
Bitwarden

From Consumer Rights Wiki
Revision as of 08:09, 28 June 2026 by Galomi04 (added "|url-status=live")

Basic information
Founded: 2019-10-28
Legal structure: Private
Industry: Software
Also known as: Bitwarden, Inc.
Official website: https://bitwarden.com

Bitwarden is an American software company, incorporated in Delaware and with headquarters in Santa Barbara, California.[1][2] Its main product is the eponymous password manager.

Consumer-impact summary

In 2026, Bitwarden's longtime CEO and its CFO were replaced. The company made no official announcement of either change. Shortly after, the phrase "Always free", which had been on the company's product site for years, disappeared, sparking concern among some users. A Reddit user, reported to be a Bitwarden employee, stated in a comment that this had been a simple oversight. The comment was not well received by other users, many of whom expressed disbelief and distrust; some also said they would start looking for alternative password managers. In addition, the company's acronym GRIT, which had been used to describe its company culture for years, had been quietly changed. (See: Quiet changes (2026).)

From 2018 to 2023, the company was aware of a security vulnerability in its autofill feature, and had even documented it and assigned it an identifier, but chose to tolerate it because it wished to accommodate legitimate sites that relied on the behaviour (the risk was reported to be "very low"). In 2023, the company resolved the matter. (See: Autofill vulnerability (2018-2023).)

In April 2026, Bitwarden's CLI npm package was found to have included a "credential-stealing payload." Only users of this CLI package were affected. (See: Malicious @bitwarden/cli (NPM) package (2026).)

Incidents

Autofill vulnerability (2018-2023)

The autofill feature in Bitwarden's browser extension contained "risky-behavior" that could "allow malicious iframes embedded in trusted websites to steal people's credentials and send them to an attacker."[3] ("According to the Mozilla HTML documentation the <iframe> HTML element represents a nested browsing context, embedding another HTML page into the current one.")[4]

Reportedly, Bitwarden had been aware of this since 2018 (documented as BWN-01-001[4]), but tolerated it to "accommodate legitimate sites that use iframes." Although the feature was disabled by default, there were still sites on which this could be exploited. With autofill enabled, Bitwarden's web extension filled in credentials automatically when a page loaded, without the user having to intervene.[3]

'While the embedded iframe does not have access to any content in the parent page, it can wait for input to the login form and forward the entered credentials to a remote server without further user interaction,' explains Flashpoint.[3]

Reportedly, the "number of risky cases was very low." While investigating this, it was also discovered that autofill filled in credentials "on subdomains of the base domain matching a login. This means an attacker hosting a phishing page under a subdomain that matches a stored login for a given base domain will capture the credentials upon the victim visiting the page if autofill is enabled."[3] In 2023, it was reported that Bitwarden

decided to address user concerns by eliminating the iframe attack vector while keeping the autofill functionality intact.[3]
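The two weaknesses described above (filling into embedded iframes, and matching any subdomain of a stored login's base domain) come down to the policy the extension applies before filling. The following is an added illustration, not Bitwarden's own code: a lenient matcher that reproduces the described behaviour beside a hardened one that refuses cross-origin frames and subdomain matches. The "base domain" helper is an assumption that takes the last two labels of the hostname; a real extension would use the Public Suffix List.

```javascript
// Added example; not Bitwarden's implementation. Frames are described by plain
// URL strings: the stored login URI, the top-level page URL and the URL of the
// frame that contains the login form.

// Assumed helper: treat the last two labels as the "base domain".
// (Real-world matching needs the Public Suffix List for names like co.uk.)
function baseDomain(hostname) {
  const labels = hostname.split(".");
  return labels.slice(-2).join(".");
}

// Lenient policy, as described in the article: fill whenever the frame's base
// domain equals the stored login's base domain. Any subdomain qualifies, and
// the top-level page is never consulted, so an iframe from another host that
// merely shares the base domain is filled too.
function shouldAutofillLenient(storedUri, topUrl, frameUrl) {
  const stored = new URL(storedUri);
  const frame = new URL(frameUrl);
  return baseDomain(stored.hostname) === baseDomain(frame.hostname);
}

// Hardened policy: the frame must share the top-level page's origin (so an
// embedded cross-origin iframe is never filled), must be served over HTTPS,
// and must match the stored login's host exactly (no subdomain matching).
function shouldAutofillStrict(storedUri, topUrl, frameUrl) {
  const stored = new URL(storedUri);
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);
  if (frame.origin !== top.origin) return false; // cross-origin iframe
  if (frame.protocol !== "https:") return false; // no fill over plain HTTP
  return frame.hostname === stored.hostname;     // exact host, not base domain
}

// Constructed scenarios (hostnames are placeholders, not real sites).
const SCENARIOS = {
  sameSite:  ["https://bank.example/login", "https://bank.example/login", "https://bank.example/login"],
  iframe:    ["https://bank.example/login", "https://bank.example/login", "https://ads.bank.example/widget"],
  subdomain: ["https://bank.example/login", "https://other.bank.example/", "https://other.bank.example/"],
};

// Returns { name: [lenientDecision, strictDecision] } for every scenario.
function evaluateScenarios(scenarios = SCENARIOS) {
  const out = {};
  for (const [name, args] of Object.entries(scenarios)) {
    out[name] = [shouldAutofillLenient(...args), shouldAutofillStrict(...args)];
  }
  return out;
}
```

Only the same-site case is filled by both policies; the embedded-iframe and subdomain cases are filled by the lenient matcher and refused by the strict one.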

Malicious @bitwarden/cli (NPM) package (2026)

In April 2026, it was revealed that Bitwarden's CLI package, distributed via npm, included a "credential-stealing payload." Reportedly, only users of the CLI package were affected, not Bitwarden users in general.[5] The package also reportedly contained the string "Shai-Hulud: The Third Coming", "Shai-Hulud" referring to a computer worm.[6] It was also reported that:

OX Security has observed real user information leaked by the malware. The infection is likely to spread further across NPM and GitHub as more machines are compromised over time.

The malware’s origin is potentially Russian — it does not execute if the Russian language is configured on the host machine.[7]

Quiet changes (2026)

Always free

The longtime CEO, Michael Crandell, has been in an "advisory role" since February. In addition, Bitwarden's CFO was replaced in April. There was no official announcement of either change. Bitwarden's free plan on its product page included the phrases "Free Forever" and "Always free."[8] These phrases are present even in the Wayback Machine's oldest archive (2022-06-25) of Bitwarden's product site.[9]

"Always free" reportedly disappeared from the site in April.[8] The archives from April, (I) and (II), reveal that the phrase disappeared sometime between 2026-04-14 (left on image I) and 2026-04-18 (bottom on image II). The archives from May, (III) and (IV), reveal that it came back sometime between 2026-05-15 (bottom left on image III) and 2026-05-19 (bottom left on image IV).[10][11][12][13] A Reddit user by the name of "Ryan_BW", reportedly a Bitwarden employee,[8] made a post addressing the issue on 2026-05-15, stating that:

I would like to share that "always free" has been brought back to the pricing page. There was no specific intention to remove that language from the website while pages were being updated. Simply an oversight on the marketing team (myself included).

The comment was met with several negative replies from other Redditors.[14]

GRIT

Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.

In the Wayback Machine's archive from 2026-03-14, the four values were still unchanged on Bitwarden's blog.[15]

At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.[8] The original blog post was also updated, so that it now includes the new version of the acronym.[8][16]

Products

  • Bitwarden password manager
  • Passwordless.dev
  • Bitwarden Secrets Manager

References

  1. "Division of Corporations". icis.corp.delaware.gov. File Number: 7654941.
  2. "Business Search". bizfileonline.sos.ca.gov. BITWARDEN INC. (4612828).
  3. Toulas, Bill (2023-03-08). "Bitwarden flaw can let hackers steal passwords using iframes". bleepingcomputer.com. Archived from the original on 2026-05-15. Retrieved 2026-06-28.
  4. Flashpoint Intel Team (2023-03-07). "Bitwarden: The Curious (Use-)Case of Password Pilfering". flashpoint.io. Archived from the original on 2026-05-16. Retrieved 2026-06-28.
  5. Winder, Davey (2026-04-24). "Bitwarden Confirms Compromise—Here Are The Facts". forbes.com. Archived from the original on 2026-06-27.
  6. Moore, Justin (2025-11-25). ""Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack". unit42.paloaltonetworks.com. Archived from the original on 2026-06-27.
  7. Siman Tov Bustan; Zadok (2026-04-23). "Shai-Hulud: The Third Coming — Bitwarden CLI Backdoored in Latest Supply Chain Campaign". ox.security. Archived from the original on 2026-06-27.
  8. Rudra, Souray (2026-05-19). "Things Are Quietly Changing at Bitwarden, and People Are Worried". itsfoss.com. Archived from the original on 2026-06-27.
  9. "The Bitwarden Password Manager". bitwarden.com. Archived from the original on 2022-06-25.
  10. "Best Free & Premium Password Manager". bitwarden.com. Archived from the original on 2026-04-14.
  11. "Best Free & Premium Password Manager". bitwarden.com. Archived from the original on 2026-04-18.
  12. "Best Free & Premium Password Manager". bitwarden.com. Archived from the original on 2026-05-15.
  13. "Best Free & Premium Password Manager". bitwarden.com. Archived from the original on 2026-05-19.
  14. Ryan_BW (2026-05-15). "Ryan_BW comments on FastCompany: intriguing corporate gossip about Bitwarden". reddit.com. Archived from the original on 2026-06-27.
  15. Crandell, Michael. "Defining and sustaining value for Bitwarden users". bitwarden.com. Archived from the original on 2026-03-14.
  16. Crandell, Michael (2022-06-08). "Defining and sustaining value for Bitwarden users". bitwarden.com. Archived from the original on 2026-06-27.