Bitwarden hacks?

khoidang · May 7, 2021, 7:44pm

I’ve been seeing what I would consider an abnormally high amount of activity about people getting their accounts hacked on the Bitwarden reddit page. The affected users all seem to not have 2FA turned on. I’m curious if anyone has seen other reporting on this.

TheCakeIsNaOH · May 7, 2021, 8:31pm

This makes it likely that someone has started trying user/pass combinations from another hack/breech and anyone reusing a password is getting pwned.

There is also a small chance that there is an issue with Bitwarden.

Trooper_ish · May 7, 2021, 8:37pm

I count 3 posts.

Is there more?

Nothing reported on the BW forum from actual users.

Not sure BW breached/compromised at this point

khoidang · May 8, 2021, 12:22am

3 around the same time seems a little abnormal. But I agree that there’s probably not a breach of any kind, but just individuals who have poor passwords or reused passwords so probably from some other leak

Trooper_ish · May 8, 2021, 12:24am

Probably more noise as there was a load of new users across from Last Pass.

Not a bad heads up though, I use BW, and am for sure keeping an eye out in case there was an issue.

SgtAwesomesauce · May 8, 2021, 8:55pm

Their bitwarden accounts or associated accounts?

khoidang · May 8, 2021, 10:11pm

Looks like their bitwarden accounts were hit

SgtAwesomesauce · May 8, 2021, 10:46pm

And what was their master password? 12345?

If the master password is in rockyou, or hydra permutations, it’s not a secure password.

khoidang · May 9, 2021, 12:56am

Could be something simple, but more likely in a data leak where the server stored info in plain text

Trooper_ish · May 9, 2021, 3:25am

Any new reports since?

Or just the couple of guys who look to have re-used passwords?

anon35662433 · May 9, 2021, 3:44am

I know a little off-topic but, It’s really a shame that developers don’t understand what “salts” are for password hashes. I do stuff like take the users password append their username, the date they joined, their pass hashed with sha1, and a hardcoded salt to hash a password, and then double hash ( SHA256 into SHA3 384 bit or Argon2). So at that point, even if they do make it past my other password requirements, it’s not going to be a “simple” password; but they still only have to remember their “simple” password.

To be fair, I guess this won’t help against a leak from another site that doesn’t take these steps breaching an account on one of my sites, but the inverse will likely never happen.

MetalizeYourBrain · May 9, 2021, 10:50am

I think (and hope too) that those “hacked” accounts are just the result of re-used master passwords and not an issue with Bitwarden itself.
I also think that everyone should take courses on online security, from kids to adults. I’m even willing to condone sponsored ones by serious companies like RSA, for example.

khoidang · May 9, 2021, 11:00am

My feed has been quiet since. Probably just reuse/minimal modification of old password

Or maybe it was some lastpass guys trying to make bitwarden look bad

SgtAwesomesauce · May 10, 2021, 2:06am

Wouldn’t be surprised. Bitwarden has been raking in users.