Is my windows laptop compromised in any way?
<blockquote data-quote="Wrecker4923" data-source="post: 1121530" data-attributes="member: 110877"><p>Hello Nick3426,</p><p></p><p>I would like to comment on the Bitwarden (BW) penetration aspects. It's clear they gained access to your account, which usually requires the master password and 2FA. The machine you worked on with the mod seems to NOT have persistent malware or an info-stealer from the outset, but that doesn't mean there wasn't an info-stealer on it at some point. There are info-stealers that can infect a system, steal the necessary information, and then eventually disappear, possibly without a trace. Additionally, there are other devices on which you have used Bitwarden, both present and past; these should all be considered suspects.</p><p></p><p>They definitely need the password; there's no way around it. They can obtain it through 1) keylogging, 2) where you save it on the machine, such as in the browser's password manager or elsewhere on your device, or 3) phishing.</p><p></p><p>They must also have the 2FA, which in this case can be either access to your email or a 2FA token saved on your machine. If they lifted a Google session cookie from your device, they would presumably have access to all your emails without generating a login record (from another location) because they are simply reusing your access token without logging in. If you have checked "Remember me" in the past, the BW client may have saved a 2FA token on the machine, which can be stolen and used for login, again without generating a "New Device Logged In" email from Bitwarden, as the attacker's client would appear to be a familiar device due to all the tokens.</p><p></p><p>I would encourage you to do the following if you haven't done so already:</p><ol> <li data-xf-list-type="ol">Change your Google password and deauthorize all devices. 
Go through the Google account security checkup at <a href="https://myaccount.google.com/security-checkup" target="_blank">Account settings: Your browser is not supported.</a>, checking connected apps, forwarding rules, security events related to 2FA setups, passkeys, <strong>and resetting the 2FA recovery codes</strong>. You want to be absolutely sure that they no longer have access. Remember that if they had your session cookie, they might have been able to access your emails without generating a login event from another location. If they had the password, they might have been able to change many security settings (but presumably generating logs).</li> <li data-xf-list-type="ol">Change your Bitwarden master password and deauthorize all devices. Bitwarden now has a new screen in the web app that allows you to view all clients that have ever connected: <a href="https://vault.bitwarden.com/#/settings/security/device-management" target="_blank">Bitwarden Web vault</a>. However, this may not mean much if they were able to use the access tokens they might have stolen. <strong>You may also want to use the 2FA recovery code to log in to reset it (and not forgetting to grab a new one)</strong>. Consider using a different 2FA method (for example, a TOTP authenticator app) just in case the attacker somehow retains access to your email.</li> <li data-xf-list-type="ol">You need to treat this as a total breach because the attacker likely obtained the entire set of passwords from BW, and possibly more sensitive information from the system. You should reset all passwords and deauthorize all existing devices when such an option is available. For important accounts, also pay attention to 2FA and recovery codes, as you did with your Google and BW accounts. If you keep TOTP seeds in Bitwarden, those will need to be reset as well. 
Even if they don't use the information now, these compromised accounts may come back to haunt you later.</li> </ol><p>If you need more suggestions and tips, I encourage you to look at the BW community forum at <a href="https://community.bitwarden.com/" target="_blank">Bitwarden Community Forums</a>. There are people there who are familiar with BW and can provide helpful guidance. There is also a subreddit, but the comments there can often be fast and furious.</p><p></p><p>Good luck.</p></blockquote><p></p>