Unauthorized access to my vault with TOTP phone app enabled

Heya everyone!

I just received an email about someone logging into my Bitwarden account, even though TOTP via Authy was enabled. That’s the only two-factor I’m using.

My master password was pretty secure (more than 12 characters, lowercase, uppercase, special characters etc.) and that password was never saved in another password manager or in a file on my PC. I also never used this password anywhere else.

I’m from Germany and mainly use Chrome; the attacker was using Firefox and their IP is from Russia, Moscow.

Now I’m wondering:
How is it possible that someone can log into my account, when I have a TOTP set up?

Yes, I made sure not to click anything in that email, even though I made sure it definitely is legit by checking the source code of the email. After I logged into my Bitwarden account to first change my master password and then actually delete my account because of what happened now, I was also able to see the session from the attacker 5 minutes prior to my login.

Why I deleted my Bitwarden account? I switched to another password manager a few weeks ago, so I kept Bitwarden as some kind of “backup”, until now…

Thank you in advance for your answers!
DerFabse

Hello and welcome to the community :waving_hand:

When you logged in with Chrome browser, did you have to supply a TOTP code?

Yes, I had to enter a code. That’s why I’m so confused. It was also enabled when I checked my account settings.

Here’s a problem. They have your password and some form of 2FA authentication (not the recovery code, maybe the TOTP seed itself, maybe some form of 2FA token). There is no known way from the user side to bypass either of these. There is no known Bitwarden vulnerability that would have allowed this. There is no known Bitwarden data breach that would have leaked TOTP secrets associated with the accounts. Typically, when helping a user, we look for ways in which the passwords and 2FA may have been leaked. Often, especially recently, we don’t find any.

As a response to this security breach, you can:

  1. Scan all your devices for malware using third-party tools. If you use a Windows machine, try confirming that you have no malware on BleepingComputer’s malware removal help forum.
  2. Consider re-encrypting your Authy entries with a new backup password. If you already have multiple Authy devices, make sure to disable the Authy multi-device feature. If your Authy account is keyed to your phone, then adding an authorized device may be unlikely, but it has happened in the past with Authy’s security breach.
  3. Once you have a malware-free device (maybe the desktop is easiest), change all the passwords and TOTP seeds (you might not have had any) stored in your Bitwarden vault. Since you have deleted your vault, I hope you have some way to find out.
1 Like

But is only Bitwarden affected?

  1. Even if I had malware on my PC, they’d only have access to my password via some kind of keylogger and not my 2FA code.
  2. Authy only has a master password, which gets changed every once in a while because they ask me to.
  3. I don’t even know what a TOTP seed is, so I doubt that I ever used that.

I think @Neuron5569 mentioned this in regard to your Bitwarden vault – but you definitely use TOTP seed codes in Authy. TOTP seed codes are the thing that you store in Authy to get the TOTP verification codes generated. (-> if you scan a QR code when you set up “TOTP”: those QR codes contain the TOTP seed code… which BTW can often also be entered manually, alternatively, when you can’t scan the QR code)

(And another way to put it: essentially, @Neuron5569 meant, if you used Bitwarden’s integrated authenticator → then you would have stored TOTP seed codes also in the Bitwarden vault… and BTW, Bitwarden calls the TOTP seed codes Authenticator keys… another synonym would be TOTP secret keys)

2 Likes
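The relationship described in the reply above (the QR code carries the seed, and the seed is what produces every verification code) can be made concrete with a small RFC 6238 implementation. This is an added example, not code from the thread's participants, Bitwarden or Authy. The otpauth URI is constructed for illustration: the issuer and account label are placeholders, and the secret is the RFC 6238 reference test key, so the codes it produces match the published test vectors. The `verify_totp` function shows the server-side check with a clock-skew window and a constant-time comparison.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs, unquote

# Constructed example of what a TOTP enrollment QR code encodes (an otpauth URI).
# The secret is the RFC 6238 reference test key (ASCII "12345678901234567890"),
# base32-encoded; the issuer and account label are made-up placeholders.
EXAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleIssuer:user%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleIssuer"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth_uri(uri):
    """Extract what an authenticator app stores after scanning the QR code.

    The decoded 'seed' is the long-lived secret; everything else is a parameter.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = query["secret"].upper().replace(" ", "")
    # base32 input must be padded to a multiple of 8 characters before decoding
    secret += "=" * (-len(secret) % 8)
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer"),
        "seed": base64.b32decode(secret),
        "algorithm": query.get("algorithm", "SHA1").lower(),
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def hotp(seed, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamically truncate."""
    mac = hmac.new(seed, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed, at_time=None, digits=6, period=30, algorithm="sha1"):
    """RFC 6238: the counter is the number of `period`-second steps since the epoch.

    Anyone holding `seed` can compute this value for any point in time, which is
    why the seed must be protected like a password.
    """
    if at_time is None:
        at_time = time.time()
    return hotp(seed, int(at_time) // period, digits, algorithm)


def verify_totp(seed, submitted, at_time=None, window=1,
                digits=6, period=30, algorithm="sha1"):
    """Server-side check: accept the current step and `window` steps on either
    side to tolerate clock skew, comparing each candidate in constant time."""
    if at_time is None:
        at_time = time.time()
    step = int(at_time) // period
    for offset in range(-window, window + 1):
        expected = hotp(seed, step + offset, digits, algorithm)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    enrolment = parse_otpauth_uri(EXAMPLE_OTPAUTH_URI)
    print("seed bytes:", enrolment["seed"])
    # RFC 6238 test vector: at t=59 the 6-digit SHA-1 code is 287082
    print("code at t=59:", totp(enrolment["seed"], at_time=59))
    print("current code:", totp(enrolment["seed"]))
```

The six-digit codes rotate every 30 seconds, but the seed inside the URI never changes; once it has been copied (from a QR screenshot, an unencrypted authenticator backup or a vault entry), the copy keeps producing valid codes indefinitely, which is the reason the replies above treat the seed as the thing that may have leaked.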

I assume your question is “Why is only Bitwarden affected?” My answer is I don’t know. One way to find out (and actually give you and me more data) is to wait and see if more accounts (with better logging) will get breached. We know they have your Bitwarden password and the passwords stored in Bitwarden, though. Suggesting that you wait without responding may be considered irresponsible.

  • P-1: Does anyone else know your Bitwarden password?

  • P-2: Is the password only kept in your memory? Did you write it down? Do you keep the password in electronic forms beyond your password managers and files on your PC (USB)? Did you have the master password stored in Bitwarden itself?

  • P-3: Presumably, you no longer use/need this password. Have you checked it against breach databases like HaveIBeenPwned?

  • P-4: Have you checked your emails (especially the one used with Bitwarden) against breach databases like HaveIBeenPwned and HudsonRock?

  • P-5: Have you ever exported your Bitwarden vault, as plaintext or encrypted? If encrypted, did you supply a different password, or use the same Bitwarden password?

  • 2FA-1: Authy had a desktop PC version. Did you ever use this on the PC?

  • 2FA-2: When you logged on to BW on the PC in the past, have you ever used “Remember me” options to avoid supplying TOTP codes repeatedly?

Please do remember what I said earlier about no known vulnerability or breach with Bitwarden. Unless somebody comes up with a vulnerability report, possibly with a proof of concept (like in HackerOne’s report), it is unlikely to be acknowledged, even if you may suspect it must be Bitwarden. As Bitwarden users, we also have suspicions, but unless we can pinpoint specific ways that the “hack/breach” happened, the murky circumstances are unlikely to get us anywhere either.

Here are Authy’s explanations about the different protections and terms they have had in the past, including master password, backup password, and PIN.

  • 2FA-3: Is your Authy account keyed to your phone number? If you start with a phone that has no Authy installed, do you use a phone number to identify your Authy account?

@Nail1684 explained this part.

1 Like