[PM-32136] Bitwarden is hallucinating some TOTP verification codes

[zotabee]

Steps To Reproduce

Basically, the Bitwarden (full password manager) android app is showing me some TOTP codes for some entries who don't have TOTP key/code at all. (Field completely empty - never used - never filled)

It's definitively a new / recent bug on the Android app. Not sure if it's reproducible.

It's only happening on my most recently created entries, from these past couple days. I noticed because I have a discrepancy of how many TOTP I have between my different password managers.

My usual process is creating entries manually in the web version of Bitwarden. Auto-filling with the addon or Android app when needed to login.

1. Go to web version of Bitwarden, add some entries (username, password, website but do NOT fill the "Authenticator key" field - leave it empty)
2. Save it
3. Check the Android version
4. Go on TOTP -> Verification codes
5. I see some entries showing a TOTP code even though they don't have TOTP key! If I edit the entry there is no TOTP code even on the android version.

I confirm that on like my 4-5 most recent entries from the past few days, I have this bug. It's services/websites without TOTP keys.

Interestingly these entries are all showing the same fake TOTP code. No idea where is this getting from.

There is no problem on the web version or the Firefox addon, only happening on the android app. A sync doesn't help.

Expected Result

Don't show TOTP/Verification code if the TOTP field is empty, like it always did in the past.

Actual Result

I'm seeing fake TOTP that doesn't exist for entries that don't have a TOTP at all, never had.

Screenshots or Videos

Additional Context

It seems that only my last newly created logins/entries are impacted, from the last two weeks maybe. From end of January ~31th to Feb 8 are impacted. All created from the web version.

Build Version

© Bitwarden Inc. 2015-2026

Version: 2026.1.1 (21176)
📱 samsung SM-S931B 🤖 16@36 📦 prod
🧱 commit: 0ee3e2e
💻 build source: bitwarden/android/actions/runs/21527118876/attempts/1
🦀 SDK: 2.0.0-4676-0544ddec
🌩 Server: 2026.1.1 @ US

What server are you connecting to?

EU (well it seems it's US from the android app but I'm EU based)

Self-host Server Version

No response

Environment Details

• Android app

Issue Tracking Info

• I understand that work is tracked outside of Github. A PR will be linked to this issue should one be opened to address it, but Bitwarden doesn't use fields like "assigned", "milestone", or "project" to track progress.

[bitwarden-bot]

Thank you for your report! We've added this to our internal board for review.
ID: PM-32136

[pamperer562580892423]

Another user here.

Screenshots or Videos
Can't screenshot the app

In the app, go to Settings --> Other --> "Allow screen capture" and you can...

It would also be useful, if you copied & pasted everything from BW app --> Settings --> About --> Version in here (best: add it to your OP).

[Krychaz]

Hi there,

Are you able to replicate it if you create a new, dummy entry? As mentioned by @pamperer562580892423 it would be very useful to get a screen recording.

[zotabee]

@pamperer562580892423 Done, thanks.

@Krychaz Done. I tested a new dummy entry like I usually do, didn't reproduce. I'm going to try again. No, I can't reproduce with new entries so far. But my "ghost" TOTP entries are still there, with the same common fake code. It's life for 4-5 entries, all recently created in the last couple weeks max. On about 110 total TOTP entries.

[zotabee]

All good on the web version and via the addon, no TOTP, as expected, chess dot com doesn't even have nor never supported TOTP.

[pamperer562580892423]

Ha, seems you could make good use of the screen capture function now. 😉

Maybe a bit silly, but just to be sure:

• you only have one chess.com / Cloudflare - zone... / ... login item in your vault, correct?
• and, therefore, for some of the screenshots you entered "View login", and from there (in the same login item), you entered "Edit login", correct?

Probably it doesn't mean anything, but I recognized that your Chess.com login item has time stamps that are one hour apart (Android app <--> web vault), so your devices are in different time zones?

Ah, and just FYI:

What server are you connecting to?
EU (well it seems it's US from the android app but I'm EU based)

Okay, you're EU based, but when the Android app shows "US", that should mean the BW account you're currently logged in with was created on the BW US cloud server (vault.bitwarden.com) - and not on the BW EU cloud server (vault.bitwarden.eu).

[zotabee]

Ha, seems you could make good use of the screen capture function now. 😉

👍

Maybe a bit silly, but just to be sure:

* you only have one chess.com / Cloudflare - zone... / ... login item in your vault, correct?

* and, therefore, for some of the screenshots you entered "View login", and from there (in the same login item), you entered "Edit login", correct?

Yep, 100% affirmative, only entry of each, no duplicate. And yes, I enter "Edit" from the "View" screen to show there is no key set in those entries.

Amongst these bugged entries, they all show the same TOTP code. They take it from somewhere, somehow.

Probably it doesn't mean anything, but I recognized that your Chess.com login item has time stamps that are one hour apart (Android app <--> web vault), so your devices are in different time zones?

Yep, you are right, It's because I use a privacy focused browser that set me in a different timezone, UTC. That's why there is a difference between the browser and the app. Never had been an issue since I use BW though.

Ah, and just FYI:

What server are you connecting to?
EU (well it seems it's US from the android app but I'm EU based)

Okay, you're EU based, but when the Android app shows "US", that should mean the BW account you're currently logged in with was created on the BW US cloud server (vault.bitwarden.com) - and not on the BW EU cloud server (vault.bitwarden.eu).

Interesting, maybe because I use bitwarden.com.