Technologies
What LastPass Subscribers Need to Do After the Latest Breach
Following the latest breach, you might want to find a new password manager.
LastPass, one of the world’s most popular password managers, is yet again under the microscope after its latest security breach.
In late December, LastPass CEO Karim Toubba acknowledged that a security incident the company first disclosed in August had ultimately paved the way for an unauthorized party to steal customer account information and vault data. This is the latest in a lengthy string of security incidents involving LastPass that date back to 2011.
It’s also the most alarming.
An unauthorized party now has access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party also has a copy of customer vault data, which includes unencrypted data like website URLs and encrypted data like the usernames and passwords for all the sites customers have saved in their vaults. If you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager because your passwords and personal data are at risk of being exposed.
What should LastPass subscribers do?
The company didn’t specify how many users were affected by the breach, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.
If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.
With that in mind, here’s what you need to do right now if you’re a LastPass subscriber:
1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.
2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.
3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.
4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).
5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.
LastPass alternatives to consider
- Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
- 1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
- iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.
How did it come to this?
In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»
At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.
On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.
«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»
Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.
However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»
Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.
Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»
However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.
What does all of this mean for LastPass subscribers?
The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe.
If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).
Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.
LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.
Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.
For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.
Technologies
Tariffs or Not, I’m Still Glad I Bought an iPhone 16 Pro Before Summer
Technologies
Today’s NYT Mini Crossword Answers for Saturday, May 17
Here are the answers for The New York Times Mini Crossword for May 17.
Looking for the most recent Mini Crossword answer? Click here for today’s Mini Crossword hints, as well as our daily answers and hints for The New York Times Wordle, Strands, Connections and Connections: Sports Edition puzzles.
Today’s NYT Mini Crossword has a goofy shape, but it’s pretty easy to solve. 6-Down mystified me, but the other answers helped me fill it in. Need some help with today’s Mini Crossword? Read on. And if you could use some hints and guidance for daily solving, check out our Mini Crossword tips.
The Mini Crossword is just one of many games in the Times’ games collection. If you’re looking for today’s Wordle, Connections, Connections: Sports Edition and Strands answers, you can visit CNET’s NYT puzzle hints page.
Read more: Tips and Tricks for Solving The New York Times Mini Crossword
Let’s get at those Mini Crossword clues and answers.
Mini across clues and answers
1A clue: «Link in ___» (promotional catchphrase on social media)
Answer: BIO
4A clue: They’re ground in a coffee grinder
Answer: BEANS
6A clue: Bike riders’ headwear
Answer: HELMETS
8A clue: Variety of tomato whose name is also a meat
Answer: BEEFSTEAK
10A clue: Shoe spec that describes this puzzle?
Answer: EXTRAWIDE
11A clue: «Cha-ching, nothin’ to it!»
Answer: EASYMONEY
Mini down clues and answers
1D clue: Church spot where bats hang out
Answer: BELFRY
2D clue: The first three words of «Green Eggs and Ham,» straight from the narrator
Answer: IAMSAM
3D clue: Boxing punch combo
Answer: ONETWO
4D clue: Purple slices in a salad
Answer: BEETS
5D clue: Oktoberfest glass
Answer: STEIN
6D clue: Prefix with decimal, in coding
Answer: HEXA
7D clue: One-named hit singer with 1985’s «Smooth Operator»
Answer: SADE
8D clue: Spelling ___
Answer: BEE
9D clue: Paper with the answers
Answer: KEY
How to play more Mini Crosswords
The New York Times Games section offers a large number of online games, but only some of them are free for all to play. You can play the current day’s Mini Crossword for free, but you’ll need a subscription to the Times Games section to play older puzzles from the archives.
Technologies
I’m Putting Apple AirTags in Every Suitcase I Own, and They’re on Sale Now at Amazon
I track everything from keys to cars using Apple AirTags. And now that you can get a four-pack for almost $20 off at both Amazon and Best Buy, it’s a good time to stock up.
I knew something was wrong as I stood at the baggage carousel after a return flight from France and my trusty rolling suitcase was nowhere to be seen, even as my fellow passengers collected their bags one by one. My suitcase never did drop onto the carousel that day.
However, I knew there was no reason to panic. Before handing over my suitcase at check-in at the Charles de Gaulle Airport, I had tucked a sophisticated little tracking device into it. So, with just a few taps on my iPhone, I could see that my bag had apparently never left Paris. (Merde!)
Over the years, I’ve come to rely on Apple’s AirTags to keep track of just about all my easy-to-lose valuables. They’re not only good for suitcases; I also use them to track keys, bikes and even my car. I tell everyone who will listen that you can never have too many of these handy devices. That’s why I think it’s worth taking full advantage of sales at both Amazon and Best Buy that slash the price of a four-pack of AirTags down to $80.
Here’s how the Apple AirTag that was in my suitcase on that fateful trip works. It uses an ingenious method of tracking itself, detecting its location from nearby iPhones and using them to anonymously piggyback the coordinates to a secure server where I could look it up on my iPhone. Until just a few years ago, this would have seemed like a scene straight out of a spy movie.
Hey, did you know? CNET Deals texts are free, easy and save you money.
Instead of wondering if my belongings were stuck on an abandoned luggage cart or strewn across the tarmac, I could see in almost real time that my suitcase was still chilling at Charles de Gaulle airport in Paris. I was able to calmly tell the airline my bag didn’t make the flight, and it made arrangements to have it delivered to me a few days later.
