Bitwarden's web vault suffers an outage; apps and extensions are safe and unaffected

Ashwin
Feb 9, 2023
Updated • Feb 9, 2023
Security

Bitwarden's web vault suffered an outage today. The issue affected all users of the web service, though the password manager's apps and extensions were unaffected and are completely safe.

Bitwarden's web vault goes down due to server issues

I came across a few complaints from users that they were unable to access Bitwarden on the web, but I thought it was just downtime caused by some routine maintenance on the server. But a screenshot posted by another user got me curious, and when I tried to open the web vault, it gave me an error too. The above image is from my computer, and you can see that I was logged into the web extension, which obviously is accessed via the same browser and IP address. What gives?

This should not be a big issue for most people, since Bitwarden's apps and extensions were working fine. You would rarely need to rely on the web vault, for example to change your account settings, password, etc. But when a cloud-based password manager goes offline, even if it is a partial outage, it is only natural that users get a little bit concerned about it. Who could blame them for panicking given the recent LastPass data breach and Norton Password Manager brute force attacks?

It's also worth noting that scammers were (possibly still are) targeting Bitwarden users (and 1Password users) via phishing campaigns in subtly-placed ads on Google's search results. These attacks directed users to web pages that were in fact meticulously designed clones of Bitwarden's web vault, only these were malicious in nature and stole the username and password given by the users.

This is actually what threw me off. The URL of the web vault that I accessed was correct, i.e., https://vault.bitwarden.com/. But the error that was displayed said, "Sorry, you have been blocked. You are unable to access web-vault.pages.dev".

This was quite confusing. A discussion at the Bitwarden community forums indicates that this issue actually began 2 days ago (February 7th, 2023). One of the developers had cleared the air by stating that there was an issue with the service, and that the Cloudflare URL that is used by Bitwarden was visible to users during the outage. Well, clearly the issue has resurfaced, as I ran into it today. Cloudflare's status page says some servers are being rerouted, but I'm not sure if the two issues are related.

You may track the status of the web vault's outage at this page on Bitwarden's site. The updates logged on the page say that the company has been investigating the issue, and worked with its upstream provider to resolve it. Another message posted at the issue tracker says that Bitwarden has applied a fix, and is monitoring the components. A recent update published about half an hour ago on the status page states that the service is experiencing intermittent issues again, and that the company is working on fixing the problem.

I tried accessing the vault again, and it didn't load the first time, but when I refreshed the web page's cache with Ctrl + F5, it worked. I can confirm that I am able to access the web vault at the time of writing this article. Maybe you could try the same to view your vault?

One user claimed that they had received alerts about multiple login attempts on their account, and that they were unable to sign in when they had tried to, wondering if the service had been hacked.

Publisher
Ghacks Technology News

Comments

  1. SCmCsyF said on February 11, 2023 at 9:52 am

    From a different article: https://www.ghacks.net/2023/02/01/keepass-password-manager-vulnerability-what-you-need-to-know/ “Option 2: Switching to KeePassXC or another fork
    KeePassXC does not support triggers. It loads KeePass database files and may be used instead of KeePass. Other KeePass forks may also be used.”

    KeepassXC was never vulnerable to begin with; in the same article you refer to it says the problem was resolved.

    You’re right, it goes without saying all software is vulnerable, some have more problems than others. Using a local client resolves the problem of online connectivity, if the servers are down people cannot use it. That’s why we’re recommending KeePass and its forks.

    1. Anonymous said on February 12, 2023 at 2:55 pm

      And a local client server is not without its own outages and issues. You just need to know if and when it occurs if you have the time and knowledge to resolve.

      Also, the Bitwarden vault system has the ability to be set up locally.

  2. Anonymous said on February 9, 2023 at 10:42 pm

    Keepass is all you need. Sync it with your own provider or NAS.

    1. Jason said on February 10, 2023 at 6:50 pm

      For all of you praising Keepass and KeePassXC:

      https://www.ghacks.net/2023/02/10/keepass-2-53-1-password-manager-resolves-vulnerability-controversy/

      Just remember that no software or service is without its share of issues.

  3. SCmCsyF said on February 9, 2023 at 7:59 pm

    If I was using BitWarden I’d either use the extension or the local client. The web vault would be a nice feature but I wouldn’t use it as the main way to access my passwords. Do people actually use it to login to sites?

    Yet another vote to KeePassXC!

  4. Anonymous said on February 9, 2023 at 5:56 pm

    @Ashwin. Think about your wording before you write.

    If I was searching for an online password service I might be targeted but I already use Bitwarden so how are the scammers targeting me?

    1. Jason said on February 10, 2023 at 6:46 pm

      The scammers are setting up fake login pages for existing Bitwarden users. Phishing is much more effective for services you already use because you’re more likely to have your guard down.

      The fake login pages are prompting Bitwarden users for their master password so they have access to all of your passwords.

      There would be no point in setting up a fake login page for a service you’re not using. The information they gather has no value in that case.

  5. KeepassXC said on February 9, 2023 at 4:22 pm

    KeepassXC is the best!

  6. beergas said on February 9, 2023 at 2:26 pm

    Recent History | 100% Uptime
    Web Vault Access | Feb 8, 2023 4:03 PM–Feb 9, 2023 2:59 AM EST | Cloud Services / Web Vault
    Degraded Service | Feb 8, 2023 7:39 PM–8:46 PM EST | Cloud Services / Web Vault

  7. beergas said on February 9, 2023 at 2:14 pm

    Web Vault Access
    Resolved
    About 5 hours ago
    The root cause has been identified and we are working with our upstream provider to implement a permanent fix.
    Can’t login vault from homepage. Just pops up a box wanting my password, as if I’m new and need/want to create an account. Tested a known site that I set to use Bitwarden. Failed wouldn’t take my fingerprint & unlocked vault with 4#s and clicked result failed the pushed saved data to site. Pain in rump. This is ET time 8:15am

  8. Yash said on February 9, 2023 at 10:17 am

    Here I come Keepass!

    1. Yuliya said on February 9, 2023 at 1:56 pm

      Relationship with botnet X ended.
      Botnet Y is now my new friend!

      1. Anonymous said on February 9, 2023 at 2:07 pm

        Keepass is a local, offline password manager. How is it a part of a botnet?

      2. Yuliya said on February 9, 2023 at 3:15 pm

        Clearly I need more coffee. Or bigger fonts. I have misread that for Lastpass, sorry.
