I Almost Got Hit Last Week
Last week I was helping a friend — she runs an independent consulting practice — figure out why her client email account suddenly locked her out. We stared at her screen for half an hour. Eventually we traced it back to a "password manager mini-tool" she'd installed three months earlier, recommended by someone in a startup group chat. It looked exactly like the real thing. Turned out it was a counterfeit: everything you saved in it got quietly forwarded to whoever built it. Her email account, her client document permissions, her payment platform — all of it was in there. She spent that entire afternoon doing nothing but resetting passwords.
I'm not in a position to say "that would never happen to me" — I've installed sketchy productivity tools before and just got lucky nothing went wrong.
What Actually Happened, in Plain Terms
Short version: someone built a fake version of the password manager Bitwarden with a name nearly identical to the real one, then published it to a platform developers commonly use for downloads. Anyone who used the fake version had every saved password silently sent to the attacker.
You might think "I'm not a developer, I'd never download from that platform" — and you're probably right, most non-technical founders wouldn't hit this specific trap. But the pattern behind it is worth everyone's attention: fake software impersonating legitimate tools is showing up in more and more places, including WeChat group recommendations, Xiaohongshu posts, and even the top ad slots in Google search results.
I know a freelance brand strategist in Shanghai named Xiaowen. Last year she found a "Notion Chinese edition" download link through Baidu and installed a fake client. Client proposals she'd stored inside ended up being used by a competitor in another city. She had no idea what had happened — she just noticed her quotes kept getting undercut. It took months before she connected the dots.
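The common thread in both stories is a name that is almost, but not quite, the real product's name. As an added illustration (my own example code, not anything from the original incident, from Bitwarden or from Notion), here is a small checker that takes a tool or package name and reports whether it exactly matches a trusted brand, looks like a disguised copy of one (accents, digit-for-letter swaps, the brand embedded in a longer name, or a one- or two-character misspelling), or resembles nothing on the list. The allow-list, the look-alike character table and the sample names are all constructed for the example; a real deployment would carry the organisation's own list of approved tools.

```python
import unicodedata

# Hypothetical allow-list for this example: the two tools named in the post.
TRUSTED_NAMES = {"bitwarden", "notion"}

# Constructed table of characters commonly swapped in for letters in
# impersonating names. Not exhaustive; extend it for your own environment.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s", "|": "l",
})


def strip_separators(name: str) -> str:
    """Lower-case the name and keep only letters and digits."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def normalize(name: str) -> str:
    """Fold accents and look-alike characters so that names such as
    'Bítwarden' or 'b1twarden' can be compared with the plain ASCII brand."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return strip_separators(folded.translate(CONFUSABLES))


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(name: str):
    """Classify a tool/package name against the allow-list.

    Returns ("trusted", brand) for an exact match, ("suspicious", brand) when
    the name is a look-alike of a brand or embeds it, and ("unknown", None)
    when it resembles nothing on the list. Anything "suspicious" should be
    checked against the vendor's official website before it is installed.
    """
    raw = strip_separators(name)
    if raw in TRUSTED_NAMES:
        return ("trusted", raw)
    folded = normalize(name)
    if folded in TRUSTED_NAMES:
        # Differs from the brand only by accents or look-alike characters.
        return ("suspicious", folded)
    closest = None
    for brand in TRUSTED_NAMES:
        if brand in folded:
            # Brand embedded in a longer name, e.g. "notion-cn".
            return ("suspicious", brand)
        distance = levenshtein(folded, brand)
        limit = 1 if len(brand) < 8 else 2  # tolerate fewer edits on short names
        if distance <= limit and (closest is None or distance < closest[0]):
            closest = (distance, brand)
    if closest is not None:
        return ("suspicious", closest[1])
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample names for demonstration, not real packages.
    for candidate in ["Bitwarden", "b1twarden", "Bítwarden", "notion-cn", "bitwardn", "excel"]:
        verdict, brand = assess(candidate)
        print(f"{candidate:12} -> {verdict:10} {brand or ''}")
```

The point of the "suspicious" verdict is not to block automatically but to trigger the habit the post recommends: when a name borrows a brand you trust, open the vendor's official site yourself and take the download link from there rather than from the chat, the ad or the search result.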
What You Can Do Today — the Cost Is Low
Money: starts at ¥0 (Bitwarden's free tier is enough; paid is about ¥10/month)
Time: roughly 20 minutes for first-time setup
Technical barrier: if you can use a phone app, you're fine
First step: go to bitwarden.com, click "Get Started Free" in the top right
My own setup is pretty simple:
- All account passwords live only in my Bitwarden account — nothing saved in the browser
- Before installing any tool, I go to the official website for the download link — I don't click links shared in group chats
- For anything important (payments, email, client systems) I've turned on two-factor authentication — that's the thing where you also enter a code texted to your phone when you log in. Even if your password leaks, the attacker still can't get in
None of this is high-tech. I only got serious about it after watching what happened to my friend.
Where You Are Now — What I'd Do at Each Stage
If you're just starting out and don't have much client data yet: skipping this for now is fine, but there's one free habit worth building immediately — only download tools from official websites, never from links in group chats. Zero cost, zero time.
If you already have one or two clients and hold their contact info or file permissions: I'd spend 20 minutes setting up Bitwarden and consolidating the passwords currently scattered across your browser, notes app, and WeChat saved messages. Not to look professional — just so that if something goes wrong, you can immediately see what needs to be changed.
If you're scaling up and starting to have a team or multiple platform accounts: at this point password management isn't just about protecting yourself — it's also about "if a collaborator leaves, can I quickly rotate the passwords they knew?" Bitwarden has team sharing with per-person permission controls. That's worth actually digging into.
Not everyone needs to act on this today. But "only download from official websites" — that habit can start right now.