The Hidden Threat: Bitwarden Password Manager Targeted by Phishing Scams

Jan 30, 2023
Updated • Feb 1, 2023

Scammers are targeting users of cloud-based password managers, including Bitwarden, with phishing attacks. And the mode of attack was malicious ads.

Users have reported that they have seen fake advertisements for Bitwarden on Google, the links in the ads were however not related to the password manager's websites. The above image is from a reddit user who posted it a couple of days ago. This particular website closely resembles Bitwarden's login page. Now what would happen if a user entered their username and the master password that unlocks their vault, and the scammers get hold of that information. The attackers could try using the obtained credentials and login to the accounts on Bitwarden's servers, to steal the contents of the password vault. But these phishing campaigns are actually a little more sophisticated, hackers often steal authentication tokens too.

Here's a look at the malicious ad (h/t reddit), shockingly these malicious pages were placed at the top of the search results, above the legitimate URL itself. Do you see what happens when you don't use an ad blocker? uBlock Origin is my recommendation, feel free to check AdGuard or something else that fits your bill, just make sure it's a reputable extension/app, do your homework.


Another Bitwarden user created a thread on the company's support portal, to alert others about the website that was trying to impersonate the official website's login page. It is quite alarmingly similar, isn't it? Everything from the fonts, icons, and other elements on the phishing site looks identical to the original login page.

BleepingComputer says it ran some tests by entering some credentials on the site, but once it accepted them, the malicious web page redirected users to the official Bitwarden site. The writer states that they were unable to test the phishing page with real login information, or authentication tokens, as the site was taken down by then.

I suppose users might still be safe if they have 2-factor authentication enabled for their accounts, but still, this is pretty scary. It emphasizes the need to check the URLs with a close eye. If you want to access your web vault, you can use the Bitwarden Desktop app's Help > Go to vault option to access the correct web page, which is You may want to save that to your browser's bookmarks. Users of the Bitwarden browser extension for Firefox and Chrome can access the page by clicking the add-on's icon > Settings > Bitwarden web vault. Make sure you use a strong and unique master password, enable two-factor authentication (2-step verification) on your account, and pay attention to the web page that you are on before providing your username and password to it.

Malvertising and phishing attacks could happen to any cloud-based password manager or any cloud service for that matter, Bitwarden users aren't the only ones who have been targeted by these, MalwareHunter reports that a similar phishing campaign was used to lure and trick 1Password users, also using malicious ads on Google. This is a serious problem. Recently, Norton Password Manager users were victims of a password stuffing attack. The biggest password manager breach in recent times (biggest in history?), was of course the LastPass incident, which resulted in hackers gaining access to cloud servers that contained the password vaults of the company's users.

I'm never going to stop recommending KeePass to people who are afraid of cloud services. KeePass is free, open-source, works offline, supports physical security tokens, has excellent forks and ports for iOS, Android, Linux, macOS and Windows. What's not to like about it? Even if you do use cloud-based services, you should consider exporting a copy of your password vault and import it to KeePass. This way, even if the cloud-app suffers an outage, you won't be locked out of your accounts.

Article Name
Bitwarden Password Manager users are being targeted by phishing ads on Google
Scammers are using phishing campaigns to target users of Bitwarden Password Manager, via Google search ads.
Ghacks Technology News

Previous Post: «
Next Post: «


  1. Rex said on February 1, 2023 at 10:03 am

    Phishing scams are the Darwin awards of the internet. Those who are so utterly clueless even today about clicking on shady emails, not using a freaking adblocker and lastly, not even bothering to check the name of the website they’re going to (appbitwarden dot com vs Really?) totally deserve to get hacked and lose their data.
    The public internet will have its 30th anniversary today. To remain so ignorant about online scams that date to the early 00s is like a licensed car driver who doesn’t know the difference between the brake and the accelerator pedal and claims that it is ‘too technical’ to learn.

    1. Tom Hawack said on February 1, 2023 at 10:35 am

      The gullibility of some people is incomparable, indeed. I wouldn’t say that they ” totally deserve to get hacked and lose their data.” because gullibility is not a sin. It remains a pity that being hacked for such reasons is the only way for some to learn their lessons, those of being aware. Not to mention the impact on all : like drugs, no demand, no offer. Because in a certain way not being aware is a demand for troubles.

      1. Rex said on February 3, 2023 at 5:11 am

        There needs to be a ‘how to be safe on the internet 101’ updated course for these people, before they ever start using the net.

  2. Anonymous said on January 30, 2023 at 9:24 pm

    @Ashwin. The term is not “Bitwarden Password Manager Targeted by Phishing Scams”. The target is not Bitwarden but aspiring users.

  3. anonymous said on January 30, 2023 at 5:32 pm

    > Even if you do use cloud-based services, you should consider exporting a copy of your password vault and import it to KeePass. This way, even if the cloud-app suffers an outage, you won’t be locked out of your accounts.

    Bitwarden stores an encrypted copy of your vault on all clients, just like Keepass.

    If the cloud-app suffers an outage, the only thing that breaks is sync between devices. Bitwarden works as well as Keepass does during any outage.

