Rate limiting and excessive account emails

Same problem here, 400 warning emails in 4h… this is insane

Rate limit means that there have been too many failed login attempts in a short period of time, so there is a minimum wait time before any new login attempt will be accepted.

If you successfully changed your master password (and assuming that the attackers are not using malware that would allow them to obtain your new master password as soon as you created it), then if they keep trying, you should get a (slightly different) email notification from Bitwarden after 9 additional failed login attempts. You may have already received this – it should look similar to the ones that you already received, with some key differences:

image500×353 15.2 KB

In particular, this version of the email notice does not advice you to change your master password or suggest that you use the 2FA recovery code “if you’re having trouble with two step login”.

If you don’t get this version of the notification, then the attackers have likely abandoned their brute-force attempt after they realized that the old master password no longer worked.

@Imaduffus Welcome to the forum! I want to start by making it clear that I do not work for Bitwarden — I am just a Bitwarden customer, like you (although I volunteer as a moderator on this forum). FYI, Bitwarden staff can be identified by the blue-white shield logo overlaid in the lower right corner of their avatar image (see @dwbit’s profile image for an example).

That does seem “insane”, and may be due to a server-side misconfiguration, if that is what you are seeing. It would suggest that the rate-limit for incorrect login attempts that fail at the 2FA stage is only a 30-second delay, and that the delay is not increased as the number of failed attempts increases.

Could you clarify whether your account is hosted by Bitwarden, or self-hosted? Would you be willing to share a redacted screenshot that shows the time-stamps of at least a handful of consecutive notification emails? Also, can you confirm that your email notices do end with the instruction “If this was not you, you should change your master password immediately”?

I also have had about 400 throughout all last night, starting around 4:40am PST, till about 9:30 this morning when I changed my email and master password. I’ve never had anything like this happen before. Is this actually an attack of some sort or is this an error on the bitwarden side?

My guess is that it is both. Somebody has successfully stolen (or guessed) your master password, and is/was attacking you. At the same time, Bitwarden (or you, if you’re self-hosted) needs to modify the server-side configurations for rate-limiting in this type of attack.

It would be helpful to me if you could provide answers to the questions that I had posed to @Imaduffus in my comment above.

Thanks for replying. Here are the answers that hopefully help.

Hosted by Bitwarden

This is what it says:

If you did not recently try to log in, open the web app and take these immediate steps to secure your Bitwarden account:

• Deauthorize all devices

• Change your master password

bitwarden attack792×612 49.6 KB

@crabby Thanks for the additional information. It does seem that your master password has indeed been stolen and is being used to attack your account. This is some advice adapted from instructions that I give to users whose Bitwarden accounts have been fully compromised:

1. Find a malware-free device (or thoroughly disinfect your current device). Unless you have strong reason to believe otherwise, you should assume that you vault was compromised by means of malware on a device where you used Bitwarden; none of the steps below will be effective if you perform them on a device that has malware. Cleaning your device may require reformatting the drive and reinstalling the operating system, depending on what type of malware has infected it.
2. Log in to any non-mobile app (e.g., Web Vault, Desktop app, or browser extension) and create a password-protected .json export of your vault contents; record the file password for the export file.
3. Log in to the Web Vault, and change you master password; your new master password should be a randomly generated 4-word passphrase.
4. While in the Web Vault, also change the email address used as your Bitwarden username. Ideally, choose a unique email address that you have not used elsewhere, but ensure that the email address chosen delivers email to an inbox that you check frequently.
5. If your account 2FA methods include email verification codes, then you should enable stronger forms of 2FA for your account (passkey if possible, otherwise a TOTP authenticator), and subsequently disable email codes as a two-step login method.
6. If you performed Steps 2–5 on a device different from your main device (the one that was compromised), then you need to proceed with scrubbing all malware from that device before you ever log in to Bitwarden on that device again (see Step 1).

If the attack is currently on-going, then rate-limiting by Bitwarden may make it challenging to log in to your account to complete Steps 2–5. The only recourse seems to be to wait and try again.

Going forward, you should also make a serious effort to determine how this compromise may have occurred. Was your master password re-used or non-random? Do you download pirated software or media from nonreputable sites? If you don’t change something about your security posture, the situation you’re finding yourself in now is likely to recur in the future.

Hi, have exactly the same problem and setup as crabby. Attack stopped at 1:40 am.

Will change email and master password.

Thanks so far.

Somehow I am happy, that they were not able to breach through the 2. level authentication

There were instances of the 2FA-fail emails reported in the past, although those users seemed to only receive ONE(???) email instead of many like now. Do you know if Bitwarden at one point stopped sending the email?

The email on failed 2fa was re-added here: [PM-24425] Add email on failed 2FA attempt by trmartin4 · Pull Request #6178 · bitwarden/server · GitHub . In the current configuration, one email is sent per attempt.

I tried to loggin into my web vault, and I was finally able to use my current master pw without triggering the rate limit stuff. But for some reason, when I am asked to enter my auth security code it tells me its not correct. What is this :-(?

Code sent by email is rejected too.

Hey @Imaduffus please contact support using the form at: https://bitwarden.com/help so they can assist you further.

