Rate limiting and excessive account emails

Dear Bitwarden Support,

I am writing to urgently report a security issue regarding my Bitwarden account. Over the past 30 minutes, I have received more than 30 warning emails about failed login attempts from IP addresses all over the world. Some of the IPs include:

  • 217.69.193.186

  • 60.51.56.49

  • 102.213.207.164

  • 202.175.254.218

  • 5.30.184.44

These constant alerts are overwhelming, and I am extremely concerned about the security of my data.

To make matters worse, I am currently unable to access my account. I have tried using the 2FA codes generated by the Google Authenticator app, but none of them are accepted. I also attempted to use my 32-character Recovery Code, but even that does not allow me to log in.

At this point, I feel completely locked out and helpless while my account is being bombarded with access attempts.

Please treat this matter as urgent. I need immediate assistance, even if that means permanently deleting my account to prevent any further risk of a breach.

Looking forward to your swift response.

Hi Ricardo,

Bitwarden is aware of the issue and looking into steps to remediate.

If you are certain you want to delete your account, you can do this yourself by following the steps documented here: https://bitwarden.com/help/lost-two-step-device/#dont-have-a-recovery-code

@Micah_Edelblut Could you expand a bit more on what that means (in general)? – If I understand it correctly, Bitwarden just activated this kind of warning email again ([PM-24425] Add email on failed 2FA attempt by trmartin4 · Pull Request #6178 · bitwarden/server · GitHub). – Do you plan to deactivate them again?

Because honestly, I would very much prefer to see that kind of warning email, so that I could e.g. change my BW account email address to prevent further attempts. (PS: And change my master password.)

Just in case: did you choose the correct server region in the web vault (US/.com v. EU/.eu)? If you can log in again, change your email address to a private one. – And creating an export would be a good idea anyway, if you didn’t do it already.

1 Like

Same. If you time it right, you are able to get in. Just keep trying. Gotta love it, though.. "

WE DETECTED A LOGIN ATTEMPT, IF THIS WAS NOT YOU SECURE YOUR ACCOUNT

SORRY, CANT LOG IN TO CHANGE YOUR PASSWORD, TOO MANY ATTEMPTS

Two-Step Login Method: Authenticator
Date: Wednesday, August 20, 2025 at 11:29 AM UTC
IP Address: 114.5.80.178

Two-Step Login Method: Authenticator
Date: Wednesday, August 20, 2025 at 11:29 AM UTC
IP Address: 59.183.58.132

Two-Step Login Method: Authenticator
Date: Wednesday, August 20, 2025 at 11:29 AM UTC
IP Address: 65.20.223.83

Two-Step Login Method: Authenticator
Date: Wednesday, August 20, 2025 at 11:29 AM UTC
IP Address: 94.201.98.214

Two-Step Login Method: Authenticator
Date: Wednesday, August 20, 2025 at 11:29 AM UTC
IP Address: 59.184.45.205

Two-Step Login Method: Authenticator
Date: Wednesday, August 20, 2025 at 11:23 AM UTC
IP Address: 180.117.62.73

Two-Step Login Method: Authenticator
Date: Wednesday, August 20, 2025 at 11:23 AM UTC
IP Address: 182.79.86.102

Two-Step Login Method: Authenticator
Date: Wednesday, August 20, 2025 at 11:23 AM UTC
IP Address: 103.58.66.70
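The notifications quoted above all share one fixed layout (method, date, IP). When a mailbox fills with dozens of them, the useful first step for the account owner is to see how many attempts arrived per minute and from how many distinct sources, which separates a forgotten device of your own from the distributed guessing described in this thread. The following is an added example (not Bitwarden's code and not from any post here) that parses that layout; the sample text is constructed from the entries shown in the post above, and the thresholds and function names are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: four alert bodies copied from the format quoted in the
# post above. Real mail would carry headers around each block.
SAMPLE_ALERTS = """\
Two-Step Login Method: Authenticator
Date: Wednesday, August 20, 2025 at 11:29 AM UTC
IP Address: 114.5.80.178

Two-Step Login Method: Authenticator
Date: Wednesday, August 20, 2025 at 11:29 AM UTC
IP Address: 59.183.58.132

Two-Step Login Method: Authenticator
Date: Wednesday, August 20, 2025 at 11:23 AM UTC
IP Address: 180.117.62.73

Two-Step Login Method: Authenticator
Date: Wednesday, August 20, 2025 at 11:23 AM UTC
IP Address: 182.79.86.102
"""

# One alert block: three labelled lines in a fixed order.
ALERT_RE = re.compile(
    r"Two-Step Login Method:\s*(?P<method>.+?)\s*\n"
    r"Date:\s*(?P<date>.+?)\s*\n"
    r"IP Address:\s*(?P<ip>[0-9a-fA-F:.]+)"
)
# Matches "Wednesday, August 20, 2025 at 11:29 AM UTC".
DATE_FMT = "%A, %B %d, %Y at %I:%M %p UTC"


def parse_alerts(text):
    """Return a list of (method, datetime, ip) tuples, one per alert block found."""
    found = []
    for m in ALERT_RE.finditer(text):
        when = datetime.strptime(m.group("date"), DATE_FMT)
        found.append((m.group("method"), when, m.group("ip")))
    return found


def summarize_per_minute(alerts):
    """Group alerts by minute: number of attempts and number of distinct source IPs."""
    per_minute = defaultdict(list)
    for _method, when, ip in alerts:
        per_minute[when.strftime("%Y-%m-%d %H:%M")].append(ip)
    return {
        minute: {"attempts": len(ips), "distinct_ips": len(set(ips))}
        for minute, ips in sorted(per_minute.items())
    }


def looks_distributed(alerts, min_distinct_ips=3):
    """Heuristic (threshold is an assumption): several distinct IPs in one batch
    of alerts points to a distributed guessing campaign, not a single stale device."""
    return len({ip for _m, _w, ip in alerts}) >= min_distinct_ips


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for minute, stats in summarize_per_minute(parsed).items():
        print(minute, stats)
    print("distributed:", looks_distributed(parsed))
```

Paste the bodies of the real notifications into `SAMPLE_ALERTS` (or read them from a file) to get the same per-minute breakdown for your own mailbox; the regex only needs the three labelled lines, so surrounding mail headers are ignored.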

I am currently being hacked. I did have 2FA active, and they did not get through there (as far as I can tell). I have already changed my master password, and force-logged out of all devices. I received about a dozen “failed 2FA” emails about this.

However, I am now having difficulty logging in. I was able to get into one browser, but I’m getting rate limit exceeded most of the time. Sometimes I can get to the 2FA, but it then errors out. I presume this is because they are still trying to brute force their way in.

Is there anything I can do, besides wait it out? Block access to my account on physical location?

Consider switching up your email address, to a more private or uncommon one: https://bitwarden.com/help/product-faqs/#q-how-do-i-change-my-email-address

And if you’ve reused your master password anywhere else, it’s a good idea to change that too: https://bitwarden.com/help/master-password/#change-master-password

I can’t assess the scope of that, and you might want to search for other topics here on the forum for more info on that.

Certainly they’re trying it - as I see, you didn’t change the email address you use in Bitwarden. That’s your main “identifier” here, so you should change that too.

Two simple ideas (you may have other ones):

  1. If you have a Google account: Google allows plus-addressing, so you could use something like mynormaladdress+skj9rkq03@gmail.com (example!)

  2. E.g. DuckDuckGo allows for a free and simple alias creation and you could use one of those aliases.

Both things could also just be a temporary solution, until you find a better one.

All morning my email is on fire with “Failed two-step login attempt detected”. From multiple IPs.

I have exported my vault on my home pc

I cannot log into the web browser to change master password.

What the hell do I do?!?!?!? Do I delete my account now that I exported?

Please Help

I was just tired of it: I deleted my account, as I have my passwords stored and secure in other platforms.

exactly like me!

I have successfully changed my master, now I can’t log in

Be sure to use another email address there. The problem is not Bitwarden in a way – it’s your email address (and depending on the specific email you got: your master password was probably also leaked). It could very well happen that they try it with the same email address on other services.

OK… now what does “Rate Limit Exceeded” mean? Are they still trying now that I’ve changed?

Until you change the email address they’ll probably try it again. Don’t ask me when they’ll stop.

“Rate limit” is a protection when there are too many failed attempts…

In the past month, I have observed DDG delays of up to 45 minutes. If you need faster email notifications, other free options (Firefox Relay, SimpleLogin, Addy.io, AdGuard Mail) may be better at this point in time. If you don’t care about the email address pointing back to you, +address may be the most reliable.

1 Like

I just did a quick check with a test account of mine:

In order to receive the email with the subject “Failed two-step login attempt detected” I had to enter the correct master password for my account.

So, if you receive any of these emails and it is not you who has tried to login, then I take that this means that your master password is compromised.

You should change it immediately. And I would also change the account’s email address.

4 Likes
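The two behaviours this thread turns on are worth seeing together: the “failed two-step login” notification only fires once the master password was correct (the test-account observation above), and the rate limit counts every attempt against the account, so while a guesser keeps hammering it the real owner is refused as well until the window resets (the “try again shortly” advice). The following is an added illustrative model, not Bitwarden's implementation and not from any post here; the limit of five attempts per 60 seconds, the class and function names, and the simulated sequence of attempts are all assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LoginGate:
    """Illustrative per-account login gate (assumed policy, not Bitwarden's code).

    Policy modelled from the thread:
      * every attempt, good or bad, counts toward a per-account rate limit;
      * once the limit is reached, every further attempt inside the window is
        refused, including the real owner's ("Rate limit exceeded");
      * a "failed 2FA" notification is raised only when the master password
        was correct but the second factor was not.
    """
    max_attempts: int = 5          # assumed threshold
    window_seconds: int = 60       # assumed window
    attempts: deque = field(default_factory=deque)   # timestamps of recent attempts
    alerts: list = field(default_factory=list)       # (time, ip) of failed-2FA events

    def _prune(self, now):
        # Drop attempts that have aged out of the sliding window.
        while self.attempts and now - self.attempts[0] >= self.window_seconds:
            self.attempts.popleft()

    def attempt(self, now, ip, password_ok, second_factor_ok):
        """Evaluate one login attempt and return its outcome as a string."""
        self._prune(now)
        if len(self.attempts) >= self.max_attempts:
            return "rate_limited"          # refused before credentials are even checked
        self.attempts.append(now)
        if not password_ok:
            return "bad_password"          # no notification: the password is still unknown
        if not second_factor_ok:
            self.alerts.append((now, ip))  # password was right -> owner gets an email
            return "bad_2fa"
        return "success"


def simulate():
    """Constructed scenario: five guessers who already hold the correct master
    password but not the TOTP code, then the owner during and after the window."""
    gate = LoginGate()
    guessers = ["198.51.100.1", "198.51.100.2", "198.51.100.3",
                "198.51.100.4", "198.51.100.5"]          # TEST-NET-2 addresses
    owner_ip = "203.0.113.7"                               # TEST-NET-3 address
    guess_results = [gate.attempt(t, ip, password_ok=True, second_factor_ok=False)
                     for t, ip in enumerate(guessers)]   # t = 0..4 seconds
    return {
        "guesses": guess_results,
        "alerts": len(gate.alerts),
        # Owner with correct password and code at t=5: window still full.
        "owner_during_window": gate.attempt(5, owner_ip, True, True),
        # Owner again at t=70: the five attempts have aged out.
        "owner_after_window": gate.attempt(70, owner_ip, True, True),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The model makes the thread's two practical conclusions concrete: a stream of these emails means the first factor is already known to whoever is sending the attempts, so the password (and the email address used as the login identifier) should be changed, and the owner can only do that in a gap when the window has emptied.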

Exactly. And that’s what that email looks like:

Yup. And as always, don’t forget to export your data before making those changes, just in case.

1 Like

how can you change the master password if you can’t even login?

1 Like

Try again shortly, you should be able to access your account again after the rate limit resets.

1 Like