Rate limiting and excessive account emails

I agree with your comment that we want to understand how well protected we are from here forward.

But I personally would also like to hear from Bitwarden more info about how we got here.

Multiple people reported invalid totp email notifications at rates of 30-60/hr, having never received any warning prior to the day that Bitwarden finally started sending those failed-2fa emails.

Presumably those totp attempts were lodged by attackers with access to the master passwords of a small group of Bitwarden users (*). One would think those attempts were also going on for some period of time prior to the time Bitwarden started notifying users. How long did that situation exist and how did Bitwarden let it happen?

I’m not particularly technical, but that failure to email users earlier seems like a pretty darned big error in strategy to me (out of character for an otherwise-sharp Bitwarden team). We users understand that strategy errors happen (especially when attackers might be using an unforeseen tactic), but in general I don’t think we like it when there is no transparency after errors. I think Bitwarden would be well served if they explained to users in more detail exactly what happened and how Bitwarden views the significance of it.

(*) These people probably had their Bitwarden master passwords compromised through no fault of Bitwarden… but that is exactly the situation where the 2fa barrier is most important.

As far as I can tell, the sequence of changes was as follows:

The previously used email notifications (for failed login with incorrect master password, and for failed login with correct master password but incorrect 2FA) were originally introduced in PR #1870 (merged March 2, 2022), but subsequently removed in PR #5675 (merged May 9, 2025), as part of a decision to remove all use and mention of hCaptcha (an approach which was evidently found to be ineffective for throttling brute-force attacks). The email notification for login failure due to incorrect 2FA was then restored in PR #6178 (merged August 11, 2025); email notifications about login failures due to incorrect master password were not restored (and are still not used). And most recently, the number of notifications about failed 2FA was throttled to one email per hour, in PR #6227 (merged August 21, 2025).

I haven’t researched the pre-2022 history, but since then, there appears to have been a period of about 3 months (May to August of this year) during which no notifications of failed login attempts were issued at all.

I don’t know if any of the recent changes (specifically, the removal of all notification emails in May) might have been related to the introduction of the New Device Login Protection (NDLP) requirement in March — i.e., perhaps notification emails for incorrect master passwords might have been deemed less critical if Bitwarden could assume that all users have either NDLP email verification or 2FA enabled… ← [pure speculation on my part]


Hey all! Just popping in to note that the PR has now been released and the failed 2FA emails are once again sending. If you receive one, you should try to change your password.

@Micah_Edelblut Just to be clear about it - you are referring to this (in the end) from the Release Notes, right?

  • Failed 2FA emails: Users will now receive an email notifying them of failed login attempts that were prevented by two-step login. If you receive these emails, update your master password immediately to one that is strong, unique, and has never been used before. Learn more here.

And this was/is the PR [PM-25050] limit failed 2fa emails to once per hour by kspearrin · Pull Request #6227 · bitwarden/server · GitHub – and so it is now “once per hour”?

Precisely. That is the limit on the email, to avoid overwhelming a user's inbox in a possible scenario where other rate limits were allowing more than one attempt per hour.

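To make the distinction in the last reply concrete (the email is throttled, not the attempts), here is an added illustration of a per-account "once per hour" notification throttle. It is example code written for this thread, not Bitwarden's server code from PR #6227; the class and method names, the one-hour window, and the sample login events are all assumptions constructed for the demo. Every failed 2FA attempt is still counted, so lockout logic and monitoring keep the full picture; only the email to the affected user is suppressed while one was already sent within the window.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed throttle window, mirroring the "once per hour" figure in the thread.
EMAIL_THROTTLE = timedelta(hours=1)


@dataclass
class FailedTwoFactorNotifier:
    """Hypothetical per-account throttle for 'failed 2FA' notification emails.

    Attempts are always recorded (failures[user]); only the email is rate
    limited, so a flood of attempts produces at most one email per window.
    """
    throttle: timedelta = EMAIL_THROTTLE
    last_email_at: dict = field(default_factory=dict)  # user -> time of last email
    failures: dict = field(default_factory=dict)       # user -> total failed attempts
    sent: list = field(default_factory=list)           # (user, time) audit log of emails

    def record_failed_2fa(self, user: str, at: datetime) -> bool:
        """Record one failed 2FA attempt; return True if an email was sent."""
        self.failures[user] = self.failures.get(user, 0) + 1
        last = self.last_email_at.get(user)
        if last is not None and at - last < self.throttle:
            return False  # within the window: attempt counted, email suppressed
        self.last_email_at[user] = at
        self.sent.append((user, at))
        return True


def simulate() -> dict:
    """Replay constructed events and return emails sent per user.

    'alice' sees 80 failed attempts, one every 90 seconds (about 40/hr, in
    the range reported in the thread); 'bob' sees a single failure.
    """
    notifier = FailedTwoFactorNotifier()
    t0 = datetime(2025, 8, 22, 12, 0, tzinfo=timezone.utc)  # constructed start time
    for i in range(80):
        notifier.record_failed_2fa("alice@example.invalid", t0 + timedelta(seconds=90 * i))
    notifier.record_failed_2fa("bob@example.invalid", t0 + timedelta(minutes=5))

    emails = {}
    for user, _ in notifier.sent:
        emails[user] = emails.get(user, 0) + 1
    return {"emails": emails, "failures": dict(notifier.failures)}


if __name__ == "__main__":
    result = simulate()
    print(result)
```

Running it shows alice receiving two emails (at the start and again one hour later) despite 80 recorded failures, while bob gets one; the failure counters still hold the true totals, which is what an account-lockout or anomaly-detection layer should act on.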
