Someone can access my vault and get passwords

Hi everyone.
Something weird is happening to me.
I began to use the bitwarden password manager a few days ago. After adding my passwords to the vault, I began to receive an email from linkedin that there is a new login try from a new device, asking me to continue the login by responding to the 2FA sms I also received, with the option of changing the password if it’s not me who made the login.
I changed the site password and saved it in my vault. After a couple of hours I received again the same email as above. Rechanged the password again but with no success.
I think the intruder somehow has access to the linkedin site password but the 2FA of the site prevents him from continuing the login process.
To be sure I removed the linkedin password from bitwarden and saved it in another place after changing it, of course. After that I didn’t receive emails about any intrusion. Then I readded the password to bitwarden and received again those emails about login tries. Then removing the password again from bitwarden after changing it stopped the warning emails.
All that means the intruder can get the password(linkedin one in this case) from bitwarden.
No tries are noticed for other sites passwords.
I am afraid the intruder has a way to get passwords from bitwarden in a way or another.
I am using the chrome extension and set lock after 15 minutes.
Sorry for the long message.
Thanks in advance for any help or suggestion.

Hello,

I think there can be a number of ways your Linkedin password is compromised:

  1. You are physically compromised, i.e. somebody can observe you
  2. The way you access Linkedin is compromised
  3. Your browser is compromised
  4. Your machine is compromised
  5. Your BW account is compromised

The safest thing maybe is to assume the above may all be true (unless you can ascertain otherwise) and try to experiment with this from another machine or your mobile, from another browser that you don’t typically use (edge, firefox), maybe from another location. Your mobile is probably safer but is more painful. Another machine, you may need to ascertain that it is clear of malware, etc, too.

I would suggest (from your mobile, not usual browser):

  1. Export your vault, encrypted, not account restricted, using a password you write down.
  2. Generate a random 4-word passphrase, write it down, and change your Bitwarden password. This typically will deauthorize online access everywhere.
  3. I am not sure if this is necessary, but I would login the web interface on Bitwarden again, and deauthorize access everywhere just to make sure.
  4. Change your Linkedin password, using a randomly generated password, and deauthorize all previous sessions.

See if what you described still happens.

Other info:

1 Like

Hi
Thanks for your response.
It’s not clear for me the use of passphrase and how it is related to Bitwarden password.

1 Like

In essence, it’s a longer, safe password meant to be easy to remember and type (if you use all small letters separated by space).

So you use the randomly generated passphrase instead of the password that you might have come up yourself.

1 Like

It is not possible to do a password-protected (i.e., “encrypted, not account restricted”) vault export from the mobile app, so this step would have to be done by accessing the Web Vault app (e.g. vault.bitwarden.com) using a browser on your mobile device. Alternatively, this step could be done on a non-mobile device (e.g., using the Web Vault, Desktop app, or a browser extension) — I think that the main point was to ensure that you do this step and the other steps on a device that is malware-free.

@yahiadal Once you have access to a clean, uncompromised device, I would suggest doing the following:

  1. Generate a random 4-word passphrase as well as a random 6-word passphrase (using the links provided here, or using the passphrase generator available in Bitwarden), and write them down on an Emergency Sheet. The 4-word passphrase will become your new master password, while the 6-word passphrase will become your backup file password. Passphrases (when randomly generated and of sufficient length) make for secure passwords that are relatively easy to memorize and to manually type.

  2. Log in to the Web Vault app in a browser, go to Tools > Export Vault, select .json (Encrypted) as the File Format, then select “Password Protected” as the Export Type. In the “File Password” and “Confirm File Password” fields, enter the 6-word passphrase that you had generated in Step 1 above, then click Confirm format. At the “Confirm Vault Export” prompt, enter your old (current) master password and click Export vault; if prompted to save the export file, do so (if there is no such prompt, the file will be automatically saved in your default Downloads folder).

  3. In the Web Vault app, go to Settings > Security > Two-Step Login, click View recovery code as shown here, and print the code (printing as a PDF if you do not have a printer).

  4. If you get an error message when attempting to view the recovery code (because the code does not exist), this means that you have never set up 2FA for your Bitwarden account. If this is the case, then you must set up a Two-Step Login method for your Bitwarden account, as soon as possible. The Passkey method is the safest, but any other method is much, much better than having none. Please note that the instructions provided for the Passkey method assume that you are using a hardware key (like a Yubikey), but I’m fairly certain that you can also store the passkey on a phone. After setting up your Two-Step Login method, get your recovery code (as explained in Step 3 above), and then perform only Step 5 and Step 8 from the instructions below.

  5. In the Web Vault app, go to Settings > Security > Master Password, enter the 4-word passphrase that you had generated in Step 1 above into the fields “New master password” and “Confirm new master password” (also type your old master password into the “Current master password” field), then enable the option “Also rotate my account’s encryption key” before clicking Change Master Password.

  6. If you were able to view the Recovery Code in Step 2 above, then it is best to assume that any intruders who accessed your account also have a copy of the Two-Step Login Recovery Code. Thus, disable the code by entering it on the 2FA recovery form. If you received an error message in Step 2 because you had never previously enabled two-step login for your Bitwarden account, then you should skip Step 6 as well as Step 7.

  7. Because the above action (Step 6) disables any 2FA that you have enabled for your Bitwarden account, log back in to the Web Vault app immediately (using your new master password from Step 5), re-enable two-step login for your Bitwarden login (see instructions under Step 4), and obtain a copy of your Two-Step Login Recovery Code (as explained under Step 2). If you skipped Step 6, then you should also skip Step 7.

  8. Record your active (most recent) Two-Step Login Recovery Code on your Emergency Sheet (from Step 1), and ensure that the Emergency Sheet is stored securely.

Why do you suggest a significantly stronger passphrase for the backup?

1 Like

Because for the vault, you are able to update the KDF settings over time to compensate for future improvements in computing technology for password cracking (e.g., Bitwarden’s recent update in default KDF settings from 100k to 600k iterations of PBKDF2).

In contrast, for your encrypted vault exports, the KDF settings used for the file encryption are locked in at whatever was being used for your vault at the time that the export was made. Thus, if a hacker gets access to a decades-old backup file, they would have a decent chance of cracking the file password by brute force if the password only had 52 bits of entropy (e.g., a 4-word passphrase). Adding 2 more passphrase words will future-proof the file encryption for approximately 50 years past the date at which today’s KDF configuration will become vulnerable (at 52 bits of password entropy).

2 Likes
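The entropy figures and the “50 years” estimate in the reply above can be checked with a small calculation. The following is an added example, not code from the thread or from Bitwarden; it assumes the passphrase words come from a 7776-word list (the size of the EFF large wordlist, which the thread does not name) and that attacker throughput doubles every two years (a Moore's-law style assumption used only to turn extra bits into years).

```python
import math

# Assumption: words are drawn uniformly from a 7776-word list (EFF large
# wordlist size). The thread does not say which list the generator uses.
WORDLIST_SIZE = 7776


def passphrase_entropy_bits(word_count, wordlist_size=WORDLIST_SIZE):
    """Entropy, in bits, of a randomly generated passphrase of `word_count` words."""
    return word_count * math.log2(wordlist_size)


def kdf_equivalent_bits(old_iterations, new_iterations):
    """Extra attacker work from raising the KDF iteration count, expressed as
    password-entropy-equivalent bits (e.g. 100k -> 600k PBKDF2 iterations)."""
    return math.log2(new_iterations / old_iterations)


def expected_crack_seconds(entropy_bits, kdf_iterations, hashes_per_second):
    """Expected brute-force time: on average half the keyspace is searched and
    each guess costs `kdf_iterations` hash invocations."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * kdf_iterations / hashes_per_second


def years_of_headroom(extra_bits, doubling_period_years=2.0):
    """Assumption: attacker capability doubles every `doubling_period_years`,
    so each extra bit of entropy buys that many more years of margin."""
    return extra_bits * doubling_period_years


def compare_four_and_six_words():
    """Reproduce the reply's comparison: 4-word master password vs 6-word
    backup-file password, plus the effect of the PBKDF2 default change."""
    four = passphrase_entropy_bits(4)
    six = passphrase_entropy_bits(6)
    return {
        "four_word_bits": round(four, 1),          # about 52 bits
        "six_word_bits": round(six, 1),            # about 78 bits
        "extra_bits": round(six - four, 1),
        "headroom_years": round(years_of_headroom(six - four)),
        "pbkdf2_100k_to_600k_bits": round(kdf_equivalent_bits(100_000, 600_000), 2),
    }


if __name__ == "__main__":
    print(compare_four_and_six_words())
```

The point the numbers make: raising PBKDF2 from 100k to 600k iterations is worth only about 2.6 bits, and it can be applied to the live vault but never to an export already sitting on disk, whereas the two extra words add nearly 26 bits that travel with the file.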

Thank you for your help. I’ll try your suggestions.
The weird thing is if the intruder has access to my bitwarden or computer or…then he can access any of my sites, among which are more important ones than the linkedin one, but this is not the case. No sign of any tries to access any of the other accounts.
Thank you

I’d like to stress that you should:

  • Take some time to attempt to determine what has happened. Have you received any emails from <[email protected]> warning about failed login attempts, and/or logins from a “new device”? Did you have 2FA on your Bitwarden account, and if so, how might an attacker obtain access to it? If you are able to check login sessions or access to your email accounts (especially the email address that serves as your Bitwarden username) and/or your authenticator app, is there anything potentially suspicious there? Have you run any malware scans (using the most exhaustive settings — e.g., Microsoft Defender Antivirus off-line scan)?

  • If no alternative explanation other than information-stealing malware is found, make every effort to ensure that your computer (and other devices) are malware-free — to the point of wiping the disk and doing a clean reinstall of the operating system.

Also, when lacking detailed information, it may be better to assume the safest position. Normally, I’d say the most likely explanations would be:

  1. the user reuses passwords
  2. the user uses easy-to-guess/common passwords

In the above cases, checking haveibeenpwned may shed some light.

You have changed the passwords multiple times, but how did you come up with these passwords? Randomly generated? Something you often use? We don’t know, so securing your BW account and then trying to change to a random password would have eliminated the above possibilities too. Additionally, having an exported backup and a strong master password are always good ideas.

1 Like

Never

Yes I have.

Really I don’t know.

Nothing suspicious.

I am using the Malwarebytes app for online protection and do regular scans on my computer. No malware found so far.

1 Like

I am using the BW password generator to generate new passwords for all entries without reusing any password.
My question is: after changing, say, my linkedin password to a new 24-character one, how can the intruder get this password after a short period of time and try to access the account (but the 2FA prevents him)?
Does he have access to my BW vault? If yes, why are there no tries to access any of my other accounts whose passwords are also stored in BW? Then why, if I remove the password from BW, are there no more visible tries to access the linkedin account?
Thank you

Is it possible there is no breach anywhere? Might Linkedin automated security be responding to BW autofill after the fact?

On the face of it, your description of what happens and what has not happened appear to exclude or make highly unlikely an actual breach at either end. If it is anywhere, it seems more likely to be at Linkedin or mitm there, or else you would expect more serious compromise through your other passwords.

Edit to add a suggestion:
Put your LinkedIn password into Bitwarden but do not use Bitwarden to log in. If you need to access Linkedin do so manually. See whether you then get any warnings.

1 Like

There’s a lot in your situation that doesn’t make sense, so we need to carefully evaluate the evidence that a breach actually occurred — evidence which seems to be limited to the emails you have received about supposed new login attempts on LinkedIn.

The questions/comments I have are:

  • Are you sure that the emails are from LinkedIn? Examine the email headers, including any SPF, DMARC, or DKIM headers.

  • What kind of notification (if any) does LinkedIn send if you attempt to log in with the correct username, but an incorrect password? Are you sure that the notifications you have received (if genuine) imply that your password has been compromised?

  • Could there have been some technical glitch on LinkedIn’s side, causing its servers to randomly send out notification emails (and SMS codes) even when no login attempts were made by anybody? I suggest reaching out to LinkedIn technical support to investigate this possibility.

  • As previously suggested, go to haveibeenpwned.com to check whether any known data breaches include a leak of your LinkedIn username or password.

1 Like
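The first bullet above asks whether the notification emails are really from LinkedIn and points at the SPF, DKIM and DMARC results. The following is an added example of how to read those results, not code from the thread or from any mail provider: it parses the Authentication-Results header that the receiving mail server records and checks it against the domain the message claims to come from. Both sample messages are constructed, with placeholder domains; `expected_domain` is a hypothetical parameter you set to the sender domain you expect. One caveat a practitioner should keep in mind: only the Authentication-Results line added by your own receiving server is trustworthy, since a sender can write any header they like into the message body they submit.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a notification whose receiving server recorded passing
# SPF, DKIM and DMARC results. Addresses and domains are placeholders.
GENUINE_SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce.example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "Example Notifications" <security-noreply@example.com>
To: user@receiver.example
Subject: New sign-in from an unrecognised device

A new device signed in to your account.
"""

# Constructed sample: same display name, but the From domain is a look-alike
# and the receiving server recorded a DMARC failure.
SPOOFED_SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=softfail smtp.mailfrom=example-security.net;
 dkim=none;
 dmarc=fail header.from=example-security.net
From: "Example Notifications" <security-noreply@example-security.net>
To: user@receiver.example
Subject: New sign-in from an unrecognised device

Click here to confirm it was you.
"""

# Matches "spf=pass", "dkim=none", "dmarc=fail" and similar method=verdict pairs.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def auth_results(raw_message):
    """Map each method (spf/dkim/dmarc) to the verdict found in the
    Authentication-Results header(s); the first verdict per method wins."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(header)):
            verdicts.setdefault(method.lower(), verdict.lower())
    return verdicts


def from_domain(raw_message):
    """Domain of the From: address, which is what DMARC alignment is judged on."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, address = parseaddr(str(msg["From"]))
    return address.rpartition("@")[2].lower()


def looks_authentic(raw_message, expected_domain):
    """True only when the From domain is the one you expect and DMARC passed
    (a DMARC pass already requires an aligned SPF or DKIM pass)."""
    verdicts = auth_results(raw_message)
    return from_domain(raw_message) == expected_domain and verdicts.get("dmarc") == "pass"


if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE_SAMPLE), ("spoofed", SPOOFED_SAMPLE)):
        print(name, auth_results(sample), looks_authentic(sample, "example.com"))
```

To use it on a real message, save the message with full headers (most webmail clients offer “show original” or “view source”) and pass the text to `looks_authentic` with the domain you expect; a DMARC fail or a From domain that merely resembles the brand is the signal to treat the mail as suspect rather than act on it.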

It seems the emails are from linkedin.

No notifications in this case.

I will.

If there is any breach, I bypassed it through changing my passwords multiple times. Anyway no breach was found.
Thank you

1 Like

Hi
I kept an old password for the linkedin site in BW, and logged in manually to LI. The same problem appeared, which means that BW is not the source of the problem but the Linkedin site.
I added the option to login with a pin code and logged in with that pin code. No message was received about any login try.
I sent a case request to linkedin support and waiting for response from them.
Thanks

5 Likes

This is a good trick. Thanks for sharing the technique.

2 Likes
