Is Bitwarden Secure? Unraveling the Google Ads Phishing Attack on Password Vaults

If you use Bitwarden as your password manager, you may have heard about the recent phishing attack that targeted its users through Google ads. You may be wondering: is Bitwarden safe to use? How can you protect yourself from such attacks? And what are the best practices for using a password manager securely? In this blog post, I will answer these questions and more. I have been using Bitwarden for over a year and I have researched its security features and policies extensively. I will share with you my insights and tips on how to use Bitwarden safely and effectively. By the end of this post, you will have a clear understanding of how Bitwarden works, how it protects your passwords, and how you can avoid falling victim to phishing scams.

Bitwarden is a safe and reliable password manager that uses end-to-end encryption to secure your passwords and other sensitive data. It does not store your master password or encryption key on its servers, so only you can access your vault. Bitwarden also offers various security features and options to enhance your protection and convenience.

However, Bitwarden is not immune to phishing attacks, which are designed to trick you into revealing your login credentials or other personal information. In fact, no password manager can protect you from phishing if you are not careful and vigilant. That’s why I will show you how to spot and avoid phishing attempts that target Bitwarden users, as well as how to report them if you encounter them. I will also give you some best practices for using Bitwarden securely, such as choosing a strong master password, enabling two-factor authentication, and using the browser extension and mobile app. If you want to learn more about how to use Bitwarden safely and effectively, keep reading this blog post.

Phishing attack that targeted Bitwarden’s users through Google Ads

First, let’s talk about the event. Earlier this week, Bitwarden users were alarmed when a Google ad titled ‘Bitward – Password Manager’ appeared in search results for the query “bitwarden password manager.”

Although our attempts to replicate this ad were unsuccessful, numerous reports on Reddit and the Bitwarden forums confirmed its presence [1, 2]. The ad directed users to a website called ‘appbitwarden.com,’ which, upon clicking, redirected them to ‘bitwardenlogin.com.’ Intriguingly, the page hosted on ‘bitwardenlogin.com’ mirrored the authentic Bitwarden Web Vault login page identically. As depicted below, this phishing page was meticulously designed to deceive unsuspecting users.

Phishing Page Deception and Uncertainty

During our investigative tests, the phishing page was observed to accept dummy credentials. Upon submission, users were then redirected to the legitimate Bitwarden login page. Unfortunately, due to timing constraints, we were unable to assess whether the phishing page also attempted to pilfer MFA-backed session cookies, which are commonly targeted by sophisticated phishing campaigns. Interestingly, opinions were divided among users regarding the legitimacy of the phishing page. While some individuals deemed the URL to be an apparent red flag, others struggled to differentiate between the genuine and fraudulent domains.

“God damn. In situations like this, how can I detect the fake one? This is truly scary,” expressed a concerned Reddit user in response to the phishing page incident. Another user commented, “People are saying to look at the URL, maybe it’s just my tiny brain, but I can’t tell which is the real one.”

Regrettably, Bitwarden is not the sole target of such malevolent phishing attempts via Google ads. Recently, security researcher MalwareHunterTeam discovered Google ads aiming to compromise credentials associated with the popular password manager, 1Password.

The Growing Threat of Google Search Result Advertisements

Google search result advertisements have evolved into a substantial cybersecurity menace in recent times. Researchers have exposed how threat actors exploit these ads to orchestrate malware delivery campaigns, gain initial access to corporate networks, exfiltrate credentials, and launch phishing attacks. This exploitation of a trusted platform not only jeopardizes individual users but also poses a significant risk to organizations and their sensitive data.

It’s a pretty chilly reality, isn’t it? So you will wonder if it’s the right decision to use a password manager, right? Now let’s examine all the information and knowledge about it that we can collect and find out:

What is Bitwarden and how does it work?

Bitwarden is a password manager that helps you create, store, and manage your passwords and other sensitive data securely. It allows you to access your passwords from any device and browser, and sync them across all your platforms. Bitwarden also lets you share your passwords with others, generate strong and unique passwords, and autofill your login credentials on websites.

Bitwarden is one of the few password managers that is open-source, which means that its source code is publicly available and can be reviewed by anyone. This ensures that Bitwarden is transparent about how it handles your data and that any security flaws can be quickly detected and fixed by the community. Bitwarden has also been audited by independent security firms to verify its compliance with industry standards and best practices.

Bitwarden uses end-to-end encryption to protect your data. This means that your data is encrypted on your device before it is sent to Bitwarden’s servers, and only you can decrypt it with your master password. Bitwarden does not store your master password or encryption key on its servers, so even if Bitwarden is hacked or compelled by law enforcement, your data remains safe and inaccessible.

