Unauthorized access: log activities

My girlfriend received an email that notified a login to her bitwarden wallet, from someone else.

I changed her password, canceled all authorizations and enabled 2FA,
and changed all the most important passwords.

But… is there a way to find if this hacker in the meantime downloaded the entire vault before these actions?

Unless this was an opportunistic breach (perhaps by an acquaintance who happened to find out your gf’s master password and was just curious), one of the first things an attacker would do after gaining access to a Bitwarden vault would be to export the vault contents. So, yes, unless you are able to find out who accessed her vault and why, you should assume that everything in her vault has been stolen.

It is possible that the intruder obtained a copy of the 2FA recovery code, which would allow them to bypass the 2FA that you have now set up. The only way to disable the current recovery code is to use it. Thus, you should get the current code, and enter it on the 2FA recovery form (https://vault.bitwarden.com/#/recover-2fa or https://vault.bitwarden.eu/#/recover-2fa, depending on where her account is hosted). This disables all 2FA on the account, so you would then need to enable 2FA again. And you should then get the new 2FA recovery code and store it in a secure location (e.g., on your Emergency Sheet).

In addition, when you changed the master password, did you also enable the option to “Also rotate my account’s encryption key”? If not, you should go back and rotate the account encryption key.

I enabled 2FA after canceling auth and changing master password: do you think the procedure you described is still necessary?

thank you!

I think it is best. If the intruder knew what they were doing, they would have grabbed a copy of the 2FA recovery code while they were logged in to your gf’s account. Exporting the vault contents and getting the 2FA recovery code would only take seconds, so it is very possible that this was done before you had time to deauthorize the active sessions.

As far as rotating the account encryption key, that is an absolute must. The intruder now has a copy of the existing encryption key, so if they ever get a copy of the encrypted vault in the future (e.g., by stealing one of your gf’s devices, or by breaking in to Bitwarden’s servers), they can easily decrypt all of the stored secrets — without needing the new master password or the 2FA.
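To make the point about key rotation concrete, here is an added illustration (not part of the thread, and not Bitwarden's code). It models the usual "password wraps a random vault key, the vault key encrypts the items" design with a constructed account, a toy HMAC-SHA256 stream cipher standing in for the real AES-CBC+HMAC scheme, and a `Vault` class, `demo()` function and the sample item values that are all assumptions of this example. It shows that changing only the master password re-wraps the vault key but leaves every stored item decryptable by anyone who already copied that key, and that rotating the key is what actually cuts them off.

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 iteration count (600,000 is Bitwarden's current default).
PBKDF2_ITERATIONS = 600_000


def derive_master_key(master_password: str, email: str) -> bytes:
    """Stretch the master password into a 256-bit key, salted with the account e-mail."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(),
        PBKDF2_ITERATIONS, dklen=32,
    )


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys so one key is never used for both roles.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream built from HMAC; a stand-in for AES, not for production use.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; a wrong key raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class Vault:
    """What the server stores: a wrapped vault key plus encrypted items, never any plaintext."""

    def __init__(self, email: str, master_password: str):
        self.email = email
        vault_key = secrets.token_bytes(32)  # random symmetric key that protects the items
        self.wrapped_key = encrypt(derive_master_key(master_password, email), vault_key)
        self.items = []

    def unlock(self, master_password: str) -> bytes:
        """Unwrap the vault key with the master password (fails on a wrong password)."""
        return decrypt(derive_master_key(master_password, self.email), self.wrapped_key)

    def add_item(self, master_password: str, secret: str) -> None:
        self.items.append(encrypt(self.unlock(master_password), secret.encode()))

    def read_items(self, vault_key: bytes) -> list:
        return [decrypt(vault_key, blob).decode() for blob in self.items]

    def change_master_password(self, old_password: str, new_password: str, rotate_key: bool = False) -> None:
        vault_key = self.unlock(old_password)
        if rotate_key:
            # Rotation: mint a fresh vault key and re-encrypt every item under it.
            new_key = secrets.token_bytes(32)
            self.items = [encrypt(new_key, decrypt(vault_key, blob)) for blob in self.items]
            vault_key = new_key
        # Without rotation only this wrapper changes; the items keep the old key.
        self.wrapped_key = encrypt(derive_master_key(new_password, self.email), vault_key)


def demo() -> dict:
    # Constructed sample account; the e-mail, passwords and item are made-up values.
    vault = Vault("alice@example.com", "old-master-password")
    vault.add_item("old-master-password", "bank: hunter2")
    stolen_key = vault.unlock("old-master-password")  # what an intruder holds after one login

    # Step 1: change the master password only.
    vault.change_master_password("old-master-password", "new-master-password")
    results = {"stolen_key_still_works_after_password_change": vault.read_items(stolen_key) == ["bank: hunter2"]}
    try:
        vault.unlock("old-master-password")
        results["old_password_rejected"] = False
    except ValueError:
        results["old_password_rejected"] = True

    # Step 2: rotate the account encryption key as well.
    vault.change_master_password("new-master-password", "new-master-password", rotate_key=True)
    try:
        vault.read_items(stolen_key)
        results["stolen_key_rejected_after_rotation"] = False
    except ValueError:
        results["stolen_key_rejected_after_rotation"] = True
    results["new_password_still_reads_vault"] = (
        vault.read_items(vault.unlock("new-master-password")) == ["bank: hunter2"]
    )
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The first result is the one that matters for this thread: after the password change alone, the copied key still opens every item, which is exactly why the intruder would not need the new master password or the new 2FA if they later obtained another copy of the encrypted vault.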

Ok thank you.
Do you know if activities are logged and I can check what data he has acquired?

Not unless you have an Enterprise Plan.