Technologies

What LastPass Subscribers Need to Do After the Latest Breach

Following the latest breach, you might want to find a new password manager.

LastPass, one of the world’s most popular password managers, is yet again under the microscope after its latest security breach.

In late December, LastPass CEO Karim Toubba acknowledged that a security incident the company first disclosed in August had ultimately paved the way for an unauthorized party to steal customer account information and vault data. This is the latest in a lengthy string of security incidents involving LastPass that date back to 2011.

It’s also the most alarming.

An unauthorized party now has access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party also has a copy of customer vault data, which includes unencrypted data like website URLs and encrypted data like the usernames and passwords for all the sites customers have saved in their vaults. If you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager because your passwords and personal data are at risk of being exposed.

What should LastPass subscribers do?

The company didn’t specify how many users were affected by the breach, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.

If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.

With that in mind, here’s what you need to do right now if you’re a LastPass subscriber:

1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.

2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.

3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.

4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).

5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.

LastPass alternatives to consider

Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.

How did it come to this?

In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»

At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.

On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.

«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»

Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.

However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»

Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.

Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»

However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.

What does all of this mean for LastPass subscribers?

The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe.

If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).

Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.

LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.

Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.

For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.

Technologies

You Can Watch an Exclusive Avatar: Fire and Ash Scene on TikTok Right Now

Disney and TikTok partner on an immersive content hub for James Cameron’s latest movie about the alien Na’vi.

If you’re not quite ready to head to the theater to watch Avatar: Fire and Ash, an exclusive scene preview might sell you on the visual spectacle. As part of a new collaboration with the social media giant, Disney is posting snippets of its new movie to its TikTok account.

This scene isn’t part of any trailer and won’t be posted to other social media accounts, making TikTok the only place you can view it — unless you buy a movie ticket. A first look at the new movie’s scenes isn’t the only Avatar-related bonus on the social media platform right now, either. TikTok has partnered with the house of mouse to bring an entire «immersive content hub» to the app.

A special section of TikTok includes quizzes and educational videos that explore the alien world of Pandora shown off in the movies. On TikTok, you can take a personality quiz to find out what Na’vi clan you most closely align with and unlock a special profile picture border to use on your account.

Science and fiction blend together with a series of videos from real doctors who explain the basis for some of Avatar’s world-building. If you want to learn about exoplanets or how realistic the anatomy of the movie’s alien animals is, these videos will feed your brain while still providing entertainment value.

Perhaps the most enticing part of Disney’s latest social media collaboration is the opportunity for fans to win prizes and trips. TikTok creators who make edits with the #TikTokAvatarContest hashtag are entered into a competition to win Avatar merchandise. The biggest winners will be able to take a trip to visual effects studio Wētā Workshop in New Zealand or visit Avatar director James Cameron’s Lightstorm Entertainment Studio in Los Angeles.

Avatar: Fire and Ash is the third installment in director Cameron’s cinematic passion project. While the first Avatar movie was released in 2009, Cameron didn’t release another entry in the franchise until 2022. In total, there is a five-movie arc planned for the indigo alien Na’vi on the moon of Pandora.

The Avatar movies are known for pushing the boundaries of CGI visual effects in cinema. They are also historically big winners at the box office: the original Avatar is the highest-grossing film of all time, earning $2.9 billion across its theatrical releases. Its sequel, Avatar: The Way of Water, is the third-highest-grossing film of all time, trailing Avengers: Endgame. You can stream those movies on Disney Plus.

It remains to be seen whether Avatar: Fire and Ash will financially live up to its predecessors. The film currently has mixed reviews from critics on Rotten Tomatoes.

Technologies

Brain-Inspired Algorithms Could Dramatically Cut AI Energy Use

A new study dives into a major redesign for AI architecture.

One major issue facing artificial intelligence is the interaction between a computer’s memory and its processing capabilities. When an algorithm is in operation, data flows rapidly between these two components. However, AI models rely on a vast amount of data, which creates a bottleneck.

A new study, published on Monday in the journal Frontiers in Science by Purdue University and the Georgia Institute of Technology, suggests a novel approach to building computer architecture for AI models using brain-inspired algorithms. The researchers say that creating algorithms in this manner could reduce the energy costs associated with AI models.

«Language processing models have grown 5,000-fold in size over the last four years,» Kaushik Roy, a Purdue University computer engineering professor and the study’s lead author, said in a statement. «This alarmingly rapid expansion makes it crucial that AI is as efficient as possible. That means fundamentally rethinking how computers are designed.»

Don’t miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source. Don’t miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source.

Most computers today are modeled on an idea from 1945 called the von Neumann architecture, which separates processing and memory. This is where the slowdown occurs. As more people around the world utilize data-hungry AI models, the distinction between a computer’s processing and memory capacity could become a more significant issue.

Researchers at IBM called out this problem in a post earlier this year. The issue computer engineers are running up against is called the ‘memory wall.’

Breaking the memory wall

The memory wall refers to the disparity between memory and processing capabilities. Essentially, computer memory is struggling to keep up with processing speeds. This isn’t a new issue. A pair of researchers from the University of Virginia coined the term back in the 1990s.

But now that AI is prevalent, the memory wall issue is sucking up time and energy in the underlying computers that make AI models work. The paper’s researchers argue that we could try a new computer architecture that integrates memory and processing.

Inspired by how our brains function, the AI algorithms referred to in the paper are known as spiking neural networks. A common criticism of these algorithms in the past is that they can be slow and inaccurate. However, some computer scientists argue that these algorithms have shown significant improvement over the last few years.

The researchers suggest that AI models should utilize a concept related to SNNs, known as compute-in-memory. This concept is still relatively new in the field of AI.

«CIM offers a promising solution to the memory wall problem by integrating computing capabilities directly into the memory system,» the authors write in the paper’s abstract.

Medical devices, transportation, and drones are a few areas where researchers believe improvements could be made if computer processing and memory were integrated into a single system.

«AI is one of the most transformative technologies of the 21st century. However, to move it out of data centers and into the real world, we need to dramatically reduce its energy use,» Tanvi Sharma, co-author and researcher at Purdue University, said in a statement.

«With less data transfer and more efficient processing, AI can fit into small, affordable devices with batteries that last longer,» Sharma said.

Technologies

Today’s NYT Connections: Sports Edition Hints and Answers for Dec. 17, #450

Here are hints and the answers for the NYT Connections: Sports Edition puzzle for Dec. 17, No. 450.

Looking for the most recent regular Connections answers? Click here for today’s Connections hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle and Strands puzzles.

Today’s Connections: Sports Edition is pretty challenging. How well do you know French soccer? If you’re struggling with today’s puzzle but still want to solve it, read on for hints and the answers.

Connections: Sports Edition is published by The Athletic, the subscription-based sports journalism site owned by The Times. It doesn’t appear in the NYT Games app, but it does in The Athletic’s own app. Or you can play it for free online.

Read more: NYT Connections: Sports Edition Puzzle Comes Out of Beta

Hints for today’s Connections: Sports Edition groups

Here are four hints for the groupings in today’s Connections: Sports Edition puzzle, ranked from the easiest yellow group to the tough (and sometimes bizarre) purple group.

Yellow group hint: Put it on your noggin.

Green group hint: Goes before a division of the year.

Blue group hint: French football.

Purple group hint: Think Louisville Slugger.