[firstlink]

I would not recommend ever changing credentials while under attack, unless they are known to be weak (but the time to change them is before the attack, in that case). The process of changing them opens up several vectors of attack. Additionally, if the attacker already obtained the encrypted payload, it would only be harmful to give them the same data encrypted under a new key.

[CommitSyn]

What additional vectors?

If they already had the data, would they be using the web account login page?

[firstlink]

E.g. PITM attack on password reset endpoints.

And yes, if I had a bitwarden vault I wanted to crack I'd absolutely be using the web account login page. The latter is more likely to yield to have some vulnerability than the at-rest encryption, which when exploited would yield the password; or it could scare the target into falling into my PITM attack, or otherwise act irrationally.

[CommitSyn]

PITM?

What type of vulnerability could the web interface have that the offline password file wouldn't? Unless they have a backdoor. The speed difference would also be tens or millions of times faster.