Bitwarden offers various client applications that you can use to access your vault. You can use the web interface, desktop applications, browser extensions, mobile apps, or command-line interface. You can also self-host Bitwarden on your own server if you prefer to have more control over your data. Bitwarden supports multiple vaults for different purposes, such as personal, family, or business use. You can also organize your vault items into collections and folders for easier management.

How secure is Bitwarden and what are its security features?

Bitwarden is a highly secure password manager that uses industry-leading encryption and security standards to protect your data. Bitwarden has several security features that make it a trustworthy and reliable choice for password management. Here are some of the main security aspects of Bitwarden:

• End-to-end encryption: Bitwarden encrypts your data on your device before it is sent to Bitwarden’s servers, using AES-256 encryption, the same standard used by the US government and banks. This means that only you can decrypt your data with your master password, which is never stored or transmitted by Bitwarden. Bitwarden also uses salted hashing and PBKDF2 SHA-256 to strengthen your encryption key and prevent brute-force attacks¹.
• Zero-knowledge architecture: Bitwarden follows the principle of zero-knowledge, which means that Bitwarden does not know anything about your data or how to access it. Bitwarden does not collect or store any personal information about you or your online activity. Bitwarden also does not have access to your encryption key or master password, so even if Bitwarden is hacked or compelled by law enforcement, your data remains safe and inaccessible².
• Open-source software: Bitwarden is one of the few password managers that is open-source, which means that its source code is publicly available and can be reviewed by anyone. This ensures that Bitwarden is transparent about how it handles your data and that any security flaws can be quickly detected and fixed by the community. Bitwarden has also been audited by independent security firms and researchers to verify its compliance with industry standards and best practices³.
• Two-factor authentication: Bitwarden supports various methods of two-factor authentication (2FA), which adds an extra layer of security to your account. 2FA requires you to enter a second factor, such as a code or a device, in addition to your master password when logging in to your vault. Bitwarden supports email verification, authenticator apps, Duo Security, YubiKey, and FIDO U2F-compliant USB security keys as 2FA options¹².
• Secure sharing and management: Bitwarden enables you to securely share and manage your passwords and other sensitive data with other users across an organization. You can create multiple vaults for different purposes, such as personal, family, or business use. You can also organize your vault items into collections and folders for easier management. You can grant different levels of access and permissions to other users, such as view-only or edit rights. You can also revoke access at any time .

How to spot and avoid phishing attacks that target Bitwarden users?

Phishing attacks are attempts to trick you into revealing your login credentials or other personal information by impersonating a legitimate website or service. Phishing attacks can come via email, text message, voice message, chat apps, or when accidentally mistyping the URL for an intended website and ending up on a fake site.

Phishing attacks can have different objectives, such as stealing your passwords, bank account or social security numbers, or infecting your device with malware. Phishing attacks can also target specific services or platforms, such as Bitwarden, by creating fake websites or ads that look like the real ones.

To spot and avoid phishing attacks that target Bitwarden users, you need to be alert and cautious when entering your credentials or accessing your vault. Here are some tips to help you prevent phishing attacks:

• Check the sender’s email address and name: If you receive an email that claims to be from Bitwarden, make sure that the sender’s email address and name match the official ones. Bitwarden will only send emails from @bitwarden.com addresses and will never ask you for your master password or encryption key⁴. You can also check the list of emails that Bitwarden sends to verify their authenticity⁴.
• Hover over links and check the URL: If you see a link that claims to lead you to Bitwarden’s website or vault, hover over it and check the URL before clicking on it. The URL should start with https:// and match the official domain name of Bitwarden, which is bitwarden.com. Avoid clicking on links that have misspellings, extra characters, or unfamiliar domains .
• Use a password manager: A password manager like Bitwarden can help you avoid phishing attacks by autofilling your credentials on legitimate websites and not filling them on fake ones. Bitwarden will only autofill your credentials on websites that match the URL that you saved in your vault. If you see a website that looks like Bitwarden but does not autofill your credentials, it is likely a phishing site .
• Use two-factor authentication: Two-factor authentication (2FA) adds an extra layer of security to your account by requiring a second factor, such as a code or a device, in addition to your master password when logging in to your vault. Bitwarden supports various 2FA methods, such as email verification, authenticator apps, Duo Security, YubiKey, and FIDO U2F-compliant USB security keys⁵⁶. 2FA can prevent hackers from accessing your vault even if they manage to steal your master password through phishing.
• Report phishing attempts: If you encounter a phishing attempt that targets Bitwarden users, you should report it to Bitwarden and Google as soon as possible. You can contact Bitwarden’s support team at [email protected] and provide them with details of the phishing attempt, such as the sender’s email address, the link or URL of the fake website, and a screenshot of the email or website if possible⁷. You can also report the phishing attempt to Google by filling out this form . Reporting phishing attempts can help Bitwarden and Google take action against them and protect other users from falling victim to them .

