Someone accessed my account with codes from my email

Hi,
I received a notification in my email saying that someone logged into my Bitwarden account, and someone has also received my Gmail codes and logged into that account.
This is creepy and I am scared now. I have deauthorized all the devices, created a strong password and enabled two-factor authentication. But I don’t see anyone logged into my Gmail in the logs. I recently rooted my phone; could that be causing this issue, or is something else off? I can see that someone logged in in the Bitwarden sessions too, so someone has accessed it for sure, but I don’t know how this happened or how to tighten the loose ends here.
Best,
DB

Hello and welcome to the community,

Someone accessing your account means they have both your password and the means to access your email. You may need to walk through how they might be able to get either or both. People will need to ask you about how you generate and keep your passwords, your cybersecurity habits, etc.

Rooting your phone means you can’t rely on having OS protections on your data anymore. I wouldn’t recommend that anyone do this, but more data is needed to indicate whether this is actually the issue here.

Someone with access to your email session tokens will be able to access your email without logging in. This usually comes from malware.

To find out more initially, I would suggest:

  1. Download the ESET online scanner and scan your PC (if applicable).
  2. Check for InfoStealer breaches on your BW email at: a) Hudson Rock (about infostealers only), and b) Have I Been Pwned. If you have an infostealer breach, this might help you draw a conclusion.
  3. Download mobile scanners (I don’t know which, but I’d pick ESET and Bitdefender) to scan your mobile as well.

To fend off the attacks initially, I’d suggest (if you haven’t done all of them already):

  1. Find a malware-free system to do all these.
  2. Change your BW password, deauthorize all BW sessions, and use TOTP 2FA or stronger.
  3. Change your email password, deauthorize all sessions, disconnect all apps, use TOTP 2FA or stronger, check email forwarding, check email deletion rules, check for unknown devices, check security info changes, and use the Gmail security-check workflow: https://myaccount.google.com/security-checkup.
  4. Change passwords for all important accounts now. You will have to change all the secrets stored in BW as well, all passwords, all TOTP seeds (if applicable), etc.

I wouldn’t rely on using this Gmail account for 2FA for any accounts for a while until you clear things up. Personally, for a while probably means at least a year, possibly forever, just to make sure.

2 Likes

@dinesh Welcome to the forum! Sorry to hear that this happened to you.

You received this advice from @Neuron5569:

I would strongly advise that you also do the following:

  • In Step #2, make sure to select the option “also rotate my account’s encryption key” when you change your Bitwarden master password. Ensure that your new master password is randomly generated (the best practice is to use a random passphrase consisting of at least 4 randomly generated words).
  • If you ever had any 2FA enabled for your Bitwarden account prior to this breach, then use the existing Two-Step Login Recovery Code to disable 2FA (which also rotates the Recovery Code), by submitting the recovery code on this form. You must then enable two-step login in your Bitwarden account again (and as recommended by @Neuron5569 above, you should enable the “Authenticator app” option or the “Passkey” option for optimal security).
  • In Step #4, start by changing the passwords on your email account(s), since these can be used (by the attacker) to reset other account passwords. Also, after changing the email account passwords, deauthorize all logged in devices (including your own) from the email accounts, and enable 2FA for the email accounts (or reset the email account 2FA, if you already had 2FA).

I cannot stress strongly enough that you must not skip Step #1 in @Neuron5569’s instructions:

  1. Find a malware-free system to do all these.

If you have done any of the subsequent steps while on your original device, then it is as if you never even did those steps — anything you’ve done on a compromised device could be recorded and/or reversed by the attacker.

1 Like
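The post above recommends a randomly generated passphrase of at least 4 words for the new master password. As an added example (not code from either poster or from Bitwarden), here is how to generate such a passphrase with the operating system's CSPRNG and how to compute what it actually buys you in entropy. The 16-word list is constructed for the demonstration only; a real generator must use a large published list such as the EFF long list (7776 words), because the entropy depends entirely on list size and word count.

```python
import math
import secrets

# Constructed demo wordlist (assumption for this example only). With 16 words,
# each word contributes log2(16) = 4 bits; a 7776-word list gives ~12.9 bits/word.
DEMO_WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "garnet", "hazel",
    "ivory", "juniper", "kelp", "lumen", "marble", "nectar", "ochre", "pollen",
]


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy in bits of word_count words drawn uniformly, with replacement,
    from a list of wordlist_size distinct words."""
    if wordlist_size < 2 or word_count < 1:
        raise ValueError("need at least 2 words in the list and 1 word drawn")
    return word_count * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words from this list that reaches target_bits."""
    if wordlist_size < 2:
        raise ValueError("need at least 2 words in the list")
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, word_count: int = 4, separator: str = "-") -> str:
    """Draw word_count words using secrets (OS CSPRNG); never use random.choice
    for secrets. Enforces the thread's minimum of 4 random words."""
    if word_count < 4:
        raise ValueError("use at least 4 randomly generated words")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def check_passphrase(passphrase: str, wordlist, min_words: int = 4,
                     separator: str = "-") -> bool:
    """Structural check only: at least min_words words, all from the list.
    It cannot tell a human-chosen word pick from a random one."""
    parts = passphrase.split(separator)
    return len(parts) >= min_words and all(p in wordlist for p in parts)


if __name__ == "__main__":
    phrase = generate_passphrase(DEMO_WORDLIST)
    print(phrase, check_passphrase(phrase, DEMO_WORDLIST))
    # 4 words from the EFF long list: ~51.7 bits; 5 words are needed for 64 bits.
    print(round(passphrase_entropy_bits(7776, 4), 1), words_needed(7776, 64))
```

The point of the entropy helpers is that "4 words" is only a strong recommendation when the words come from a large list and a real random source; 4 words from the 16-word demo list give just 16 bits, which is why the demo list must not be used for a real master password.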

If you’re interested in exploring possible answers to this question, you must provide additional information:

Your Bitwarden Account Password:

  1. What was its general form (e.g., a passphrase, a string of characters, etc.), and what was its approximate length (number of words in a phrase, or number of characters in a character string)?
  2. Was the password randomly generated with the help of a random number generator (e.g., a password/passphrase generator), or did you create it yourself?
  3. Was the password ever used for any other account, or for any purpose other than registering for and logging in to your Bitwarden account?
  4. Did you ever disclose (intentionally or accidentally) the password to anybody else (including individuals whom you may have trusted, such as family members, employers, Bitwarden staff, government representatives, or law enforcement officials)?
  5. Did you ever store the password in a digital medium (e.g., store it in a computer file, or in notes on your phone)?

Your Computing Devices and Habits:

  1. Do all of your devices (e.g., computers, tablets, phones) have up-to-date antivirus protection, firewalls, and other malware defenses?
  2. Do all of your devices have up-to-date operating systems and up-to-date browsers?
  3. Have you ever downloaded pirated materials (e.g., pirated software) online, or visited non-reputable websites?
  4. Do you always carefully examine any pop-up notices from the operating system before clicking them?
  5. Do you always deny requests that appear in pop-up notices asking for acceptance of certificates, elevation of security privileges, bypassing of security barriers, or any requests that you do not fully understand?
  6. Do you ever open files attached to email messages, or files downloaded from the internet without prior analysis and inspection (e.g., examine the source of the file to determine whether the email or webpage appears to be legitimate, and then scan the file using antimalware software before opening it)?
  7. Have you ever left your devices unlocked and unattended, or allowed other persons to use your devices?
  8. Have you ever used your devices on a public WiFi network?
  9. Have you ever accessed your email accounts and/or Bitwarden account using a device that was not yours?

1 Like

Additionally, if you decide to use a physical security key (e.g. a YubiKey), those CANNOT be phished or hacked remotely by any known means. You will need to touch the exact security key to log in, and ONLY someone with the physical key would be able to log in to your BW account; no exceptions. A thought, given where you are right now?

Thank you guys, I am following these instructions.
From the replies I received I can see how vulnerable I have been, there have been gaps and loose ends as far as I can see. This is going to take me some time to digest all these.

So I went through Have I Been Pwned; there have been 19 breaches for my Gmail account. That is an eye opener for me. These breaches had passwords in them, but there was 2-step verification enabled in all these cases, and somehow there is still a gap.

As I mentioned, there is so much to digest for me at the moment. I am taking one step at a time. Thank you for the support. I will keep my progress posted here.

3 Likes