Technologies

LastPass Issues Update on Data Breach, But Users Should Still Change Passwords

You still need to take action to protect your data even though LastPass said it hasn’t seen any threat-related activity since October.

LastPass, one of the world’s most popular password managers, suffered a major data breach in 2022 that compromised users’ personal data and put their online passwords and other sensitive information at risk.

On Dec. 22, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company first disclosed in August eventually paved the way for an «unauthorized party» to steal customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass, which date back to 2011.

It’s also the most alarming.

The unauthorized party was able to gain access to unencrypted customer account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal customer vault data, which includes unencrypted data like website URLs as well as encrypted data like the usernames and passwords for all the sites that LastPass users have stored in their vaults.

In the meantime, LastPass has wrapped up an «exhaustive investigation» into the breach, according to a blog post published by Toubba on Wednesday, March 1, that updates customers on what actions the company has taken in the wake of the breach. Toubba vowed to make things right for customers and promised more effective communication going forward while adding that the company has «not seen any threat-actor activity since October 26, 2022.»

Even so, if you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data can still be at serious risk of being exposed. At the very least, you need to change all of the passwords you have stored with LastPass right away if you haven’t already.

What should LastPass subscribers do?

The company didn’t specify how many users were affected, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.

If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.

With that in mind, here’s what you need to do right away if you’re a LastPass subscriber:

1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.

2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.

3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.

4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).

5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.

LastPass alternatives to consider

Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.

How did it come to this?

In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»

At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.

On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.

«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»

Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.

However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»

Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.

Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»

However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.

On March 1, Toubba published a new blog post offering customers a lengthy update on where the situation stands, what data was accessed and what steps LastPass has taken to shore up its security. In the blog post, LastPass also offered its own recommendations on what business customers as well as individual customers should do to protect their data.

The company has completed its investigation into the data breach and said that it hasn’t detected any unauthorized activity since October, according to the blog post. Also, in response to the breach, LastPass «prioritized and initiated significant investments in security, privacy and operational best practices» and «performed a comprehensive review of our security policies and incorporated changes to restrict access and privilege, where appropriate,» according to the blog post.

What does all of this mean for LastPass subscribers?

The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe — even considering the latest security improvements outlined by the company in its latest blog post.

If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).

Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.

LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.

Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.

For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.

Technologies

Razer’s Wolverine V3 Pro 8K Controller Won’t Replace My Mouse and Keyboard, but Here’s Where It Shines

I applaud the absurdly high polling rate, six extra remappable buttons and TMR sticks, but let me tell you why I’m sticking with my keyboard and mouse for most games I play.

The Razer Wolverine V3 Pro 8K PC controller was not built for me, but admittedly, this has more to do with me as a gamer than the controller itself. I grew up playing the PlayStation 3 and PS4 consoles, cutting my teeth on slim, compact DualSense controllers. Over the past five years, I’ve gamed exclusively on my PC and have grown accustomed to the increased precision of a mouse and keyboard.

The Razer Wolverine V3 Pro 8K PC controller is the antithesis of a DualSense controller. It’s a chunky piece of hardware that might feel natural if you were raised on an Xbox and its bulky controllers, but it took me multiple gaming sessions to get acclimated to the sheer size of the Wolverine V3 and how it fit into my hands, especially since I don’t use a claw grip.

Size aside, this is a PC controller with every bell and whistle you can think of — and its price of $200 reflects that. The 8,000Hz polling rate ensures buttery smooth inputs with no lag, and tunnel magnetoresistance joysticks make every in-game movement feel fluid and calculated. Six extra remappable buttons help you up your game — they’re super handy for hero shooters like Marvel Rivals and hectic games like Battlefield 6. This is a premium product for gamers who are hoarding some serious hardware.

