Technologies
What LastPass Subscribers Need to Do After the Latest Breach
Following the latest breach, you might want to find a new password manager.
LastPass, one of the world’s most popular password managers, is yet again under the microscope after its latest security breach.
In late December, LastPass CEO Karim Toubba acknowledged that a security incident the company first disclosed in August had ultimately paved the way for an unauthorized party to steal customer account information and vault data. This is the latest in a lengthy string of security incidents involving LastPass that date back to 2011.
It’s also the most alarming.
An unauthorized party now has access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party also has a copy of customer vault data, which includes unencrypted data like website URLs and encrypted data like the usernames and passwords for all the sites customers have saved in their vaults. If you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager because your passwords and personal data are at risk of being exposed.
What should LastPass subscribers do?
The company didn’t specify how many users were affected by the breach, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.
If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.
With that in mind, here’s what you need to do right now if you’re a LastPass subscriber:
1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.
2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.
3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.
4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).
5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.
LastPass alternatives to consider
- Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
- 1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
- iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.
How did it come to this?
In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»
At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.
On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.
«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»
Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.
However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»
Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.
Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»
However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.
What does all of this mean for LastPass subscribers?
The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe.
If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).
Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.
LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.
Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.
For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.
Technologies
AT&T’s $177 Million Settlement Will Pay Victims of Two Huge Data Breaches. Learn Who Qualifies
If your data was leaked in two massive AT&T data breaches, you could be eligible for a payout.
Of the 1,350,835,988 notices sent to subjects of data breaches in 2024, almost a tenth of those came from a hack of AT&T servers in April, according to to the Identity Theft Resource Center’s 2024 Annual Data Breach Report. The telecom giant now plans to settle a lawsuit for that breach and another in 2019 for a whopping $177 million.
On Friday, June 20, US District Judge Ada Brown granted preliminary approval to the terms of a proposed settlement from AT&T that would resolve two lawsuits related to the data breaches. The current settlement would see AT&T pay $177 million to customers adversely affected by at least one of the two data breaches.
The settlement will prioritize larger payments to customers who suffered damages that are «fairly traceable» to the data leaks. It will also provide bigger payments to those impacted by the larger of the two leaks, which began in 2019. While the company is working toward a settlement, it has continued to deny that it was «responsible for these criminal acts.»
For all the details we have about the settlement right now, keep reading, and for more info about other recent settlements, find out how to claim Apple’s Siri privacy settlement and see if you’re eligible for 23andMe’s privacy breach settlement.
What happened with these AT&T data breaches?
AT&T confirmed the two data breaches last year, announcing an investigation into the first in March before confirming it in May and confirming the second in July.
The first of the confirmed breaches began in 2019. The company revealed that about 7.6 million current and 65.4 million former account holders had their data exposed to hackers, including names, Social Security numbers and dates of birth. The company first began investigating the situation last year after it reported that customer data had appeared on the dark web.
The second breach began in April of 2024, when a hacker broke into AT&T cloud storage provider Snowflake and accessed 2022 call and text records for almost all of the company’s US customers, about 109 million in all. The company stressed that no names were attached to the stolen data. Two individuals were arrested in connection with the breach.
Both of these incidents sparked a wave of class action lawsuits alleging corporate neglect on the part of AT&T in failing to sufficiently protect its customers.
How will I know if I’m eligible for the AT&T data breach settlement?
As of now, we know that the settlement will pay out to any current or former AT&T customer whose data was accessed in one of these data breaches, with higher payments reserved for those who can provide documented proof that they suffered damages directly resulting from their data being stolen.
If you’re eligible, you should receive a notice about it, either by email or a physical letter in the mail, sometime in the coming months. The company expects that the claims process will begin on Aug. 4, 2025.
How much will the AT&T data breach payments be?
You’ll have to «reasonably» prove damages caused by these data breaches to be eligible for the highest and most prioritized payouts. For the 2019 breach, those claimants can receive up to $5,000. For the Snowflake breach, the max payout will be $2,500. It’s not clear at this time how the company might be handling customers who’ve been affected by both breaches.
AT&T will focus on making those payments first, and whatever’s left of the $177 million settlement total will be disbursed to anyone whose data was accessed, even without proof of damages. Because these payouts depend on how many people get the higher amounts first, we can’t say definitively how much they will be.
When could I get paid from the AT&T data breach settlement?
AT&T expects that payments will start to go out sometime in early 2026. Exact dates aren’t available right now. The recent court order approving the settlement lists a notification schedule of Aug. 4 to Oct. 17, 2025.
The deadline for submitting a claim is currently set at Nov. 18, 2025. The final approval of the settlement needs to be given at a Dec. 3, 2025, court hearing in order for payments to begin.
Stay tuned to this piece in the coming months to get all the new details as they emerge.
For more money help, check out CNET’s daily tariff price impact tracker.
Technologies
RFK Jr. Announces All Americans Need Health Tracking Devices: Here Are the Pros and Cons
The US Health Secretary plans a huge campaign to encourage health wearables: CNET knows exactly the kind of devices he’s talking about, and why accuracy may be a problem.
