Technologies

LastPass Issues Update on Data Breach, But Users Should Still Change Passwords

You still need to take action to protect your data even though LastPass said it hasn’t seen any threat-related activity since October.

LastPass, one of the world’s most popular password managers, suffered a major data breach in 2022 that compromised users’ personal data and put their online passwords and other sensitive information at risk.

On Dec. 22, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company first disclosed in August eventually paved the way for an «unauthorized party» to steal customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass, which date back to 2011.

It’s also the most alarming.

The unauthorized party was able to gain access to unencrypted customer account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal customer vault data, which includes unencrypted data like website URLs as well as encrypted data like the usernames and passwords for all the sites that LastPass users have stored in their vaults.

In the meantime, LastPass has wrapped up an «exhaustive investigation» into the breach, according to a blog post published by Toubba on Wednesday, March 1, that updates customers on what actions the company has taken in the wake of the breach. Toubba vowed to make things right for customers and promised more effective communication going forward while adding that the company has «not seen any threat-actor activity since October 26, 2022.»

Even so, if you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data can still be at serious risk of being exposed. At the very least, you need to change all of the passwords you have stored with LastPass right away if you haven’t already.

What should LastPass subscribers do?

The company didn’t specify how many users were affected, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.

If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.

With that in mind, here’s what you need to do right away if you’re a LastPass subscriber:

1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.

2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.

3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.

4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).

5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.

LastPass alternatives to consider

Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.

How did it come to this?

In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»

At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.

On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.

«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»

Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.

However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»

Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.

Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»

However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.

On March 1, Toubba published a new blog post offering customers a lengthy update on where the situation stands, what data was accessed and what steps LastPass has taken to shore up its security. In the blog post, LastPass also offered its own recommendations on what business customers as well as individual customers should do to protect their data.

The company has completed its investigation into the data breach and said that it hasn’t detected any unauthorized activity since October, according to the blog post. Also, in response to the breach, LastPass «prioritized and initiated significant investments in security, privacy and operational best practices» and «performed a comprehensive review of our security policies and incorporated changes to restrict access and privilege, where appropriate,» according to the blog post.

What does all of this mean for LastPass subscribers?

The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe — even considering the latest security improvements outlined by the company in its latest blog post.

If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).

Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.

LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.

Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.

For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.

Technologies

Nintendo’s Pokemon Legends: Z-A Is a Hit. Just Ask My Kid

Pokemon Legends: Z-A has sucked my family in, and I can’t get my Switch controller back from my son.

I’d love to tell you all about Pokemon Legends: Z-A, arriving this week, and what it’s been like to play on the Nintendo Switch 2. I can mostly do that — but for most of the past five days, it hasn’t really been me playing. What started as co-playing together quickly turned into my kid taking over completely as he got hooked. And honestly, I’d say that’s a good sign.

Nintendo makes a lot of Pokemon games, too many for me to keep track of. But Legends Z-A is the first that’s Switch 2-optimized, although you can play on original Switches, too. I can’t tell you what that’s like, though — my early review access limited me to playing Pokemon Legends: Z-A on the Switch 2 only at home. I was doubtful about how much a city-based game would truly feel like a must-have experience, but so far it’s already become one of my favorite Pokemon games ever.

I’ll let my son tell you. He’s gotten deep into the trading card game and has played most of the recent Pokemon titles over the past year, and he says this is his favorite so far. When I asked him why, he said it’s because the game completely rethinks how battles work. The quick, real-time system feels more immediate and far less sluggish than in past Pokemon games. Plus, he’s loving the story… and honestly, so am I.

A city full of surprises

My son loves the «peculiar» storyline, the fast-paced battles (which he now wants in every Pokemon game) and the constant sense of surprise while exploring Lumiose City.

All of Pokemon Legends: Z-A (at least from what I’ve seen in my 10-plus hours so far) takes place entirely within Lumiose City — a Paris-like metropolis where the CEO of a company called Quasartico Inc. is planning to rebuild everything into a new world where Pokemon and humans can better coexist. The setup reminded me of the Detective Pikachu movie during my demo a few weeks ago, and it turns out my instincts were right.

Pokemon roam in wild zones within the city, occasionally spilling into urban areas, while mysterious rogue «Mega Evolution» Pokemon have begun appearing and threatening the city’s calm. There’s clearly a deeper mystery at play, and while I’m still uncovering it, I won’t spoil anything here.

The game seems to mostly involve a journey to level up in rank from Z to A by battling various Pokemon trainers, but that’s not the whole story. There’s a group of friends you hang out with at a local hotel, along with research missions you have to carry out. Side quests are everywhere. The city, though it can feel a bit sparse at times, stretches all the way up to its rooftops, where all sorts of hidden spots are waiting to be discovered. It feels like a living maze, and one I’m still navigating.