Its price is in line with other premium controllers. One of CNET’s best Xbox controllers is the Wolverine V3 Pro for Xbox, which also costs $200. Similar controllers like the Scuf Instinct Pro and Vitrix Pro BFG are in the same ballpark, pricewise, but the Wolverine V3 Pro 8K PC has a winning combination of competitive variables that make it feel exceptionally easy to use.

This controller is chock full of top-of-the-line technology and feels satisfying to use, but it needs to clear a high bar to feel truly worthwhile as a dedicated PC controller.

Chunky controller, satisfying feedback

When CNET’s Josh Goldman reviewed the Wolverine V3 Pro Xbox wireless controller, he called it «just about perfect.» If it isn’t broken, don’t fix it: Razer replicated many of its successes with the Wolverine V3 Pro PC controller.

The Wolverine V3 Pro 8K PC is the same size as the Wolverine V3 Pro Xbox controller, which is to say it’s a bit chunkier than a standard Xbox wireless controller, but it’s surprisingly much lighter than its Xbox cousin. It weighs just 220 grams, which is appreciably lighter than the Xbox version that weighs 304 grams. And while the Wolverine V3 Pro 8K PC is nowhere near as slim as a DualSense controller, it’s still much lighter than its Sony competitor — a stock DualSense controller weighs 280 grams.

Every button on this controller has a crisp, clean clickiness that scratches the same mental itch that a good mechanical keyboard might. Whether you’re gripping the trigger, pressing a button or squeezing one of the four remappable back paddles, you’ll hear incredibly satisfying auditory feedback that leaves no doubt that the controller is receiving your inputs. At one point, while I sat through a particularly long matchmaking queue, I found myself squeezing the triggers to entertain myself — the snappy pops were enough to keep me off TikTok.

The biggest difference between the V3 Pro Xbox and V3 Pro PC controllers is the variable polling rate — that dictates how often your controller is communicating with the computer. It’s like a refresh rate for your crosshair positioning.

The Wolverine V3 Pro Xbox just can’t compete here: That controller has a wired 1,000Hz polling rate for PC gameplay. The V3 Pro PC controller can be toggled for multiple polling rates, with an 8,000Hz maximum setting. This means the PC controller can report your input data eight times faster than the Xbox controller.

Every movement, turn and button press feels incredibly fluid. It’s safe to say that there’s no input lag with the Wolverine V3 PC controller, but I don’t think it matters too much for moment-to-moment first-person shooter gameplay. If you’re driving a car (or a tank) and you need to stop on a hairpin, you might appreciate Razer’s HyperPolling technology. If you’re not playing a tactical shooter like Counter-Strike or Rainbow Six: Siege, that 8,000Hz polling rate is overkill — if you’re a casual gamer crushing Call of Duty public lobbies with your pals, you’re probably not going to notice it in any of your firefights.

Better than a mouse and keyboard? That’s a little more complicated

I tested out the Wolverine V3 Pro 8K PC controller on Marvel Rivals, ARC Raiders and Battlefield 6 (my current first-person shooter obsession). It’s an extremely solid choice for at least two of these games, and I likely won’t be using my DualSense controller anytime soon.

I had a great time firing magic bolts in Marvel Rivals and rolling tanks through the streets of Cairo in Battlefield 6, but this is a controller that was supposedly designed for high-level shooter gameplay. I’m saddened to report that, when it comes to dominating a first-person shooter match or competing to survive in an extraction shooter, I’d much rather stick to a mouse and keyboard.

In close-range battles, I didn’t feel like the Wolverine controller particularly helped me gain an advantage over my opponents. Mouse-and-keyboard players were often able to lock onto me quicker, even with a high look sensitivity and built-in aim assist. And I felt outmaneuvered and outgunned by mouse-and-keyboard players in the fastest-paced fights. But the controller’s precision TMR thumbsticks made it easy to quickly lock my crosshairs onto enemies and mow them down from afar with light machine guns or sniper rifles in long-range battles.

