Pro CISO’s Threat Intelligence service identifies collections of Bitwarden password manager credentials on the Darkweb

On July 2nd 2023, while performing routine analysis for its customers, Pro CISO Threat Intelligence experts identified collections of files containing entire Bitwarden vaults, presenting customer credentials in clear text.


Following the responsible disclosure practice, Pro CISO immediately notified Bitwarden through the HackerOne platform, receiving a prompt response to verify the incident.

After some analysis Bitwarden acknowledged the incident to be actual, attributing the leak of information to be caused through local compromise of the end user, possibly via Stealer malware.

When contacted, Kyle Spearrin the CTO of Bitwarden confirmed that there was no compromise of the Bitwarden product or service.

By August 2nd Bitwarden had informed all its approximately 2000 impacted customers and enabled 2FA to those accounts that didn’t have it configured.

Pro CISO has been highlighting the risk of user compromise deriving from Stealer malware and malicious Browser extensions, suggesting users to be very cautious when downloading software from non-reputable websites.

Additionally, bad actors are riding the "AI hype" initiated by ChatGPT, advertising browser extensions that allegedly allow effortless access to AI features directly in the browser. Many of these actually contain malicious stealer malware that will capture all the information present in clear text in the browser, just the way the user himself sees it.

Pro CISO recommends individuals to be very cautious when installing software from sources with a low or unknown reputation (free software websites, hacking tools, etc) and suggests organizations to implement security awareness campaigns to inform their employees of the mentioned risks.

Contact us to know more how our managed Threat Intelligence Services can identify threats to your organization and report the presence of leaked credentials or confidential information in the Darkweb.