vaultwarden - I was hacked

[brao77]

I've been using this password manager for many years, and recently vaultwarden as a Docker container on a Synology NAS. Yesterday, something unpleasant happened. Yesterday, an unknown attacker took control of all my key services, crypto wallets, Gmail, ... within 30 minutes I acted, took vaultwarden offline.

Currently, the most likely attack vector is the breach of my vaultwarden vault and obtaining all my sensitive data. Otherwise, I can't imagine how the attacker could have accessed all my accounts and caused damage so quickly.

I would need some advice on what I can do to determine if my vault was entirely compromised. I had 2FA via a third-party application."

[stefan0xC]

Do you have a client that's authorized to login and saves your password and 2FA token?

Don't enter any information on an external site, they are likely phishing for personal information...

[BlackDex]

Yes, i deleted an other item already. And i reported this one just now.

[BlackDex]

If you were hacked via your Vault, then there should be a login attempt in your logs from an unknown IP either in your Vaultwarden logs or your reverse proxy logs.

But, if you have 2FA enabled, someone must have been able to extract that info from you too.

[tessus]

It would be great to be able to activate an audit log on the server. I remember something similar was added for orgs.

To start maybe a parameter like audit=login (a list like the feature flags to make it future proof) in which case, every login is logged in a table with timestamp, user, IP and also added to a text file.

One could even use something like gotify to send notifications when a login happens.

Going through the logs to get that info is of course also possible, I am just suggesting to have a more streamlined log for stuff like that. Just a thought.

[stefan0xC]

every login is logged in a table with timestamp, user, IP

That's already done if you enable ORG_EVENTS_ENABLED

vaultwarden/src/api/identity.rs

Lines 69 to 90 in c0be36a

	Ok(_) => {
	log_user_event(
	EventType::UserLoggedIn as i32,
	&user_id,
	client_header.device_type,
	&client_header.ip.ip,
	&mut conn,
	)
	.await;
	}
	Err(e) => {
	if let Some(ev) = e.get_event() {
	log_user_event(
	ev.event as i32,
	&user_id,
	client_header.device_type,
	&client_header.ip.ip,
	&mut conn,
	)
	.await
	}
	}

[tessus]

Even, if I don't use orgs, but just a personal vault? I am asking because the variable has specifically ORG in its name.

[stefan0xC]

Yeah. I think it won't be displayed anywhere if you are not part of an organization but the events would still be logged.

vaultwarden/src/api/core/events.rs

Lines 244 to 250 in c0be36a

	// Upstream saves the event also without any org_id.
	let mut event = Event::new(event_type, event_date);
	event.user_uuid = Some(user_id.clone());
	event.act_user_uuid = Some(user_id.clone());
	event.device_type = Some(device_type);
	event.ip_address = Some(ip.to_string());
	events.push(event);

[tessus]

btw, I checked the help message aagin:

## Controls whether event logging is enabled for organizations
## This setting applies to organizations.

So maybe it might make sense to make something available that has nothing to do with orgs. It's just an idea. But something like when I logged in, unlocked the vault (hmm, this might not be possible to log, but would be awesome if it was), synced, added/updated/deleted items, ... could be very useful.

Hmm, maybe using OpenTelemetry for that would be even better. In case logging is not yet stable, trace points and spans would be awesome as well.

[ilbarone87]

Quick question, I run several vaults under my vaultwarden instance (wife, sons, relatives) in case one of the vaults gets compromised how much the other vaults are in danger?

[BlackDex]

If you have stored those credentials in your vault then i would say high.

[stefan0xC]

Ideally none, unless it's your own or you share any passwords with everyone else. Then those should be considered compromised as well. (If someone is also owner of an Organization with Account Recovery policy or has Emergency Access contacts this would further complicate the situation.)

[ilbarone87]

Thanks. I have stored the passwords of the other vaults in my personal one. So unless the passwords for the other vaults are stored in a compromised one there is then no risk of lateral movement. Correct?

[kpfleming]

Vaultwarden is not able to decrypt the contents of any vault, it requires a client to provide the password to generate a key to decrypt the contents. Gaining access to the contents of one vault does not provide any access to other vaults unless, as you indicate, the compromised vault contains the passwords for the other vaults.