And the city’s always changing, too. Wild zones keep multiplying, and from day to night the city’s dynamics shift. Battles take place at night, with trainers gathering in new pop-up spots each time. It’s not as lively as I’d hoped — this isn’t Grand Theft Pokemon — but the cozy, vibrant world still makes me daydream about what a real-life Universal Pokemon theme park could someday look like.

The Pokemon shine

I keep reminding myself to take extra time to discover and level up my Pokemon. At least that’s what my son’s telling me to do. He loves how many Pokemon can become Mega Evolved in this game, and how much fun the battle moves are to pull off. I’m happy he’s happy. I thought I’d get lost in the RPG aspects of the game, but I think the real-time Pokemon battles put me in a looser state of mind, more able to explore and not feel locked down into systems and rulesets. Swapping Pokemon battle moves and reassigning them to buttons is easy, too.

The stronger focus on trainer battles — and the sheer variety of Pokemon capable of mega evolving — gives the game more of that classic, Pokemon-centered energy than Pokemon Legends: Arceus ever did. I found myself more excited to see how different Pokemon looked and behaved than to uncover new realms to explore. After all, for all of Lumiose City’s secrets, you’re spending a lot more time roaming one massive location than in any other Pokemon game I can remember. Thankfully, the visual upgrades on the Switch 2 make those Pokemon look fantastic in battle.

I do want to spend more time in Lumiose City, though, and can’t help but wonder if this is a glimpse of how all Pokemon games will keep evolving. It’s hard to say, since Legends games like Z-A and Arceus have been more experimental than the rest of the series. But, like Arceus, Z-A is now one of my favorite Pokemon games on Switch. And on Switch 2, it plays smoother and feels better than any Pokemon game ever has before.

Technologies

iPhone 17 Preorders Spike and Overall Phone Sales Aren’t Slowing Down Despite Tariffs

Global smartphone shipments saw a notable increase in the third quarter of 2025. Plus, preorders for Apple’s new iPhone 17 beat out the iPhone 16.

Despite tariffs and market uncertainty, global smartphone shipments increased 2.6% in the third quarter of 2025, compared to the same time last year, according to the International Data Corporation. Additionally, preorders for the iPhone 17, which launched last month, outpaced last year’s iPhone 16.

These increased sales include premium phones like the latest iPhones and Samsung foldables, suggesting yet again that pricier phones still sell in periods of economic strain. It’s a remarkable achievement, says IDC senior research director Nabila Popal, citing shrewd financing options as the reason people keep buying these high-end phones, which cost anywhere from $800 to nearly $2,000.

«[Phone makers] have mastered the art of innovation not only in hardware and software to entice upgrades but also in removing purchase friction. They have flawlessly combined cutting-edge devices with innovative financing models and aggressive trade-in programs that make the upgrading decision a ‘no-brainer’ for consumers,» Popal said in an IDC press release.

Apple sold 58.6 million iPhones this quarter, an increase of 2.9% over the same period in 2024, with more preorders for the iPhone 17 series than its predecessor. But Samsung wasn’t far behind, with its Galaxy Z Fold 7 and Galaxy Z Flip 7 selling better than all of the company’s prior foldables. The company still reigns atop the phone market with 61.4 million phones sold, representing 19% of the market in the third quarter of this year — an increase of 6.3% from the same period last year. Meanwhile, Apple lands slightly behind Samsung with 18.2% market share this quarter.

The other phone makers trailing Apple and Samsung are, in order: Xiaomi, with 13.5% of the market; Transsion, with 9%; and Vivo with 8.9%. The remaining companies in the phones industry, from Chinese stalwarts like Oppo and Honor to Motorola and Google, make up the remaining 31.4% of the market for the quarter. All told, 322.7 million phones were sold, up from 314.6 million in the third quarter of 2024, according to IDC.

IDC’s findings for the third quarter continue the small but steady growth of phone sales over the year, including a modest 1% increase in the preceding three months — which includes the April deadline when President Donald Trump unveiled sweeping tariffs. In the second quarter, IDC cited midrange devices like Samsung’s Galaxy A36 and other phones that started incorporating AI. But even persistent tariffs haven’t slowed down people’s appetites for pricier phones in the third quarter.

Technologies

Today’s NYT Mini Crossword Answers for Tuesday, Oct. 14

Here are the answers for The New York Times Mini Crossword for Oct. 14.

Looking for the most recent Mini Crossword answer? Click here for today’s Mini Crossword hints, as well as our daily answers and hints for The New York Times Wordle, Strands, Connections and Connections: Sports Edition puzzles.

Today’s Mini Crossword has an odd vertical shape, with an extra Across clue, and only four Down clues. The clues are not terribly difficult, but one or two could be tricky. Read on if you need the answers. And if you could use some hints and guidance for daily solving, check out our Mini Crossword tips.

If you’re looking for today’s Wordle, Connections, Connections: Sports Edition and Strands answers, you can visit CNET’s NYT puzzle hints page.

Read more: Tips and Tricks for Solving The New York Times Mini Crossword

Let’s get to those Mini Crossword clues and answers.