I am the admin of a Bitwarden organization (family plan), and one of the members had their phone stolen at the gym. What’s the playbook for dealing with a compromised organization member? I’ve done the following:
Removed that user’s account from the organization.
Changed the passwords the compromised account had access to.
De-authorized all of the compromised account’s sessions.
Changed the compromised account’s master password and rotated the account encryption key.
Re-added that account to the organization.
Is there anything else I need to do? What I’ve done is probably sufficient for a simple phone theft, but what about a theoretical advanced attacker? If I understand how organizations work, then all members share the same symmetric organization key. If an advanced attacker has access to an organization member’s device, wouldn’t they theoretically have access to the organization key? Would a future data breach of Bitwarden’s vaults put the entire organization at risk? Should I delete the organization, make a new one, and rotate all of the organization’s passwords?
It’s a good question. To my knowledge, there is no mechanism available for rotating the Organization Symmetric Key (other than starting over with a new organization). An attacker would have access to the Organization Symmetric Key if they have access to the User Symmetric Key of any organization member (and a copy of the encrypted vault cache, which will be available on any logged-in device). Typically, obtaining the User Symmetric Key would require an attacker to know (or guess) the user’s master password (or PIN, if the vault is locked using a PIN), unless the user has configured their Vault Timeout period to “Never”.
The good news is that (based on a quick experiment looking at the contents of the data.json file), it seems that the local vault cache on an organization member’s device only includes those collections to which the member has view access. Thus, an attacker who is in possession of a device that has a logged-in Bitwarden app (or extension) will not be able to acquire organization data to which that organization member did not have view access; nonetheless, if they are able to acquire a complete copy of the encrypted organization vault from other sources, then they would be able to use the stolen Organization Symmetric Key to decrypt all available organization secrets.
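The key dependency the reply above describes, as an added example that is not Bitwarden's code or its actual key hierarchy: a toy model in which one organization key is wrapped under each member's password-derived key, replaying the admin's playbook from the question to check what a stale device cache still unlocks. The symmetric wrapping, the HMAC-based stand-in cipher, and the sample e-mail and passphrases are assumptions for the model.

```python
# Toy model (an assumption, not Bitwarden's scheme): one org key, wrapped per member.
import hashlib, hmac, os

def derive_user_key(master_password: str, email: str) -> bytes:
    # slow KDF from the master password; the email stands in for a per-user salt
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.encode(), 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # toy stand-in for AES-GCM: HMAC-based CTR keystream, then an encrypt-then-MAC tag
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Organization:
    def __init__(self) -> None:
        self.org_key = os.urandom(32)  # the single symmetric key every member shares
        self.wrapped = {}              # email -> org_key encrypted under that member's user key
        self.vault = []                # shared items, each encrypted under org_key
    def add_member(self, email: str, user_key: bytes) -> None:
        self.wrapped[email] = encrypt(user_key, self.org_key)
    def remove_member(self, email: str) -> None:
        self.wrapped.pop(email, None)  # the org_key itself is not rotated
    def add_item(self, secret: bytes) -> None:
        self.vault.append(encrypt(self.org_key, secret))

def simulate_stolen_device() -> tuple:
    # replay the admin's playbook, then check what the old device cache still unlocks
    org = Organization()
    old_key = derive_user_key("old passphrase", "member@example.com")  # constructed sample
    org.add_member("member@example.com", old_key)
    cached_wrapped_key = org.wrapped["member@example.com"]  # what the stolen device holds
    org.remove_member("member@example.com")  # playbook: remove, rotate account key, re-add
    org.add_member("member@example.com", derive_user_key("new passphrase", "member@example.com"))
    org.add_item(b"rotated-db-password")     # a secret rotated after the incident
    recovered = decrypt(old_key, cached_wrapped_key)  # old cache + old master password
    return (recovered == org.org_key,                                     # org key unchanged
            decrypt(recovered, org.vault[-1]) == b"rotated-db-password",  # new items readable
            Organization().org_key != recovered)                          # only a new org differs
```

All three checks come back true: the member rotation leaves the organization key intact, so the defensive fix for a suspected key compromise is a new organization plus password rotation, exactly as the thread concludes.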
I think this was a problem with LastPass’s mass encrypted vault theft as well. If a member’s password could be cracked, the entire organization’s vault was at risk, and there was no easy remedy either, except restarting the organization’s vault and onboarding all the members again.
So, it seems this is a general problem for this kind of sharing architecture.
Well, I guess we’ll just have to keep our ear to the ground about potential LastPass-style data breaches in the future and quickly rotate the organization’s passwords if that happens.