How to report phishing attempts to Bitwarden and Google?

Reporting phishing attempts that target Bitwarden users is an important step to help Bitwarden and Google take action against them and protect other users from falling victim to them. Reporting phishing attempts can also help you recover your account if it has been compromised by hackers.

Here are the steps to report phishing attempts to Bitwarden and Google:

• Contact Bitwarden’s support team: If you receive an email or see a website that claims to be from Bitwarden but looks suspicious, you should contact Bitwarden’s support team at [email protected] and provide them with details of the phishing attempt, such as the sender’s email address, the link or URL of the fake website, and a screenshot of the email or website if possible. Bitwarden’s support team will verify the authenticity of the email or website and advise you on what to do next. They will also take measures to block or remove the phishing source and alert other users about it.
• Fill out Google’s report form: If you see a phishing ad or website that appears on Google’s search results or ads network, you should fill out this form and provide Google with information about the phishing source, such as the URL of the fake website, the search query that led you to it, and a screenshot of the ad or website if possible. Google will review your report and take action against the phishing source if it violates Google’s policies. Google will also update its Safe Browsing database to warn other users about the phishing source.
• Change your master password and 2FA settings: If you suspect that your Bitwarden account has been compromised by a phishing attack, you should change your master password and 2FA settings as soon as possible. You can do this by logging in to your vault and going to Settings > Change Master Password and Settings > Two-step Login. You should also check your vault for any unauthorized changes or additions and delete them if necessary. You should also scan your device for any malware that may have been installed by the phishing attack.

How to use Bitwarden securely and effectively?

Bitwarden is a powerful and versatile password manager that can help you create, store, and manage your passwords and other sensitive data securely and conveniently. However, to get the most out of Bitwarden, you need to use it properly and follow some best practices. Here are some tips to help you use Bitwarden securely and effectively:

• Choose a strong and unique master password: Your master password is the key to your vault and the only way you can unlock it. Therefore, you should choose a master password that is strong, unique, and memorable. A strong password should be at least 12 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols. A unique password should not be used for any other account or service. A memorable password should be something that you can remember without writing it down or storing it anywhere else. You can also use a passphrase, which is a sentence or a phrase that is easy to remember but hard to guess.
• Enable two-factor authentication: Two-factor authentication (2FA) adds an extra layer of security to your account by requiring a second factor, such as a code or a device, in addition to your master password when logging in to your vault. Bitwarden supports various 2FA methods, such as email verification, authenticator apps, Duo Security, YubiKey, and FIDO U2F-compliant USB security keys⁸. You should enable 2FA for your Bitwarden account and keep your 2FA recovery code in a safe place in case you lose access to your 2FA device.
• Use the password generator: Bitwarden has a built-in password generator that can help you create strong and unique passwords for your online accounts. You can access the password generator from the web vault, desktop app, browser extension, or mobile app. You can customize the length and type of characters for your passwords, as well as copy or save them to your vault. You should use the password generator whenever you create or change a password for an online account.
• Use the browser extension and mobile app: Bitwarden has a browser extension that can help you autofill your login credentials on websites and generate passwords on the fly. The browser extension works with Chrome, Firefox, Edge, Opera, Safari, Brave, Vivaldi, and Tor Browser. You should install the browser extension on your preferred browser and log in to your vault. Bitwarden also has a mobile app that can help you access your vault on your smartphone or tablet. The mobile app works with Android and iOS devices. You should install the mobile app on your device and log in to your vault. You can also enable biometric logins (such as fingerprint or face recognition) on compatible devices for faster and easier access⁹.
• Backup your vault: Bitwarden syncs your vault data across all your devices and platforms automatically whenever you make any changes. However, it is still a good idea to backup your vault data periodically in case something goes wrong or you lose access to your account. You can backup your vault data by exporting it to a CSV or JSON file from the web vault or desktop app. You should keep your backup file in a secure location, such as an encrypted USB drive or cloud storage service. You should also encrypt your backup file with a strong password that is different from your master password.

Summary

I hope this post helps you confirm that Bitwarden is the right choice for your password management needs. The tips provided here will enhance your online security while using Bitwarden. If you find this helpful, I’d be delighted. Feel free to leave any questions or feedback in the comments below. Thank you for reading!