I’m surprised that this notification was ever removed.*

Exacerbating this, it seems that the current rate limit settings are not working well. This comment suggests that it is possible to make at least 5 repeated failed attempts with a delay of at most 15 seconds between attempts, and at most a 6-min delay between such “bursts”; the claims of 30 attempts in 30 min, 400 attempts in 4 hours, or 400 attempts in 5 hours. This indicates that the average rate-limit delay is on the order of 30–60 seconds per attempt, and appears to suggest that the rate-limit is not escalated as the number of failed attempts accumulates.

I’m guessing that rate-limiting may be imposed (at least initially) on a per-IP basis, so that failures from one IP address does not rate-limit login attempts from other IP addresses. While this might have some benefit for users (allowing them to login to change their master password during an attack), it does seem that detection/suppression of distributed attacks can be improved, and that more aggressive escalation of rate-limiting in the face of a sustained attack is necessary.

*Addendum:

I just saw this in the description of PR #5676, which (without additional context) seems worrisome to me:

There is no longer a concept of “maximum login attempts” enforced by the server (or client).

A detailed explanation of the changes made seems warranted, so that the community can be informed of the current state of protection against brute-force attacks.

Seems like this will change:

So, presumably, that email will only contain timestamp & IP address information for the most recent attempt, which can potentially mislead the user about the severity of the attack. @kspearrin At a minimum, the new email notification needs to state the total number of failed attempts that were made since the most recent email notification (and ideally, it should include a full list of details about each attempt).

And are there no longer any notifications about attempts to log in using an incorrect master password? It used to be that users were notified after 9 such failed attempts (which also triggered a captcha requirement).

Some greater clarity about the recent changes to rate limiting, captcha, and email alerts would be greatly appreciated!

We recently released an update for email notifications about failed 2FA attempts. We turned it back off (at this moment) since it was sending some compromised users thousands of emails (as their account is actively trying to be brute forced) and was causing problems with our email reputation. We are planning to enable it back soon, but will now include throttling of the emails so that you only get at most 1 email per hour about failed 2FA attempts.

Captcha is no longer being used since it was not effective.

Are you also throttling the actual ability to attempt another login, and if so, is the rate-limit delay being increased as the cumulative number of failed attempts increases?

Is there any email notification to users who are being brute-force attacked by someone (incorrectly) guessing their master password, or do users only get notified when the master password is already compromised?

With the throttling of email alerts in PR #6227, will there be any attempt to inform the user of the true frequency of login attempts (and/or making available the full list if login attempt time stamps and IP addresses since the previous hour’s alert)?

Using a plussed email address is a very good first-line defense to protect your vault against phishing and brute force. A plussed email address is one to which you have added a plus-sign followed by something that makes it unique. For example, Joe.Doe@gmail.com may decide to use Joe.Doe+Bitwarden734@gmail.com as his plussed address for Bitwarden. The plussed portion is ignored when delivering email, but must match when logging into Bitwarden. There are a few ways this benefits you:

• When you receive an email alleging to be from Bitwarden, you can check the “To":” address. If it is joe.doe@gmail.com, you know it is a phish because that is not the address Bitwarden knows. Conversely, if the to address is Joe.Doe+Bitwarden734@gmail.com, you have a high-level of confidence that the message is genuine because nobody else knows that address.
• When a brute force attacker goes after your vault, they will use an email address they learned from a data dump, from your LinkedIn account, etc., which likely will be joe.doe@gmail.com. But, since that is not your Bitwarden account, the login-failures will not accumulate against your account, so Bitwarden will not rate limit your account and they will not send you scary emails.

For a plussed address, I like to include something easily recognizable to me (“Bitwarden”) and something random so that the plus portion is not easily guessed (the “734” above).

However (and this is important), changing the email address you have registered at Bitwarden is a bit dangerous. Not of exposing your vault to the world, but rather locking yourself out. And, if you lock yourself out this way, Bitwarden support likely can offer little more than sympathetic ear. To minimize risk, I recommend the following:

1. Create an emergency sheet. Log one device out and make sure you can back in using nothing except what is found on the emergency sheet.

2. Create a backup/export of you vault(s).

3. If using MFA (you should be), make sure your TOTP code is available in an app that is not Bitwarden. You will need to use it it after you change your email because doing so logs you out of your Bitwarden vault on all devices.

4. Change your email address following Bitwarden’s instructions.

5. Log back in to at least one device to make sure things behave (don’t forget the to select the correct vault (eu or com).

6. Update your emergency sheet to reflect the new email address.

As Kyle mentioned, Captcha is no longer used and as a result this email is no longer being sent for failed attempts with an incorrect master password.

In the current production configuration, users are receiving no emails at all notifying them of failed login attempts, either with an incorrect master password or an incorrect 2FA method.

When the PR linked above, limiting the number of emails to 1 per hour, has been released, users will once again start receiving emails notifying them of failed login attempts when that attempt is a 2FA failure. This email can serve as a confirmation (in most cases) that a users master password is known to bad actors.

And, of course, Bitwarden continues to send New Device verification emails for users who do not have 2FA enabled, which would be another indication that a master password is known to bad actors. Bitwarden also continues to send New Device login emails, which is the nightmare scenario informing you that your vault has been broken into and you should act quickly to retake control and begin rotating your account credentials.

@Micah_Edelblut Thanks for that additional explanation! – And at this point I would just like to point out again, that there are many people requesting additional “security alert” emails - also for failed login attempts of any kind: