Technologies
LastPass Issues Update on Data Breach, But Users Should Still Change Passwords
You still need to take action to protect your data even though LastPass said it hasn’t seen any threat-related activity since October.
LastPass, one of the world’s most popular password managers, suffered a major data breach in 2022 that compromised users’ personal data and put their online passwords and other sensitive information at risk.
On Dec. 22, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company first disclosed in August eventually paved the way for an «unauthorized party» to steal customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass, which date back to 2011.
It’s also the most alarming.
The unauthorized party was able to gain access to unencrypted customer account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal customer vault data, which includes unencrypted data like website URLs as well as encrypted data like the usernames and passwords for all the sites that LastPass users have stored in their vaults.
In the meantime, LastPass has wrapped up an «exhaustive investigation» into the breach, according to a blog post published by Toubba on Wednesday, March 1, that updates customers on what actions the company has taken in the wake of the breach. Toubba vowed to make things right for customers and promised more effective communication going forward while adding that the company has «not seen any threat-actor activity since October 26, 2022.»
Even so, if you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data can still be at serious risk of being exposed. At the very least, you need to change all of the passwords you have stored with LastPass right away if you haven’t already.
What should LastPass subscribers do?
The company didn’t specify how many users were affected, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.
If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.
With that in mind, here’s what you need to do right away if you’re a LastPass subscriber:
1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.
2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.
3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.
4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).
5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.
LastPass alternatives to consider
- Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
- 1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
- iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.
How did it come to this?
In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»
At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.
On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.
«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»
Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.
However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»
Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.
Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»
However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.
On March 1, Toubba published a new blog post offering customers a lengthy update on where the situation stands, what data was accessed and what steps LastPass has taken to shore up its security. In the blog post, LastPass also offered its own recommendations on what business customers as well as individual customers should do to protect their data.
The company has completed its investigation into the data breach and said that it hasn’t detected any unauthorized activity since October, according to the blog post. Also, in response to the breach, LastPass «prioritized and initiated significant investments in security, privacy and operational best practices» and «performed a comprehensive review of our security policies and incorporated changes to restrict access and privilege, where appropriate,» according to the blog post.
What does all of this mean for LastPass subscribers?
The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe — even considering the latest security improvements outlined by the company in its latest blog post.
If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).
Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.
LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.
Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.
For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.
Technologies
Why International Travelers Should Consider a Burner Phone Going Into the US
What’s a burner? Here’s how they work and how to get one.
If you’re an international traveler visiting the US, or you’re traveling out of the US and back in, it might be time to consider getting a «burner phone,» a device that doesn’t include all your personal correspondence.
That’s due to increasing reports that agents of US Customs and Border Patrol are scanning mobile devices and, according to some accounts, turning people away or confiscating phones based on free-speech opinions they discover. In one case, a French scientist entering the US for a conference was reportedly detained and denied entry after messages critical of the Trump administration were found on his phone. It’s unclear how widespread these phone searches are or if people are being stopped for other reasons.
Even if you’re not traveling, a burner phone can be quite handy, such as cutting down on unsolicited calls or even to avoid distractions. Busy comedian Conan O’Brien recently praised his burner as a way to not get bogged down in instant messages and notifications.
Although carriers have offered prepaid phones since the ’90s, the term burner phones or «burners» essentially became popular in the 2000s due to its use in the celebrated HBO series The Wire, in which characters used burner phones to avoid getting caught by the police. Although often portrayed as such, burners are not only meant to be used by criminals. With privacy concerns rising, you might consider using a burner phone yourself.
So, what exactly is a burner phone, and how does it work? Below, we explain everything you need to know about burners and how to get one.
What is a burner phone?
Simply put, a burner phone is a cheap prepaid phone with no commitments. It comes with a set number of prepaid call minutes, text messages, or data and is designed to be disposed of after use.
Burners are contract-free, and you can grab them off the counter. They’re called burner phones because you can «burn» them, i.e., trash them after use, and the phone cannot be traced back to you, which makes them appealing to criminals. Burner phones are typically used when you need a phone quickly, without intentions of long-term usage.
Burners are different from getting a regular, contract-bound cellphone plans that require a lot of your information to be on file.
Why should you use a burner phone?
Burner phones are an easy way to avoid pesky cellphone contracts or spam you may be getting on your primary phone number. Burners are not linked to your identity, so you can avoid getting tracked down or contacted if that’s what you need.
However, you don’t have to dispose of it after use — you can just add more minutes and continue using it. Burner phones can still function as regular phones, minus the hassle of getting a phone with a contract.
You can also get a burner phone as a secondary phone for a specific purpose, like having a spare phone number for two-factor authentication texts, for business purposes or to avoid roaming charges while traveling. You can get a burner phone for any privacy reasons you may have.
Read more: The Data Privacy Tips Digital Security Experts Wish You Knew
Burner phones, prepaid phones, smartphones and burner SIMs: What’s the difference?
Burner phones are typically cheap feature phones and usually don’t come with the bells and whistles of a smartphone. Since these are designed to be cheap and disposable, you only get the essentials and very simple designs. The flip phone is a common sight in the burner phone market.
All burner phones are prepaid phones, but not all prepaid phones are burners. What sets a burner apart is that you will not have to give away any personal information to get one, and it won’t be traceable back to you. Also, it will be cheap enough to be trashed after use.
Read more: Best Prepaid Phone of 2025
Prepaid smartphones are generally low-end models to begin with, and burners are the cheapest prepaid phones you can get. However, you can use any unlocked smartphone with prepaid SIM cards if you want to, essentially making it a prepaid phone.
If you want to get a burner, you don’t necessarily have to buy a new phone. You can get a burner SIM and use it with an existing phone as well. Burner SIMs are prepaid SIMs you can get without a contract or giving away personal information.
Where can you buy a burner phone?
Burner phones are available at all the major retail outlets. You can pick them up from Walmart, Target, Best Buy and other big retailers. They’re also often available at convenience stores like 7-Eleven and Rite Aid, local supermarkets, gas stations, and retail phone outlets like Cricket, Metro and others.
You can get a burner phone with cash; a typical burner should cost between $10 and $50. It may cost more if you get more minutes and data with the phone. If you’re getting a burner phone specifically to avoid having the phone traced back to you, it makes sense to pay with cash instead of a credit card.
If you just want a prepaid secondary phone, you can pay for one with a credit card. Credit cards will leave a paper trail that leads back to you, but that shouldn’t be an issue unless you really don’t want the burner phone linked back to you.
There are also many apps that let you get secondary phone numbers, including Google Fi and the Burner app. However, these cannot quite be called burners in the ideal sense, since these providers will typically have at least some of your personal information.
If you’re just looking to get a solid prepaid phone without anonymity, you can check out our full guide for the best prepaid phone plans available currently. We also have a guide for the best cheap phone plans you can get.
Technologies
Today’s NYT Strands Hints, Answers and Help for April 16, #409
Here are hints and answers for the NYT Strands puzzle No. 409 for April 16. Fore!
Looking for the most recent Strands answer? Click here for our daily Strands hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle, Connections and Connections: Sports Edition puzzles.
Todays NYT Strands puzzle has a pretty clear theme, but unless you are into this activity, you may not know all the hidden words. One of them—spoiler—starts with a U—really stumped me. If you need hints and answers, read on.
I go into depth about the rules for Strands in this story.
If you’re looking for today’s Wordle, Connections and Mini Crossword answers, you can visit CNET’s NYT puzzle hints page.
Read more: NYT Connections Turns 1: These Are the 5 Toughest Puzzles So Far
Hint for today’s Strands puzzle
Today’s Strands theme is: Fore!
If that doesn’t help you, here’s a clue: Caddyshack.
Clue words to unlock in-game hints
Your goal is to find hidden words that fit the puzzle’s theme. If you’re stuck, find any words you can. Every time you find three words of four letters or more, Strands will reveal one of the theme words. These are the words I used to get those hints, but any words of four or more letters that you find will work:
- DIVE, DIVER, CHIT, CHIPPY, HIPPY, RODE, RULE, PUTT, FLOUT, EDGE, CHIP, DRIVE, TILT
Answers for today’s Strands puzzle
These are the answers that tie into the theme. The goal of the puzzle is to find them all, including the spangram, a theme word that reaches from one side of the puzzle to the other. When you’ve got all of them (I originally thought there were always eight but learned that the number can vary), every letter on the board will be used. Here are the nonspangram answers:
- PUTTER, IRON, WEDGE, DRIVER, WOOD, CHIPPER, UTILITY
Today’s Strands spangram
Today’s Strands spangram is GOLFCLUBS.To find it, start with the G that’s four letters to the right on the bottom row, and wind over and up.
