Right now, as I’m writing this, Bitwarden is still under a mass attack.
Many users (including me) are stuck in a weird deadlock state where logging into the vault is close to impossible.
This made me stop and think:
What if my cloud vault is offline — can I still access my passwords?
Do I actually have a paper or hard-drive backup somewhere that I can read?
Luckily, I did. I found my 2FA recovery code (yep, printed on paper).
But then another thought hit me: What if I was travelling without that backup?
This whole situation is a big Business Continuity reminder. Yesterday I simply wanted to book flights for my holiday — and suddenly nothing worked anymore.
The Inbox Flood
Instead of logging in, my email exploded with messages like:
“Failed two-step login attempt detected.”
(Imagine 90+ emails of that… and counting.)
Someone was actively brute-forcing my 2FA code.
That means they had already figured out my Master Password.
And here’s the scary part:
My vault contains 702 unique credentials (I know, insane).
The only thing standing between me and total compromise was a six-digit number.
Something like 235-654. Just guessed at the right moment.
But Wait – Isn’t 2FA Safe?
In theory, yes. In practice, not so much.
If you think about it:
A six-digit code has ~1,000,000 combinations.
So why would anyone brute force it? That sounds impossible, right?
2FA codes are often accepted for longer than the app's countdown suggests.
Codes overlap, meaning several codes are valid at the same time.
For each valid code you usually get several attempts, so every guess has a better than one-in-a-million chance.
Do the math, and suddenly brute-forcing isn’t “impossible” — it’s just a matter of hours or days, depending on code length and type (numeric only vs. alphanumeric).
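To make that math concrete, here is an added example (my own illustration, not Bitwarden's code or anything from their service) of a standard RFC 6238 TOTP implementation with the skew tolerance that causes codes to overlap, plus a back-of-the-envelope estimate of how long guessing takes with and without rate limiting. It assumes a 30-second time step, HMAC-SHA1, a ±1 step acceptance window, and the rate figures in the code are constructed for illustration; the time-to-success model is an approximation (each guess treated as an independent draw against the currently accepted codes).

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # assumed TOTP time step (RFC 6238 default)
DIGITS = 6          # six-digit codes, as in the post


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def accepted_codes(secret: bytes, unix_time: int, skew_steps: int = 1) -> set:
    """All codes a server with +/- skew_steps tolerance accepts at this instant.
    With skew_steps=1 that is three codes at once: this is the 'overlap'."""
    return {
        totp(secret, unix_time + delta * STEP_SECONDS)
        for delta in range(-skew_steps, skew_steps + 1)
    }


def verify(secret: bytes, candidate: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Constant-time comparison against every code in the acceptance window."""
    return any(
        hmac.compare_digest(code, candidate)
        for code in accepted_codes(secret, unix_time, skew_steps)
    )


def expected_guesses(digits: int = DIGITS, skew_steps: int = 1) -> float:
    """Approximate number of guesses until the first hit: a guess succeeds with
    probability (accepted codes / code space), so the expectation is the inverse."""
    window = 2 * skew_steps + 1
    return (10 ** digits) / window


def expected_hours(attempts_per_hour: float, digits: int = DIGITS, skew_steps: int = 1) -> float:
    """Expected wall-clock time to a successful guess at a given attempt rate."""
    return expected_guesses(digits, skew_steps) / attempts_per_hour


def lockout_rate_per_hour(attempts_before_lockout: int, lockout_minutes: float) -> float:
    """Attempts per hour an attacker gets when the server locks the account for
    lockout_minutes after attempts_before_lockout failures (the defender's lever)."""
    return attempts_before_lockout * 60.0 / lockout_minutes


if __name__ == "__main__":
    # Constructed secret; never reuse a real one in a demo.
    secret = b"12345678901234567890"
    now = int(time.time())
    print("codes accepted right now:", sorted(accepted_codes(secret, now)))
    # Constructed rates: unthrottled ~10 guesses/s vs. 5 tries then a 15-minute lockout.
    print(f"unthrottled: {expected_hours(36000):.1f} hours")
    print(f"rate-limited: {expected_hours(lockout_rate_per_hour(5, 15)) / 24:.0f} days")
```

The RFC 6238 test vectors apply to the `totp` function (e.g. the secret `12345678901234567890` at Unix time 59 yields `287082` for six digits), so the implementation can be checked against the standard rather than trusted. The takeaway for a defender is in the last two lines: the code space never changes, but a lockout after a handful of failures turns hours into years, which is exactly why the service's rate limiting is both the protection and, in the author's case, the cause of the deadlock.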
My Next Steps
As soon as I realised what was happening, I acted fast:
Found my recovery code.
Logged into my vault.
Changed my Master Password.
Deauthorised all existing devices.
Great, right? Problem solved.
Not really.
Because the attack was still ongoing, I hit rate limits.
Bitwarden basically locked me out of my own account — even 24 hours later.
I was in a deadlock: attacker keeps hammering, I can’t log in either.
Lessons Learned
This incident left me with some big takeaways:
Can you access your backup if your vault is down?
Do you have a printed backup?
Is your 2FA method (App, SMS, Hardware Key) strong enough?
Is your password in any breach? (check it!)
And the hardest question: Is an online vault secure enough for your use case?
👉 For me, this was a wake-up call.
Yes, 2FA saved me this time — but the whole situation showed just how fragile relying 100% on a cloud vault can be.