I also find it useful for games like Battlefield that have a lot of buttons to micromanage during moment-to-moment gameplay. If you want to swap your fire mode from automatic to single-fire, mount your weapon’s bipod against a flat surface or pull out an invaluable class gadget, you’ll be reaching across your keyboard to do so. The six remappable buttons on the Wolverine V3 Pro 8K PC are great for these situations; I loved that I could tap fire my hulking light machine gun by gripping one of the controller’s back paddles.

The controller really shone for vehicle combat, though. I found myself gravitating toward my mouse and keyboard for infantry gunplay, but anytime I’d jump into a tank, I’d reach across my desk and grab the Wolverine again. Having pressure-sensitive triggers helps with any in-game driving: A slight squeeze lets me cautiously move forward, scanning for enemy mines, while fully pulling the trigger down helps me speed out of dangerous situations. Rebinding automatic repair jobs and weapon switches to the back paddles also helped me focus more on in-game combat, which helped me keep my armored vehicles in the fight for longer. With my DualSense controller, I’d have to awkwardly fumble with the D-Pad to activate my vehicle abilities. The Wolverine controller is the definitive way for a Battlefield tank enthusiast to play.

Outside of standard first-person shooter gameplay, I also found the Wolverine V3 PC controller to be handy for hero shooters — with some caveats. When I play Marvel Rivals, I mainly play tanks that require an extensive amount of ability usage but very little aim. Characters like Doctor Strange thrive when you can quickly string inputs together, and rebinding the controls to the Wolverine’s back paddles is great for that.

On the other hand, speedy divers that need to jump in and out of the enemy team’s backline and aim-intensive snipers feel tougher to play with the Wolverine controls, and I’d swap back to my mouse and keyboard whenever I wanted to switch off tank characters and fulfill another role for my team.

One game I don’t recommend the Wolverine V3 Pro PC for is ARC Raiders. While the remappable buttons make it easy to reach for healing items and grenades, losing out on the precision aim of a mouse and keyboard just isn’t worth it in a game where one death can set your progress back by several real-life hours. The controller lets me hold my own against killer ARC robots, but once real players join the mix, I’d rather use my tried-and-true PC hardware setup.

That’s not to say that the Wolverine controller is terrible for a tactical third-person shooter: The back paddles are a great way to quickly access any healing items, grenades and other consumables you’re carrying, which could be the difference between life and death. But when I have teammates depending on me to help them escape with their hard-earned loot, I just don’t trust the Wolverine controller to help me aim better than I can with my trusty mouse and keyboard.

For playing first-person shooters like Call of Duty or Apex Legends at breakneck speeds, the Wolverine V3 Pro 8K PC likely won’t replace your mouse and keyboard. But if your ideal competitive game centers on slower gunplay and long-range firefights, this is the most precise controller I’ve ever laid hands on (and you’ll receive a healthy heaping of help from aim assist to boot).

For the games I like to play, the Wolverine V3 Pro PC controller hasn’t become my primary gaming peripheral. Instead, it’s become a great situational swapout that complements my mouse and keyboard. As much as I like keeping it on deck for a long gaming session, $200 is a high price for a part-time controller.

Technologies

The Most Exciting Video Game Rumors and Leaks Ahead of 2026

Technologies

Today’s NYT Mini Crossword Answers for Wednesday, Dec. 17

Here are the answers for The New York Times Mini Crossword for Dec. 17.

Looking for the most recent Mini Crossword answer? Click here for today’s Mini Crossword hints, as well as our daily answers and hints for The New York Times Wordle, Strands, Connections and Connections: Sports Edition puzzles.

Need some help with today’s Mini Crossword? Read on. And if you could use some hints and guidance for daily solving, check out our Mini Crossword tips.

If you’re looking for today’s Wordle, Connections, Connections: Sports Edition and Strands answers, you can visit CNET’s NYT puzzle hints page.

Read more: Tips and Tricks for Solving The New York Times Mini Crossword

Let’s get to those Mini Crossword clues and answers.