data loss. user disappeared. #652

Closed
opened 2025-10-09 16:43:51 +03:00 by OVERLORD · 10 comments

Originally created by @bbrendon on GitHub.

I'm reporting this because, well, it seems a bit important. There were 10 users, now 9. /admin lists old disabled users, but not the user that has vanished.

Version : 1.29.2

From what the user said:

> Gotcha, I tried updating a password in Bitwarden since I changed a password, got an error "invalid refresh token" and I thought maybe my bitwarden wasn't synced so I manually synced it again and the timestamp changed to today which meant that it was synced up. Tried to update password again got the same "invalid refresh token". I said ok, let me try relogging back into Bitwarden, attempted a login and it kept failing. Asked it for a password hint and got no email back, usually it's supposed to email u back even if you don't have one. And then I let you know that I can't get in.

I realized now I can't find an audit log. I'm going to see if something like that exists.

I'm using sqlite.

Things I've done:

  • checked the normal GUI
  • checked /admin.
  • Looked through docker compose logs. I can't find anything interesting.
  • Restarted vaultwarden. User still missing.
  • Made a backup of the current broken state. - 2023-11-09_111401
  • Saved output of dc logs for future reference.
  • Created github issue.

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.29.2
  • Web-vault version: v2023.7.1
  • OS/Arch: linux/x86_64
  • Running within Docker: true (Base: Debian)
  • Environment settings overridden: true
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Database type: SQLite
  • Database version: 3.41.2
  • Clients used: 5 active users. 10 total
  • Reverse proxy and version: nginx + LE
  • Other relevant information:

Config (Generated via diagnostics page)


Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, ADMIN_TOKEN, SMTP_HOST, SMTP_PORT, SMTP_FROM

{
  "_duo_akey": "***",
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://****************",
  "domain_origin": "*****://****************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": "api- .duosecurity.com",
  "duo_ikey": " ",
  "duo_skey": "***",
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "xxxx",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "push_enabled": false,
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": false,
  "smtp_from": "*************************",
  "smtp_from_name": "xx",
  "smtp_host": "*********",
  "smtp_password": null,
  "smtp_port": 25,
  "smtp_security": "off",
  "smtp_ssl": false,
  "smtp_timeout": 15,
  "smtp_username": null,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": true,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

@BlackDex commented on GitHub:

@sammyke007 then the platform you use to run containers is not very robust. Or you need to verify how to update the containers using that platform. But that is not normal. Also, you didn't lose it, there was just a different volume created. The OP mentions a single user has disappeared, which is also strange, but not comparable.


@bbrendon commented on GitHub:

I haven't had time to look at it. This week for sure I'm going to look at it.

On Sun, Nov 12, 2023 at 12:17 PM Mathijs van Veluw <***@***.***> wrote:

> @bbrendon https://github.com/bbrendon did you get any more insights into what it could have been?
> Something from the logs of Vaultwarden, or the reverse proxy logs maybe?



@BlackDex commented on GitHub:

Users can't disappear by themselves. So either someone deleted the user, the user did it themselves via https://bitwarden.com/help/account-recovery/ , or there is something wrong with the database, like a corrupt database or something. If it is a corruption, then there probably still is some evidence in the database of the user's UUID or something else, if not, then it would have been a clean deletion and action done by someone.

Check the logs for delete, remove or purge, I think those are the main names for functions we used for these kinds of actions.


@BlackDex commented on GitHub:

@bbrendon did you get any more insights into what it could have been?
Something from the logs of Vaultwarden, or the reverse proxy logs maybe?


@sammyke007 commented on GitHub:

Just FYI:
The last 2 updates I've done, I had lost all of my data.
Somehow after updating the container images, a new /v1/vw-data/ folder is created instead of /vw-data/ with a new database (thus losing your users).

My solution was copying over /vw-data/ to /v1/vw-data/


@BlackDex commented on GitHub:

> I am a Bitwarden/Vaultwarden user in a company. I use the system more or less every weekday - and used it Friday last week (= 3 days ago). This morning all my data is gone. Both the elements shared with me by the company AND my own data. Does this sound like it has something to do with the update discussed in this thread? If yes, then what can I do /or tell the administrator to do?

No it doesn't. Data is not deleted or removed during any upgrade.
Data can be deleted by an admin, or via a recovery action executed by a user itself, or purged or anything, but not just one single user out of two or more.

It could be a database is corrupted in some way, which could make the data inaccessible for example.

The admin should check the logs for any delete or purge or remove action in the logs. And also check the integrity of the database.

And, the backups of course.


@BlackDex commented on GitHub:

> Regarding the database.
>
> In the database where the user vanished:
>
>   • The user is not in the user table
>   • The user's UUID (c0630375-187d-49b0-a6b2-06ce01afedc9) (obtained from a very old backup) doesn't exist in the ciphers table
>
> So I'm guessing it's not DB corruption.

If that is the case, then the user is deleted by someone, not by an upgrade, not by a database corruption or something.
Also since other user(s) still work and just a single user is deleted.


@bbrendon commented on GitHub:

Regarding the database.

In the database where the user vanished:

  • The user is not in the user table
  • The user's UUID (c0630375-187d-49b0-a6b2-06ce01afedc9) (obtained from a very old backup) doesn't exist in the ciphers table

So I'm guessing it's not DB corruption.
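
The database check discussed in this comment and in @BlackDex's reply (integrity first, then a search for any leftover trace of the user's UUID), as an added example that is not part of the thread or of Vaultwarden's code. It generalises the two tables checked above to every table and column; the `users`/`uuid` names, the demo schema and the UUIDs are assumptions constructed for the example.

```python
import sqlite3

# Constructed UUIDs for the demo; not taken from any real database.
DEMO_UUID = "00000000-0000-4000-8000-000000000001"
OTHER_UUID = "00000000-0000-4000-8000-000000000002"


def quote_ident(name):
    """Quote a table or column name so it can be interpolated safely."""
    return '"' + name.replace('"', '""') + '"'


def integrity_ok(conn):
    """True only when SQLite's own integrity check reports a clean file."""
    return conn.execute("PRAGMA integrity_check").fetchall() == [("ok",)]


def find_uuid_references(conn, uuid):
    """Return {(table, column): row_count} for every column holding the UUID."""
    hits = {}
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'").fetchall()]
    for table in tables:
        columns = conn.execute(
            f"PRAGMA table_info({quote_ident(table)})").fetchall()
        for col in columns:
            column = col[1]  # table_info rows are (cid, name, type, ...)
            count = conn.execute(
                f"SELECT COUNT(*) FROM {quote_ident(table)} "
                f"WHERE {quote_ident(column)} = ?", (uuid,)).fetchone()[0]
            if count:
                hits[(table, column)] = count
    return hits


def classify(conn, uuid, users_table="users", users_key="uuid"):
    """Separate the cases argued over in the thread.

    users_table / users_key are assumptions about the schema; adjust them
    to match the database being examined.
    """
    if not integrity_ok(conn):
        return "integrity_check_failed", {}
    hits = find_uuid_references(conn, uuid)
    if (users_table, users_key) in hits:
        return "user_present", hits
    if hits:
        # Rows still point at a user that no longer exists: partial loss.
        return "orphaned_rows", hits
    # Nothing left anywhere: consistent with a complete, deliberate deletion.
    return "no_trace", hits


def build_demo_db(present=False, orphan=False):
    """Constructed in-memory database with a simplified, assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (uuid TEXT PRIMARY KEY, email TEXT);
        CREATE TABLE ciphers (uuid TEXT PRIMARY KEY, user_uuid TEXT, name TEXT);
        CREATE TABLE devices (uuid TEXT PRIMARY KEY, user_uuid TEXT);
    """)
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 (OTHER_UUID, "other@example.com"))
    conn.execute("INSERT INTO ciphers VALUES (?, ?, ?)",
                 ("cipher-1", OTHER_UUID, "entry"))
    if present:
        conn.execute("INSERT INTO users VALUES (?, ?)",
                     (DEMO_UUID, "user@example.com"))
    if orphan:
        conn.execute("INSERT INTO ciphers VALUES (?, ?, ?)",
                     ("cipher-2", DEMO_UUID, "leftover"))
    conn.commit()
    return conn


if __name__ == "__main__":
    for kwargs in ({}, {"orphan": True}, {"present": True, "orphan": True}):
        verdict, hits = classify(build_demo_db(**kwargs), DEMO_UUID)
        print(kwargs, "->", verdict, hits)
```

Run it against a copy of the database file, never the live one, by replacing `build_demo_db()` with `sqlite3.connect("path/to/copy.sqlite3")`.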


@Kjemme commented on GitHub:

I am a Bitwarden/Vaultwarden user in a company. I use the system more or less every weekday - and used it Friday last week (= 3 days ago). This morning all my data is gone. Both the elements shared with me by the company AND my own data. Does this sound like it has something to do with the update discussed in this thread? If yes, then what can I do /or tell the administrator to do?


@bbrendon commented on GitHub:

We don't have account recovery enabled.



# cat logs-vanished |grep -Ei '(delete|remove|purg)'
...
vaultwarden-bitwarden-1  | [2023-10-10 17:58:54.112][response][INFO] (delete_cipher_put) PUT /api/ciphers/<uuid>/delete => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:11.829][request][INFO] POST /api/accounts/delete-recover
vaultwarden-bitwarden-1  | [2023-10-18 20:00:11.848][response][INFO] (post_delete_recover) POST /api/accounts/delete-recover => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:33.063][request][INFO] POST /api/accounts/delete-recover-token
vaultwarden-bitwarden-1  | [2023-10-18 20:00:33.106][response][INFO] (post_delete_recover_token) POST /api/accounts/delete-recover-token => 200 OK
vaultwarden-bitwarden-1  | [2023-10-25 23:44:08.835][request][INFO] PUT /api/ciphers/d0569d6a-2a64-432c-94ce-607b24420bc3/delete
vaultwarden-bitwarden-1  | [2023-10-25 23:44:08.839][response][INFO] (delete_cipher_put) PUT /api/ciphers/<uuid>/delete => 200 OK

...

I then opened the logfile to see the full contents of around 2023-10-18 20:00:11.829

Found the below. I believe 107.142.15.16 is the IP of user as well.


vaultwarden-bitwarden-1  | [2023-10-18 19:59:16.938][request][INFO] GET /api/config
vaultwarden-bitwarden-1  | [2023-10-18 19:59:16.938][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 19:59:16.958][request][INFO] GET /api/config
vaultwarden-bitwarden-1  | [2023-10-18 19:59:16.958][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 19:59:47.887][request][INFO] POST /identity/accounts/register
vaultwarden-bitwarden-1  | [2023-10-18 19:59:47.890][vaultwarden::api::core::accounts][ERROR] Registration not allowed or user already exists
vaultwarden-bitwarden-1  | [2023-10-18 19:59:47.892][response][INFO] (identity_register) POST /identity/accounts/register => 400 Bad Request
vaultwarden-bitwarden-1  | [2023-10-18 19:59:54.258][request][INFO] GET /api/devices/knowndevice
vaultwarden-bitwarden-1  | [2023-10-18 19:59:54.259][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 19:59:56.679][request][INFO] POST /api/accounts/password-hint
vaultwarden-bitwarden-1  | [2023-10-18 19:59:56.719][response][INFO] (password_hint) POST /api/accounts/password-hint => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:07.622][request][INFO] GET /api/config
vaultwarden-bitwarden-1  | [2023-10-18 20:00:07.623][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:07.647][request][INFO] GET /api/config
vaultwarden-bitwarden-1  | [2023-10-18 20:00:07.647][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:11.829][request][INFO] POST /api/accounts/delete-recover
vaultwarden-bitwarden-1  | [2023-10-18 20:00:11.848][response][INFO] (post_delete_recover) POST /api/accounts/delete-recover => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:31.066][request][INFO] GET /api/config
vaultwarden-bitwarden-1  | [2023-10-18 20:00:31.067][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:31.074][request][INFO] GET /api/config
vaultwarden-bitwarden-1  | [2023-10-18 20:00:31.074][response][INFO] (config) GET /api/config => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:33.063][request][INFO] POST /api/accounts/delete-recover-token
vaultwarden-bitwarden-1  | [2023-10-18 20:00:33.106][response][INFO] (post_delete_recover_token) POST /api/accounts/delete-recover-token => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:50.840][request][INFO] POST /identity/accounts/register
vaultwarden-bitwarden-1  | [2023-10-18 20:00:50.842][vaultwarden::api::core::accounts][ERROR] Registration not allowed or user already exists
vaultwarden-bitwarden-1  | [2023-10-18 20:00:50.842][response][INFO] (identity_register) POST /identity/accounts/register => 400 Bad Request
vaultwarden-bitwarden-1  | [2023-10-18 20:01:01.318][request][INFO] GET /api/devices/knowndevice
vaultwarden-bitwarden-1  | [2023-10-18 20:01:01.320][response][INFO] (get_known_device) GET /api/devices/knowndevice => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:01:06.487][request][INFO] POST /identity/accounts/prelogin
vaultwarden-bitwarden-1  | [2023-10-18 20:01:06.488][response][INFO] (prelogin) POST /identity/accounts/prelogin => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:01:06.695][request][INFO] POST /identity/connect/token
vaultwarden-bitwarden-1  | [2023-10-18 20:01:06.695][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 107.142.15.16. Username: <user_that_vanished>@domain.com.
vaultwarden-bitwarden-1  | [2023-10-18 20:01:06.695][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
vaultwarden-bitwarden-1  | [2023-10-18 20:01:29.818][vaultwarden::api::notifications][INFO] Accepting WS connection from 10.2.1.21:54730
vaultwarden-bitwarden-1  | [2023-10-18 20:01:39.160][request][INFO] POST /identity/connect/token
vaultwarden-bitwarden-1  | [2023-10-18 20:01:39.166][response][INFO] (login) POST /identity/connect/token => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:01:39.430][vaultwarden::api::notifications][INFO] Accepting WS connection from 10.2.1.21:45592
vaultwarden-bitwarden-1  | [2023-10-18 20:03:10.387][vaultwarden::api::notifications][INFO] Accepting WS connection from 10.2.1.21:45782
vaultwarden-bitwarden-1  | [2023-10-18 20:03:39.566][request][INFO] POST /identity/connect/token
vaultwarden-bitwarden-1  | [2023-10-18 20:03:39.572][response][INFO] (login) POST /identity/connect/token => 200 OK



So I don't really understand, but it seems maybe the account was somehow deleted sometime last month but his vault was cached on his computer so it took awhile for him to notice? Maybe someone can piece it together based on the log above.
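
A log check for the sequence visible in the excerpt above, as an added example that is not part of the original comment or of Vaultwarden's code: it pairs a successful `delete-recover` request with a successful `delete-recover-token` call and lists the failed logins that follow. It assumes that a 200 response on `delete-recover-token` means an account deletion was carried out; the sample lines are constructed from the format shown above, with the IP and username replaced by placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the excerpt above; IP and username are placeholders.
SAMPLE_LOG = """\
vaultwarden-bitwarden-1  | [2023-10-10 17:58:54.112][response][INFO] (delete_cipher_put) PUT /api/ciphers/<uuid>/delete => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 19:59:56.679][request][INFO] POST /api/accounts/password-hint
vaultwarden-bitwarden-1  | [2023-10-18 20:00:11.829][request][INFO] POST /api/accounts/delete-recover
vaultwarden-bitwarden-1  | [2023-10-18 20:00:11.848][response][INFO] (post_delete_recover) POST /api/accounts/delete-recover => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:00:33.063][request][INFO] POST /api/accounts/delete-recover-token
vaultwarden-bitwarden-1  | [2023-10-18 20:00:33.106][response][INFO] (post_delete_recover_token) POST /api/accounts/delete-recover-token => 200 OK
vaultwarden-bitwarden-1  | [2023-10-18 20:01:06.695][vaultwarden::api::identity][ERROR] Username or password is incorrect. Try again. IP: 203.0.113.7. Username: user@example.com.
vaultwarden-bitwarden-1  | [2023-10-18 20:01:06.695][response][INFO] (login) POST /identity/connect/token => 400 Bad Request
vaultwarden-bitwarden-1  | [2023-10-25 23:44:08.839][response][INFO] (delete_cipher_put) PUT /api/ciphers/<uuid>/delete => 200 OK
"""

# [timestamp][source][LEVEL] message, with an optional "container | " prefix.
LINE_RE = re.compile(
    r"\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\]"
    r"\[(?P<src>[^\]]+)\]\[(?P<level>[A-Z]+)\]\s+(?P<msg>.*)$")
# Response lines: "(handler) METHOD /path => 200 OK"
RESPONSE_RE = re.compile(
    r"^\((?P<handler>\w+)\) (?P<method>[A-Z]+) (?P<path>\S+) => (?P<status>\d{3})")
FAILED_LOGIN_RE = re.compile(
    r"Username or password is incorrect\. Try again\. "
    r"IP: (?P<ip>\S+?)\. Username: (?P<user>\S+?)\.$")


def parse(lines):
    """Turn raw log lines into (timestamp, source, level, message) tuples."""
    events = []
    for raw in lines:
        m = LINE_RE.search(raw.rstrip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["src"], m["level"], m["msg"].strip()))
    return events


def find_account_deletions(events, token_window=timedelta(minutes=30),
                           aftermath=timedelta(minutes=10)):
    """Report each successful delete-recover-token call with its context.

    events must be in chronological order. Cipher deletions and non-200
    responses are ignored.
    """
    findings = []
    last_request = None
    for i, (ts, src, _level, msg) in enumerate(events):
        if src != "response":
            continue
        r = RESPONSE_RE.match(msg)
        if not r or r["status"] != "200":
            continue
        if r["handler"] == "post_delete_recover":
            last_request = ts  # deletion e-mail was requested
        elif r["handler"] == "post_delete_recover_token":
            requested = None
            if last_request is not None and ts - last_request <= token_window:
                requested = last_request
            failed = []
            for ts2, _src2, _lvl2, msg2 in events[i + 1:]:
                if ts2 - ts > aftermath:
                    break
                f = FAILED_LOGIN_RE.search(msg2)
                if f:
                    failed.append((f["ip"], f["user"]))
            findings.append({"requested_at": requested,
                             "confirmed_at": ts,
                             "failed_logins_after": failed})
    return findings


if __name__ == "__main__":
    for finding in find_account_deletions(parse(SAMPLE_LOG.splitlines())):
        print(finding)
```

The failed logins are only correlated by time, so they point at a candidate account and source address rather than proving who confirmed the deletion; the reverse proxy log is the place to match the request itself to an IP.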

Reference: starred/vaultwarden#652