Ask HN: Anyone else Bitwarden account being attacked

31 points by thedangler ↗ HN
My Bitwarden is being attacked. I get emails from Bitwarden about someone trying to access my account. Emails look legit.

Anyone else experiencing this today?

17 comments

[ 0.21 ms ] story [ 20.2 ms ] thread
I don't use that service. Do you have two-factor authentication? If not, you should really consider using it. The 2fa is a major security upgrade for any account.
I had problems with their 2FA where the code would come via SMS but be rejected. I was able to recover via email but it was distressing. Do they have OTP service now?
I use an auth app for 2FA.
They also support Yubikey.
Nope. Someone may just be targeting you. May be worthwhile to change your master password.
I would not recommend ever changing credentials while under attack, unless they are known to be weak (but the time to change them is before the attack, in that case). The process of changing them opens up several vectors of attack. Additionally, if the attacker already obtained the encrypted payload, it would only be harmful to give them the same data encrypted under a new key.
What additional vectors?

If they already had the data, would they be using the web account login page?

E.g. PITM attack on password reset endpoints.

And yes, if I had a bitwarden vault I wanted to crack I'd absolutely be using the web account login page. The latter is more likely to yield to have some vulnerability than the at-rest encryption, which when exploited would yield the password; or it could scare the target into falling into my PITM attack, or otherwise act irrationally.

PITM?

What type of vulnerability could the web interface have that the offline password file wouldn't? Unless they have a backdoor. The speed difference would also be tens or millions of times faster.

This happened to me too (from a NordVPN IP). I presume someone is spamming Bitwarden with login credentials they found in some stolen database. It’s possible that Bitwarden had a database breach but that’s very unlikely.
Yes on Sunday, June 11, 2023 at 11:51 AM UTC
Yes I got the same email alert. Someone with a Bangladesh IP address was attempting to gain access.
Is this within bitwarden server or on your self hosting server ?
I reset my password from the app not the web service. I also do not have my username in bitwarden only the passwords.
Never got this.

Depending on your threat model, I suggest using a unique email address to register your password manager account. Harden that email account and set up email forwards if it's separate or just give the password manager a unique name for your catch-all email address (I believe iCloud offers something similar to this as well).