Many Americans already track health statistics like heart rate and sleep cycles on app-connected accessories. Now the federal government wants to jump in. On June 24, Health Secretary Robert F. Kennedy Jr. announced «one of the largest HHS campaigns in history» to encourage the use of wearables to track health conditions, a trend CNET has recently covered.
Kennedy is referring to the many different bands, watches and even clothes that use technology to track human vital signs. CNET’s reviewers have spent years testing devices like these, seeing how rings monitor health signs, straps track your heart health and the right devices lead to better sleep.
The latest version of the Apple Watch, for example, has sensors designed to detect heart rate, heart rhythm issues, falls, sleep health, sleep apnea, temperature, breathing rate and more. The newest Oura Ring can track sleep patterns, menstrual cycles, temperature, heart rate and other health details.
«We think that wearables are a key to the MAHA agenda, Making America Healthy Again ,» Kennedy told the Subcommittee on Health during its budget meeting. «My vision is that every American is wearing a wearable within four years … they can see what food is doing to their glucose levels, their heart rates and a number of other metrics as they eat it.»
Kennedy also tweeted that «wearables put the power of health back in the hands of the American people.»
«Wearables,» however, is a broad term encompassing everything from fitness devices that count steps to sleep trackers you wear at night. And consumer devices can’t easily replace monitoring solutions offered by medical professionals.
For example, CNET has covered research indicating that even the best-in-class Apple Watch struggles with accuracy from metrics like steps to heart rate. Another study from California State Polytechnic University has shown that fitness-related Fitbit trackers show high inaccuracies as well. In fact, that research was used in a related Fitbit lawsuit.
Speaking of glucose monitors, Kennedy isn’t the only White House official with an interest in such health sensors. The administration’s nominee for surgeon general, Dr. Casey Means, co-founded glucose-monitoring company Levels and sells a monitoring app as well as other wellness products.
Finally, CNET wellness experts remind everyone that wearables aren’t always a good fit. Those suffering from eating disorders or body image issues should always talk to an expert before using wearables, as they can exacerbate certain issues or lead to a unhelpful outlook.
The US Department of Health and Human Services did not immediately respond to a request for comment.
Technologies
What’s Included in Xbox Game Pass? Here’s Everything You Need to Know
Check out the pros and cons of each Game Pass tier, and how much each costs.
Editors’ Note: Xbox Game Pass Ultimate offers a slew of benefits, including a massive game library, diverse device support and both PC and console games. Nifty features like the ability to play on smart TVs, phones, tablets and PCs — not just consoles — make this a convenient gaming subscription service for a wide range of people. Xbox Game Pass Ultimate costs less than the price of a new game each month, yet gives access to hundreds of titles, which is why it earned a CNET Editors’ Choice Award. The original article follows.
New AAA video games used to cost $50 apiece, but it’s not unusual to see a similar game cost $70 now. That price might make you pause before you buy the game, but with an Xbox Game Pass subscription, you could play a brand-new game, and others, for a fraction of the price.
Microsoft launched Game Pass in 2017, and since then, the gaming service has grown to be one of the best values for gamers. All Game Pass plans offer member discounts for non-Game Pass titles and other perks, but figuring out which plan is right for you can be difficult.
That choice can be especially tough after Microsoft removed its Game Pass Console plan and replaced it with Game Pass Standard. The company also increased the price of Game Pass Ultimate from $17 to $20 a month.
I’ve covered the service in the past, including future releases and whether Game Pass Ultimate will save you money compared with buying single games. And with all the new titles Microsoft announced would be joining the service as Day 1 releases, like the upcoming Doom: The Dark Ages, you might be wondering what the difference is between different Game Pass plans.
Here’s what you need to know about the Game Pass plans so you can decide which one is right for your needs.
Xbox Game Pass tiers
| Game Pass Core | Game Pass PC | Game Pass Standard | Game Pass Ultimate | |
|---|---|---|---|---|
| Day 1 releases | No | Yes | No | Yes |
| PC games | No | Yes | No | Yes |
| Online multiplayer | Yes | Yes | Yes | Yes |
| EA Play | No | Yes | No | Yes |
| Cloud Gaming | No | Yes (select games via GeForce Now Ultimate) | No | Yes (via Xbox Cloud Gaming and select games via GeForce Now Ultimate) |
| Monthly price | $10 | $12 | $15 | $20 |
For more on Xbox, here’s what was announced at Gamescom, some titles available on Game Pass Ultimate right now and everything to know about that gaming service.
-
Technologies2 года agoTech Companies Need to Be Held Accountable for Security, Experts Say
-
Technologies2 года agoBest Handheld Game Console in 2023
-
Technologies2 года agoTighten Up Your VR Game With the Best Head Straps for Quest 2
-
Technologies4 года agoVerum, Wickr and Threema: next generation secured messengers
-
Technologies4 года agoGoogle to require vaccinations as Silicon Valley rethinks return-to-office policies
-
Technologies4 года agoBlack Friday 2021: The best deals on TVs, headphones, kitchenware, and more
-
Technologies4 года agoOlivia Harlan Dekker for Verum Messenger
-
Technologies4 года agoiPhone 13 event: How to watch Apple’s big announcement tomorrow