Bitwarden account - Attempted hack today

aja8888 (Moderator Emeritus; joined Apr 22, 2011; 18,954 messages; Conroe, Texas)
Just got this email from Bitwarden. Thank God I don't keep investment or bank account login data in these password managers. I use Bitwarden as a backup to my LastPass account which is active. At least they were unsuccessful in getting in and stealing things like my Seeking Alpha username/password and a slew of logins for other non-essential websites I visit.

Well Bitwarden, thanks for the EXTRA security, whatever it is. (y) (why wait until a hack attempt before you add the EXTRA SECURITY?)

Additional security has been placed on your Bitwarden account.
We've detected several failed attempts to log into your Bitwarden account. Future login attempts for your account will be protected by a captcha.
Account: XXXXX-XXXX-XXXX
Date: Monday, May 13, 2024 at 8:50 PM UTC
IP Address: 200.232.171.138
If this was you, you can remove the captcha requirement by successfully logging in.
If this was not you, don't worry. The login attempt was not successful and your account has been given additional protection.
 
Still very scary.

Glad you remain safe.
 
I have 2FA on all my important accounts. It was an authentic email from Bitwarden and I have a very rigorous password on that password manager (actually, all my important passwords are hard to crack). I really have BW as a backup to Lastpass.
 
If privacy is any concern, note that captcha is probably operated by Google, which means Bitwarden can find out from Google who you are. That associates the passwords you keep at Bitwarden with your known information, thereby reducing the security of those passwords and the accounts they open. Just sayin.
 
I'm a bit leery of cloud-based password managers, too. Seems like a "single point of failure" situation to me. And a tempting target for any would-be hackers.

Still, you have to give Bitwarden credit on this one. It's good that they have procedures in place to catch brute-force password attempts, to take action when it's detected, and to communicate that to you.
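As an added illustration of the kind of control the post above credits Bitwarden for (this is example code written for this thread, not Bitwarden's own implementation, and the log format, the threshold of five failures in ten minutes, and the account names are constructed assumptions): a small defender-side monitor that scans authentication log lines, flags an account for a captcha challenge once the failure threshold is crossed within the window, records the event so a notice like the one quoted in the first post could be sent, and clears the requirement again after a successful login.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format, not Bitwarden's real logs).
# alice: five failures in a minute, never logs in afterwards.
# bob:   five failures, then a successful login from a different address.
SAMPLE_LOG = """\
2024-05-13T20:48:01Z account=alice@example.test ip=203.0.113.7 result=FAIL
2024-05-13T20:48:09Z account=alice@example.test ip=203.0.113.7 result=FAIL
2024-05-13T20:48:20Z account=alice@example.test ip=203.0.113.7 result=FAIL
2024-05-13T20:48:31Z account=alice@example.test ip=203.0.113.7 result=FAIL
2024-05-13T20:49:02Z account=alice@example.test ip=203.0.113.7 result=FAIL
2024-05-13T20:50:00Z account=bob@example.test ip=198.51.100.9 result=FAIL
2024-05-13T20:50:05Z account=bob@example.test ip=198.51.100.9 result=FAIL
2024-05-13T20:50:11Z account=bob@example.test ip=198.51.100.9 result=FAIL
2024-05-13T20:50:17Z account=bob@example.test ip=198.51.100.9 result=FAIL
2024-05-13T20:50:24Z account=bob@example.test ip=198.51.100.9 result=FAIL
2024-05-13T21:30:00Z account=bob@example.test ip=192.0.2.44 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps of failures inside the window
    captcha_required: bool = False                  # extra protection currently applied?
    alerts: list = field(default_factory=list)     # (timestamp, ip) each time protection was applied


def parse_line(line: str):
    """Parse one log line; return (ts, account, ip, result) or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["account"], m["ip"], m["result"]


def evaluate(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=10)):
    """Replay the log in order and return the per-account protection state."""
    states: dict[str, AccountState] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, account, ip, result = parsed
        st = states.setdefault(account, AccountState())
        if result == "SUCCESS":
            # A successful login proves the legitimate owner is present:
            # reset the counter and lift the captcha requirement.
            st.failures.clear()
            st.captcha_required = False
            continue
        # Keep only failures still inside the sliding window, then add this one.
        st.failures = [t for t in st.failures if ts - t <= window]
        st.failures.append(ts)
        if len(st.failures) >= threshold and not st.captcha_required:
            st.captcha_required = True
            st.alerts.append((ts, ip))   # this is the point at which the user is notified
    return states


if __name__ == "__main__":
    for account, st in evaluate(SAMPLE_LOG).items():
        print(account, "captcha_required:", st.captcha_required, "alerts:", st.alerts)
```

The important design point is that the counter is per account, not per source address, so a bot rotating through many addresses still trips the threshold, and that a genuine login clears the state, matching the "you can remove the captcha requirement by successfully logging in" wording of the notice.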
 
And isn't that the point of having a strong and reliable password manager? That there are controls in place to add additional security when there are brute force attempts to log into the account. I'm sorry you got the email, and glad to see they have protocols in place.
 
And isn't that the point of having a strong and reliable password manager? That there are controls in place to add additional security when there are brute force attempts to log into the account. I'm sorry you got the email, and glad to see they have protocols in place.
Yes, me too.
 
If privacy is any concern, note that captcha is probably operated by Google, which means Bitwarden can find out from Google who you are. That associates the passwords you keep at Bitwarden with your known information, thereby reducing the security of those passwords and the accounts they open. Just sayin.
I don't understand your logic here. Bitwarden already "knows who you are" if you have an account with them, so how does using Google's reCAPTCHA reduce your online security in any way?
 
I don't understand your logic here. Bitwarden already "knows who you are" if you have an account with them, so how does using Google's reCAPTCHA reduce your online security in any way?
I think my account was hit by a bot and not a person. The captcha asks you to match an object in one photo with choices from another photo. A human must do that, as the bot is software and just runs password attempt routines.
 
I think my account was hit by a bot and not a person. The captcha asks you to match an object in one photo with choices from another photo. A human must do that, as the bot is software and just runs password attempt routines.
Sure, that all makes sense, but my reply was directed at GrayHare's comments about the security issues with Bitwarden's use of Google's reCAPTCHA... which I fundamentally do not understand.
 
Sure, that all makes sense, but my reply was directed at GrayHare's comments about the security issues with Bitwarden's use of Google's reCAPTCHA... which I fundamentally do not understand.
Sorry, I wasn't paying attention to the quoted text. My bad.
 
Yes, if Bitwarden already knows your identity, Google sharing that won't change anything.
 
2FA with something other than a cell phone is a MUST NEED feature for any password manager. I use a password over 24 characters long AND a YubiKey with BitWarden, which makes it very hard to hack into my BitWarden account.
 
We've detected several failed attempts to log into your Bitwarden account. Future login attempts for your account will be protected by a captcha.
I think my account was hit by a bot and not a person.
Where did the "Bot" attempt to log into your Bitwarden account? Through your computer or an app on your phone? I don't believe there is login functionality on the Bitwarden.com website, right?
 
I don't believe there is login functionality on the Bitwarden.com website, right?
Well, I just found out I was not right. You CAN login to your account at Bitwarden.com. I recently downloaded the phone app and browser extension (for Brave) and have been playing around with it. Not using for critical financial accounts though.

I thought from reading their security policy that it said Bitwarden encrypts your data on your device and that only your encrypted data is sent to internet servers for storage and sharing with your other devices. Well, if this is the case, then I think that signing in to the online account would not expose your accounts/passwords, right? I'm going to dig further into their policy and online account so I can truly understand the vulnerability here.
 
Well, I just found out I was not right. You CAN login to your account at Bitwarden.com. I recently downloaded the phone app and browser extension (for Brave) and have been playing around with it. Not using for critical financial accounts though.

I thought from reading their security policy that it said Bitwarden encrypts your data on your device and that only your encrypted data is sent to internet servers for storage and sharing with your other devices. Well, if this is the case, then I think that signing in to the online account would not expose your accounts/passwords, right? I'm going to dig further into their policy and online account so I can truly understand the vulnerability here.
I "suspect" that my account (online) was attacked by a Bot that runs a routine to try to crack the password. Bitwarden didn't say who did the "attempted password" hacks. But my strong password stopped them, I guess.
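The question raised above, whether signing in to the online account exposes the stored passwords when encryption happens on the device, comes down to how the login credential is derived. The following is an added, simplified model written for this thread (not Bitwarden's own code; the iteration counts, the use of the lower-cased email as salt, and the two-stage derivation are assumptions chosen for illustration): the device stretches the master password into a vault key that never leaves it, then derives a separate one-way login hash to send to the server, which salts and re-hashes that before storing it. A server-side record therefore contains neither the vault key nor anything that decrypts the vault, and a guessed password still has to pass the slow derivation first.

```python
import hashlib
import hmac
import os

# Illustrative iteration counts (assumed for this example; real products tune these much higher).
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 10_000


def derive_client_keys(email: str, master_password: str):
    """Runs entirely on the user's device. Returns (vault_key, login_hash).

    vault_key never leaves the device; it is what protects the vault contents.
    login_hash is the only value sent to the server as the login credential.
    """
    salt = email.strip().lower().encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, CLIENT_ITERATIONS)
    # One extra one-way step so the server receives a hash *of* the vault key, not the key itself.
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, login_hash


def server_enroll(login_hash: bytes) -> dict:
    """Server side at account creation: never stores login_hash directly,
    but re-hashes it with a fresh random salt, as for any password database."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, login_hash: bytes) -> bool:
    """Server side at login: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def login(email: str, password: str, record: dict):
    """Whole round trip for one login attempt. Returns (accepted, vault_key or None).

    Note that vault_key is produced on the client and is never part of the exchange;
    the server only ever sees login_hash.
    """
    vault_key, login_hash = derive_client_keys(email, password)
    if server_verify(record, login_hash):
        return True, vault_key
    return False, None


if __name__ == "__main__":
    _, lh = derive_client_keys("user@example.test", "correct horse battery staple")
    rec = server_enroll(lh)
    print("correct password accepted:", login("user@example.test", "correct horse battery staple", rec)[0])
    print("wrong password accepted:  ", login("user@example.test", "guess1234", rec)[0])
```

The practical consequence for the thread's worry: a successful web login does hand the browser session the vault key (because the browser ran the derivation), so the web vault is as sensitive as the extension on the same machine, but someone who only copies the server's user table gets a salted hash and nothing that opens the vault.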
 
Certainly all the ones in the cloud.
I run mine on my machine, so it's not a giant target for brute hacking.
What password manager are you using that is not in the cloud? Or do you mean you are using the Bitwarden app/browser extension on your machine?

I'm using the Bitwarden browser extension/add-on on my PC and phone but not liking the thought of there being an online account that I, or some hacker, can also sign into to see all my credentials in the cloud. I'm also not happy with having to use an email address (more prone to brute force attacks) to sign in to my account (would rather be able to create my own, non-email, username) to go along with the password.
 
This is why you want to have multiple layers of security. Even if I gave you my Vanguard account password, you couldn’t login.
 
What password manager are you using that is not in the cloud?
I use KeePass. It's free and open source. I control where I store the (encrypted) database containing my passwords. It's easy enough to keep them synced among multiple devices, since I do that with a lot of other data, too.

Admittedly, this method is a lot more hands-on than just letting Google or Apple or various apps manage your data for you, in their cloud. But worth it, IMHO.
 