    1. Disorganise said on January 30, 2023 at 10:08 pm

      TBF the article is talking about Web page access rather than extension/desktop app, so vault wouldn’t be cached.
      OTOH keepass *requires* the desktop app so a fair comparison would be to the bitwarden desktop app, in which case, quite right.

  4. Micah said on January 30, 2023 at 3:44 pm

    I’ve been noticing many different sites being advertised such as my bank and best buy even that when clicked through look almost identical to the site just in the last month. These phishing scams are getting ridiculously common.

  5. Jeffrey said on January 30, 2023 at 1:11 pm

    Just enable 2 factor Authentication and you will be fine

  6. Anonymous said on January 30, 2023 at 7:46 am

    Yeah Anon, I was about to say, easiest way to defeat is to either use extensions and desktop app, no need to look for or remember url once set or you can memorize the domain name which is kind of simple, only danger there is I suppose, mistyping, in which case, make a bookmark

  7. Anon said on January 30, 2023 at 4:52 am

    Here’s a very easy way to prevent this, use the extensions and desktop apps only

  8. zircon said on January 30, 2023 at 1:40 am

    +1 for KeePass.

    However, I do recommend Bitwarden for non-techies that want a cloud-based solution. The attack here is easily mitigated if they’re using an adblocker (ideally, at the VPN level), which is always my first recommendation.

    1. Ryba said on January 30, 2023 at 3:15 pm

      Used keepassx for almost 15 years. Switched to bitwarden because concurrency with keepassx is not a thing really. So many times my wife and I making changes to the same shared vault or doing things at the same time causes issues.

      If you’re single keepassx with Dropbox or next cloud sync is the best. If you have a family and need to share info bitwarden or 1password are the best I have found with the latter being completely crappy experience on android devices. So self hosted bitwarden is absolutely better than keepassx I’d you have any kind of sharing going about.

      1. Disorganise said on January 30, 2023 at 10:18 pm

        Same. Very long time keepass with owncloud/nextcloud user but am now creating a self hosted vaultwarden for sharing those utility accounts with my wife since utilities still only allow one login, and sharing with keepass is not that easy, which makes changing utility providers more difficult.
        I’m finding the bitwarden browser extension is allowed at work too, whilst keepassxc is not.

  9. Anonymous said on January 29, 2023 at 5:35 pm

    all my accounts are 2FA hw key protected so no fear at all to use a cloud pwd manager. that sai Bitwarden is my preferred choice.


    1. Anonymous said on January 30, 2023 at 8:46 am

      The only thing I hate about Bitwarden is their use of CloudFlare for online vault. That makes it impossible to check the website validity by examining the certificate.

      1. omnichad said on January 30, 2023 at 2:50 pm

        They do have a self hosted option

  10. ard said on January 29, 2023 at 5:30 am

    Longtime I have some fear to use cloud based apps, most likely also pw managers; not for nothing it seems now.
    I am using KeepassXC and are happy with it.

  11. Anonymous said on January 29, 2023 at 12:08 am

    phishing campaign that buy google ads
    just like all sponsored post in meta cannot be trusted

    1. El Gonzorito said on January 29, 2023 at 7:27 am

      There getting into people’s Google accounts to create Ads, it recently happened to me about 7 days ago.

  12. Igor said on January 28, 2023 at 11:51 pm

    :What’s not to like about it?”

    It store passwords in an encrypted file (vault). This file can be hacked, stolen, broken, confiscated, damaged, etc.

    The better alternative is to use generated on demand passwords, which are not stored in any place.

    1. Shoop said on January 31, 2023 at 2:13 pm

      Second reply:

      I did a bit of reading about dynamic passwords and came across This seems like a much more workable solution. However, it still has a lot of usability problems. In its pure form (no profiles, no syncing) you have to give the tool the correct master password as well as the correct website you’re logging in at, and spell out any special restrictions that the website might have for passwords (I would never want to memorize these and they aren’t made clear when trying to log in.) Not to mention you can’t change your master password without invalidating every password you’ve generated with the site (though I suppose you don’t really need to change it if it’s unique since you aren’t ever transmitting or storing it anywhere).

      A cool idea but still inferior in usability to a simple synced vault.

    2. Shoop said on January 30, 2023 at 1:49 pm

      If I’m reading this guide correctly, you have two lists of passwords that you Frankenstein together to generate “stateless” passwords for all your services? Instead of remembering the password I have to remember the countless procedures that I used to generate the passwords for my scores of online services…and each time I need to input those passwords I need to have both of those initial lists handy? That might be the least practical password solution I’ve heard of. I can’t think of a single person I know who would be willing to do that, certainly not myself.

      An encrypted file vault with one strong password that you have to remember is way, WAY better. It can’t be hacked like you’re suggesting as long as your password is decent, and all of the scenarios you listed are practically impossible or not concerns. We could argue whether it should be hosted on a cloud based service or not but the vault itself is certainly a better solution than dynamic passwords.

  13. Anonymous said on January 28, 2023 at 9:35 pm

    KeePass and sync the database with your own services all you really need. None of this Bitwarden, lastpass nonsense.

    1. Ben said on January 30, 2023 at 7:03 pm

      What about Bitwarden is inherently insecure, pray tell?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.