phishing website bitwardenlogin.com

Hi all,

I found this phishing website https://bitwardenlogin.com/ yesterday, trying to impersonate vault.bitwarden.com. I’ve created a “Report Abuse” ticket with the domain registrar (Tocows Domain). Perhaps someone from the compliance team at Bitwarden can look into this. The phishing page is very similar to the vault login page, along with an SSL cert and similar sounding domain name to make it look legit.

I hope Bitwarden can take down this domain before someone gets their account compromised.

3 Likes

It’s a real looking site. Could be used to trick someone who isn’t so competent.
Thanks for the find and warning

1 Like

Hopefully, this website is taken down and Bitwarden can purchase similar domains to prevent people from being phished.

2 Likes

Thanks all, the team is following up on this one!

2 Likes

There are multiple domains being used for this. Here are some examples: gist:328892692ac5a90564fbcd76e7aa40eb · GitHub

1 Like

Many (or all) of those may be legitimate, self-hosted instances of Bitwarden. A few of them are in violation of Bitwarden’s Trademark Policies, but my guess would be that none of those are actual phishing sites (unless you have evidence to the contrary).

I’m not sure if I have logged in to https://bitwardenlogin.com. What can I do to be sure?

I would consider my master password compromised and change it. Please make a backup before changing your MP. I don’t know if the encryption key is compromised as well.
Also consider resetting your 2FA so it makes the old one invalid.

That’s what I would have done.

Is it enough to change only the MP and 2FA and not change all the other saved passwords?

I am honestly not sure, I haven’t been involved with it myself. It could be a security risk not to do anything. But by changing MP and 2FA you have at least made yourself a little bit safer.

Hopefully someone from the team, or someone with a bit more knowledge, can give a better answer.

FYI: it appears that “https://bitwardenlogin.com/” is now offline, at least as of right now (01/28/2023, 1:01 PM Pacific time).

You could check all of your web browser’s browsing history, but yeah, it’s probably best to also change your master password if you’re not 100% sure.

99% I have done the login. I have cleared the browsing history. It has been suggested to bookmark the right link. Ironically, having created the right account 3 days ago, I had exactly the wrong URL as a bookmark. Also, if it can be useful to someone, I had noticed an anomaly. That is, the first time I logged in I could not enter, while the second time it went through and I entered the safe.

Were both attempts made on the same site (i.e., on the phishing site), or was the first attempt on the phishing site and the second attempt on the legitimate vault.bitwarden.com site?

When you successfully logged in (i.e., the second time you attempted), did you receive any email message from Bitwarden saying “Your Bitwarden account was just logged into from a new device”?

Also, did you have a 2FA method set up for logging in to Bitwarden, and if so, was the method either TOTP or Email?

If you are able to log in to your account using the vault.bitwarden.com site or the Bitwarden Desktop app, make a backup of your vault, selecting the “password protected” encrypted JSON option (not the “account restricted” option!). Write down the chosen password (which should be different from your compromised master password) in a safe location.

Then, change your master password, and enable the option to rotate your account encryption key. In addition, temporarily disable your 2FA by using your 2FA recovery code, then set up your 2FA again and print out the new 2FA recovery code. Change the password for your email account (the one associated with your Bitwarden account). If you had stored a TOTP authentication seed in Bitwarden for your email account, then reset the 2FA for your email account to get a new TOTP seed.

The above are the most urgent things to do first, without knowing the answer to my first question above. If your answer is that you made both login attempts (the unsuccessful attempt and the successful attempt) on the same fraudulent site, then all contents of your Bitwarden vault are known to whoever was running that phishing scheme. If so, you should reset passwords (and 2FA, if TOTP seeds were stored in your vault) for all of your accounts, starting with the most important (e.g., bank accounts, etc.).

I’m not sure, because I no longer have the history. In practice I believe that the first attempt was on the phishing site: I got an error and was redirected to the right site. Since I had recently created the account, I can’t say for sure if I had already activated 2FA. I use an app to authenticate. I received some emails from Bitwarden, but since I have used different devices in this period I had not noticed. I thought it was always me, and still, with only the IP, I can’t figure out if it’s always me or not. I activated 2FA both by TOTP and by email, but I can’t remember for sure what passwords I had saved. Also, I find myself in another absurd situation. I had backed up my passwords from my Google account, which I then deleted them from. I also deleted them from my Bitwarden account, so I don’t actually know what passwords were there, or if I logged in to the phishing URL before or after deleting all the passwords. For security reasons I think I will change at least the passwords for the most important sites.

This is not a reasonable assumption. It would make more sense if the phishing website was set up to act as a “Man-in-the-Middle”, so that it would use the credentials you entered to attempt to access your Bitwarden account. Perhaps it failed the first time because of the time delay in transferring your TOTP from the phishing site to Bitwarden. Just because you can see your vault contents doesn’t mean that you were looking at the legitimate Bitwarden web vault. Once the attacker has successfully broken into your vault using phished credentials and 2FA, it would be trivial for the phishing site to display the vault data that it stole from your Bitwarden account.

Good luck!

Hello. Opinions on this one?
https://bitwarden.devol.it
This website is on the first page on Google Search, 6th position. It comes out if I search for: bitwarden web.

Just out of curiosity, the other phishing website (bitwardenlogin) was in what position on Google Search?

Thanks

I would consider this one also as a questionable login and probably a phishing site.
The site https://bitwarden.devol.it/#/ looks quite like the original, besides it has both passwords and password in the same place. So it’s likely someone gets tricked here as well.

Please only use the Bitwarden original webpage to find the login to web vault.

1 Like

As far as I can see, all self-hosted Bitwarden instances look just like the original. In this case, the owner also has an article about password managers on his website (though I don’t speak much Italian), so I suppose this could be a legit self-hosted instance.

Maybe Bitwarden could include some information on self-hosted login pages or otherwise make self-hosted instances look different from the official vault.bitwarden.com site. People running legit instances probably wouldn’t care about this – I certainly won’t.

On the other hand, if somebody is trying to run a phishing site, they can always copy the official Bitwarden login page, just like any other login. And just like people have to learn that paypal.criminaldomain.com is not PayPal’s login page, they also have to be clear that there is just one login page for (cloud-hosted) Bitwarden.

1 Like
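A defender-side URL check illustrating the point made above about lookalike domains; this is an added example, not code from any post in this thread or from Bitwarden. It accepts only the official cloud vault host and flags hosts that merely contain the brand name (bitwardenlogin.com) or use the brand as a subdomain label of an unrelated domain (bitwarden.devol.it). The allow-list, the function names and the sample history entries are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumption: the only official cloud web-vault host discussed in the thread.
# Any other official region hosts would be added to this set.
OFFICIAL_VAULT_HOSTS = {"vault.bitwarden.com"}
BRAND_DOMAIN = "bitwarden.com"   # the vendor's own registrable domain
BRAND = "bitwarden"              # the brand string phishers embed in lookalikes


def classify_login_url(url: str) -> str:
    """Classify a URL a user may have entered credentials into.

    Returns one of:
      'official_vault' - exactly the official cloud vault host over https
      'brand_domain'   - under bitwarden.com, but not the vault login page
      'insecure'       - brand host reached over plain http (not the real vault)
      'lookalike'      - brand appears in a host the vendor does not own
                         (may still be a legitimate self-hosted instance, as the
                         thread notes, but it is NOT the cloud vault)
      'unrelated'      - no sign of the brand in the host at all
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unrelated"
    brand_owned = host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)
    if parts.scheme != "https":
        return "insecure" if brand_owned or BRAND in host else "unrelated"
    if host in OFFICIAL_VAULT_HOSTS:
        return "official_vault"
    if brand_owned:
        return "brand_domain"
    # Brand embedded in any label: bitwardenlogin.com, bitwarden.devol.it, ...
    if any(BRAND in label for label in host.split(".")):
        return "lookalike"
    return "unrelated"


def flagged_history(urls):
    """Return (url, verdict) for history entries that deserve a closer look."""
    return [(u, v) for u in urls
            if (v := classify_login_url(u)) in ("lookalike", "insecure")]


if __name__ == "__main__":
    # Constructed sample of browser-history entries, not real user data.
    for entry in flagged_history(["https://vault.bitwarden.com/#/login",
                                  "https://bitwardenlogin.com/",
                                  "https://bitwarden.devol.it/#/"]):
        print(entry)
```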

I was wondering if that one was self-hosted or a type of phishing. But I don’t really know, so I hope there will be some kind of clarification and a clear difference between self-hosted instances and the official website.