HEADPHONE DEALS OF THE WEEK
-
$170 (save $181)
-
$349 (save $100)
-
$298 (save $50)
Apple AirTags are all about peace of mind
By itself, an AirTag isn’t much. A 1.26-inch smooth round puck that looks like a glossy white breath mint, it sinks to the bottom of a bag or dangles from a key chain (with a compatible key ring, sold separately). It’s meant to disappear.
Activating the AirTag was a simple process of pairing with my iPhone. And then, because it obviously doesn’t really do anything out of the box, I forgot about it.
But the next time I couldn’t find my keys? Sorcery. My iPhone didn’t just tell me they were somewhere nearby — it walked me directly to them, thanks to the AirTag’s built-in Ultra Wideband chip. Suddenly, all that time I’d spent retracing my steps and overturning couch cushions in the past felt like ancient history.
Now I have AirTags in or attached to every significant item I’d want to keep track of: My everyday laptop bag, my camera backpack, the suitcase I use most when traveling, my key chain, my car and a smaller sling bag I take on walks. I can pull up the Find My app on any of my Apple devices (or sign in to iCloud on any web browser) and see where my items are and the last time the AirTags registered their locations.
AirTags aren’t just for my everyday items. People I know in the movie business tell me that AirTags are tossed into nearly every bag and Pelican crate, not solely to ensure that the valuable equipment inside doesn’t walk away but to quickly differentiate equipment amid similar looking containers. Some of my friends also attach AirTags to their pets’ collars (though experts say there are better ways to track pets).
AirTags are also useful for things that you want to keep close by
Being able to detect my luggage a continent away provided a sense of relief, to be sure. But at the local level, my AirTags will also trigger an alert when I get too far away from them. For example, if I accidentally forget my camera bag in the car when I stop somewhere for lunch, a Find My notification appears telling me I’ve left it behind. It works the same for newer AirPods models as well.
Sharing is now a big part of AirTag tracking
My family has two cars, and I wanted to be able to track them both. But it used to be inconvenient to pair the AirTag in the car my wife drives to her iPhone (and the one in my car to my iPhone).
To guard against unwanted tracking, an AirTag will notify nearby iPhones of its existence, so whenever I drove my wife’s car without her in it, I got a notification that an AirTag was traveling with me. (If the owner is near the AirTag, the alert does not appear.)
However, ever since the release of iOS 17, AirTags are shareable, which solves this problem. I shared my AirTag with my wife, and she with me, so regardless of which car I’m driving, I can find it more easily in a crowded parking lot without getting constant, unnecessary alerts.
A new feature to AirTags that arrived with iOS 18.2 is the ability to temporarily share an AirTag’s location with someone I trust. In my luggage example above, if the suitcase was in the airport with me, but the airport’s staff hadn’t yet been able to locate it (not uncommon during peak travel times), I could share its location with an attendant who could quickly retrieve it from areas inaccessible to the public.
Apple AirTag specs
- Diameter: 1.26 inches (31.9 mm)
- Height: 0.31 inches (8 mm)
- Weight: 0.39 ounces (11 g)
- Splash, water and dust resistance: Rated IP67 (maximum depth of 1 meter up to 30 minutes)
- Connectivity: Bluetooth 5.0
- Battery: Replaceable CR2032 coin cell battery
The only minor annoyance about AirTags
An AirTag includes Bluetooth, the U1 Ultra Wideband chip and an NFC chip to share basic details when it’s in Lost Mode. That’s all powered by a CR2032 coin cell battery, which in my experience lasts roughly a year before I need to replace it.
I get notified when a battery is starting to get low, although there’s no gauge to see how much is left until it goes into the red. And it’s easy to change batteries. But my small fleet of AirTags means I need to swap multiple ones each year. I buy them in packs of 20 that I slowly work through.
AirTags also make great gifts
Apple AirTags consistently appear in our gift guides throughout the year because you can always find another use for one. They’re often reduced in price when sold in packs of four. And there’s an ever-growing ecosystem of ways to mount them, from sturdy vaults that adhere to a car to discrete fabric holders that will keep your favorite classic bomber jacket from flying away. Whenever I show someone how I use AirTags on a bag or keychain, I kind of wish I had a pocket of AirTags to hand out because once someone sees how it works, they’re sold.
Looking to save on more things that’ll make your life easier? Check out our roundup of all the best early Memorial Day deals going on now. We’ve also gathered all the best AirTag accessories of 2025 from across the web so you can get the most use out of them.
-
Technologies2 года agoTech Companies Need to Be Held Accountable for Security, Experts Say
-
Technologies2 года agoBest Handheld Game Console in 2023
-
Technologies2 года agoTighten Up Your VR Game With the Best Head Straps for Quest 2
-
Technologies4 года agoVerum, Wickr and Threema: next generation secured messengers
-
Technologies4 года agoGoogle to require vaccinations as Silicon Valley rethinks return-to-office policies
-
Technologies4 года agoOlivia Harlan Dekker for Verum Messenger
-
Technologies4 года agoBlack Friday 2021: The best deals on TVs, headphones, kitchenware, and more
-
Technologies4 года agoiPhone 13 event: How to watch Apple’s big announcement tomorrow