This is something that I cannot really comprehend. That an access from a blocked IP address results in a “wrong email or password” message is something truly baffling.
I really couldn’t believe it when I read it a couple of days ago.
Not giving away information to bad actors about why a login attempt is rejected is something that I can understand.
But flat out lying to your legitimate users is plainly wrong.
When I get that message, how am I going to know if my credentials are indeed wrong or I have been hit by a Bitwarden server false positive?
Furthermore, if I get that message after a master password change I am going to assume that I did something wrong and go ahead and delete my account and restore my most recent backup (if I have one), losing the changes made to my vault since that hypothetic backup.
And all because of a misleading error message.
Truly unbelievable.