Unknown login notification

Hi team,

I just got an email notification from a new device in South Korea.
It’s obviously not me and I have changed my master password and activated 2FA less than 20 mins after the login time.

That being said, 20 mins is a lot of time for someone to access my vault.
Is there any way I can know what activity occurred from that IP during these 20 mins please?

Many thanks,
Steph.

Hello Stephane,

You do not receive activity reports from BW beyond the email notifications you mentioned. The web vault now includes a list of clients you have ever used to log in, but this provides less detail than the login emails you received.

Since the attacker had your master password, once they logged in, they would likely export your vault, allowing them to access all your credentials stored in BW. You need to change the passwords/passkeys/2FAs stored in BW for all your accounts in order of importance, and enable two-factor authentication (2FA) wherever possible.

An important question is how they obtained your master password. If you reuse passwords or use patterned passwords that have been leaked, that could explain the breach. If your password is unique and difficult to guess, you should ensure that your devices are free of malware. Otherwise, if you make changes on those devices, the attacker may receive the updated information immediately, rendering your changes ineffective.

You can check your email/password leaks at:

2 Likes

@Stephane_Thao Welcome to the forum!

Just some small additions to @Neuron5569:

A first check should also always be whether this was a “fake Bitwarden” email, not coming from Bitwarden. But as @Neuron5569 suggested, it is now possible to check in the web vault whether a login indeed occurred:

You can find that in the Web Vault following this path: Settings → Security → Devices (sort by date should show it the best)

Just FYI, “we” here in the community usually recommend an at least 4-random-words passphrase as a master password. (like the BW passphrase generator would produce) – Passphrases are easy to remember and type, but if they are random words, they are still strong.

When you set up 2FA for your Bitwarden account, you should always also store the 2FA recovery code then.

And you should also create an emergency sheet now (if not already done), with at least your BW email address, master password, server region, 2FA recovery code and your full login credentials for your BW email address on it. (the latter because if you ever get subjected to the new device login protection)

Here’s a template for such an emergency sheet: Bitwarden security readiness kit | Bitwarden

Yeah, and to say it bluntly, you really should consider your whole vault as compromised now. (if it wasn’t a fake-Bitwarden email and a login really occurred)

Maybe this blog article also contains some further tips for you: What to do if you think one of your online accounts has been hacked | Bitwarden