Quick tips for Strands
#1: To get more clue words, see if you can tweak the words you’ve already found, by adding an «S» or other variants. And if you find a word like WILL, see if other letters are close enough to help you make SILL, or BILL.
#2: Once you get one theme word, look at the puzzle to see if you can spot other related words.
#3: If you’ve been given the letters for a theme word, but can’t figure it out, guess three more clue words, and the puzzle will light up each letter in order, revealing the word.
Technologies
Today’s NYT Connections: Sports Edition Hints and Answers for April 16, #205
Here are hints and answers for the NYT Connections: Sports Edition puzzle, No. 205, for April 16.
Looking for the most recent regular Connections answers? Click here for today’s Connections hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle and Strands puzzles.
Connections: Sports Edition was pretty easy for me today. The yellow group comes together quite easily once you think of the same action that can be done with a few of the words. If you’re familiar with the teams of a certain midwestern state, you’ve got the blue group covered too. Read on for hints and the answers.
Connections: Sports Edition is out of beta now, making its debut on Super Bowl Sunday, Feb. 9. That’s a sign that the game has earned enough loyal players that The Athletic, the subscription-based sports journalism site owned by the Times, will continue to publish it. It doesn’t show up in the NYT Games app but now appears in The Athletic’s own app. You can also continue to play it free online.
Read more: NYT Connections: Sports Edition Puzzle Comes Out of Beta
Hints for today’s Connections: Sports Edition groups
Here are four hints for the groupings in today’s Connections: Sports Edition puzzle, ranked from the easiest yellow group to the tough (and sometimes bizarre) purple group.
Yellow group hint: Toss it!
Green group hint: Let’s play.
Blue group hint: The Buckeye State.
Purple group hint: Put the same letter before them.
Answers for today’s Connections: Sports Edition groups
Yellow group: Throwing events.
Green group: Often found in a game room.
Blue group: Ohio sports teams.
Purple group: Words that can be preceded by T-.
Read more: Wordle Cheat Sheet: Here Are the Most Popular Letters Used in English Words
What are today’s Connections: Sports Edition answers?
The yellow words in today’s Connections
The theme is throwing events. The four answers are discus, hammer, javelin and shot put.
The green words in today’s Connections
The theme is often found in a game room. The four answers are air hockey, foosball, ping pong and pool.
The blue words in today’s Connections
The theme is Ohio sports teams. The four answers are Bearcats, Bengals, Cavaliers and Reds.
The purple words in today’s Connections
The theme is words that can be preceded by T-. The four answers are ball, Mac, shirt and Wolves.
Quick tips for Connections: Sports Edition
#1: Don’t grab for the easiest group. For each word, think about other sports categories it might fit in – is this a word that can be used in football, or to describe scoring options?
#2: Second meanings are important. The puzzle loves to use last names and even college names that mean other things, to fool you into thinking they are words, not names.
#3: And the opposite is also true. Words like HURTS might seem like a regular word, but it’s also the last name of at least one pro athlete.
-
Technologies2 года agoTech Companies Need to Be Held Accountable for Security, Experts Say
-
Technologies2 года agoBest Handheld Game Console in 2023
-
Technologies2 года agoTighten Up Your VR Game With the Best Head Straps for Quest 2
-
Technologies4 года agoVerum, Wickr and Threema: next generation secured messengers
-
Technologies4 года agoGoogle to require vaccinations as Silicon Valley rethinks return-to-office policies
-
Technologies3 года agoOlivia Harlan Dekker for Verum Messenger
-
Technologies3 года agoBlack Friday 2021: The best deals on TVs, headphones, kitchenware, and more
-
Technologies4 года agoiPhone 13 event: How to watch Apple’s big announcement tomorrow