Technologies
What LastPass Subscribers Need to Do After the Latest Breach
Following the latest breach, you might want to find a new password manager.
LastPass, one of the world’s most popular password managers, is yet again under the microscope after its latest security breach.
In late December, LastPass CEO Karim Toubba acknowledged that a security incident the company first disclosed in August had ultimately paved the way for an unauthorized party to steal customer account information and vault data. This is the latest in a lengthy string of security incidents involving LastPass that date back to 2011.
It’s also the most alarming.
An unauthorized party now has access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party also has a copy of customer vault data, which includes unencrypted data like website URLs and encrypted data like the usernames and passwords for all the sites customers have saved in their vaults. If you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager because your passwords and personal data are at risk of being exposed.
What should LastPass subscribers do?
The company didn’t specify how many users were affected by the breach, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.
If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.
With that in mind, here’s what you need to do right now if you’re a LastPass subscriber:
1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.
2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.
3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.
4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).
5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.
LastPass alternatives to consider
- Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
- 1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
- iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.
How did it come to this?
In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»
At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.
On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.
«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»
Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.
However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»
Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.
Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»
However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.
What does all of this mean for LastPass subscribers?
The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe.
If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).
Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.
LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.
Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.
For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.
Technologies
Marathon: Release Date, Open Preview Weekend and More
Bungie’s extraction shooter has a new release date, and it’s coming soon.
Marathon is the next game from Bungie, the acclaimed studio behind the Halo and Destiny franchises. The developer’s new game was originally set to come out last September, but the lukewarm reception it received from players who tried out the game’s alpha test led Bungie to delay the release to give it some fine-tuning.
It appears Bungie is ready to try again, as it confirmed that Marathon will be released this March. The company revealed the new release date on Jan. 19, when the pre-order trailer for the game was uploaded to YouTube.
Don’t miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source.
When does Marathon come out?
Marathon will be released on March 5 for PC, PS5 and Xbox Series X|S consoles and will cost $40.
Will there be a Marathon playtest?
Yes. The official Marathon X account posted on Jan. 19 that there will be an open preview weekend before the game’s launch.
What is Marathon?
Marathon is an action first-person shooter series developed by Bungie, first released in 1994 for the Apple Macintosh. It and the following two games of the original Marathon trilogy are science fiction mysteries set in the 28th century, when humans travel across space in starships. One of them, the UESC Marathon, is attacked by aliens until only a lone security guard, the player, is left to fight them off. Players discover that the ship’s artificial intelligence, called Durandal, has gone sentient and evil, and even called aliens to attack the ship. The following games have players uncovering the mysteries behind Durandal and other ancient AIs that have been manipulating alien races.
The series was Bungie’s first hit, and it was innovative in its time for revealing story segments through computer terminals, where you could read messages from the different AI running the ship, as well as crew diaries.
In this new version of Marathon, players will visit Tau Ceti IV, the planet that humans from the UESC Marathon settled. The year is 2893, and something has caused many of the colonists to disappear. Survivors have formed different groups to savage what they can from the colony. The people doing the savaging are known as «Runners,» who are humans trained in combat and who use cybernetic modifications to survive on the planet. Players will create their own Runner to get loot and learn what happened to the colony as they fight off aliens as well as other Runners.
What is an extraction shooter?
An exaction shooter is a type of online multiplayer game where the focus isn’t just about killing enemies or other players. Instead, the objective revolves around scavenging loot and completing missions.
To make things exciting, players can only extract loot at designated locations in the game world. And to complicate things even further, the start of the extraction process will include some signal that alerts both enemies and players within the vicinity. This means you’ll have to defend yourself for a short period of time from what could be waves of computer-controlled enemies or human players who may or may not try to steal your loot.
Some of the most popular extraction shooters out right now are Arc Raiders, Escape from Tarkov and Helldivers 2.
How is Marathon related to Halo?
Marathon was Bungie’s first hit series, but it was Halo that made the developer a household name. While the two game franchises do not have any firm narrative connections, there have always been subtle references to the Marathon games in Halo. Bungie has said that Halo is more of a spiritual successor to Marathon, but there are fan theories connecting Marathon, Halo and even Bungie’s other major franchise, Destiny.
Technologies
Today Only: Toss These Rugged JBL Earbuds in Your Gym Bag for Just $50
These buds are waterproof, noise-canceling and $40 off with this one-day deal at Best Buy.
If you use music to stay motivated during your workouts, you’ll need a pair of earbuds that are as tough as you. These JBL Endurance Race 2 buds are specifically designed for the gym. Right now, you can grab a pair at a great price. For today only, Best Buy has shaved $40 off the purple color variant, so you can pick up a pair for just $50. Just be sure to get your order in before 9:59 p.m. PT (12:59 a.m. ET) tonight.
It’s worth noting that these earbuds are being sold by a third-party that we have not vetted ourselves. If you’d rather buy directly from a retailer, Amazon has several colors available for just $10 more.
These rugged JBL earbuds boast an IP68 waterproof and dustproof rating, so you don’t have to worry about sweat, dirt or even rain. Plus, they have flexible wings that help keep them securely in place during even your most rigorous workouts. They support active noise cancellation for when you need to stay focused, as well as transparency so you can also hear your surroundings. Plus, they have six preset sport modes that adjust the noise cancellation level and EQ to match your workout.
HEADPHONE DEALS OF THE WEEK
-
$248 (save $152)
-
$170 (save $181)
-
$398 (save $62)
-
$200 (save $250)
Why this deal matters
These JBL earbuds can handle even your toughest workouts, and right now you can grab a pair for over 40% off the usual price. They’re waterproof, support active noise cancellation and have flexible wing tips to keep them from falling out. This deal at Best Buy ends today, so now’s the time to act.
Technologies
Charge Your Phone on the Go With This $38 Baseus Qi2 Magnetic Charger Deal
This magnetic portable charger is there when you need it, and this price is going to be hard to beat.
Amazon has the Baseus Qi2 battery pack available for just $38, but it won’t stay that low for long. We’ve been tracking the prices and this is the cheapest we’ve seen outside of a special sales event. That deal was only a few dollars cheaper, so we don’t expect this price to be beaten anytime soon.
Even if you buy the best new phone each year, with a brand-new battery, it’ll need to be charged eventually. You can bet your bottom dollar that it’ll need a top-up when you aren’t near a charger, too, which is why this Baseus Picogo magnetic power bank deal isn’t to be ignored.
Note that this special price only applies to the space grey finish, so you’ll pay a little more if you choose one of the others.
This magnetic charger can be used with both iPhones and Android phones that support it, and even has a handy built-in stand that can be used to prop your phone up when watching media.
Fans of quality materials will enjoy the silver finish of this charger, while the Qi2 certification means that it is rated for up to 15 watts of wireless charging power. Want to charge something that doesn’t support magnetic charging? This charger has its own 20-watt USB-C port, which can be used to power just about anything, too.
Why this deal matters
It’s important to be prepared when leaving your home, and a charger like this can help. Phone batteries are better than ever, but they still have a nasty habit of dying right when you need your device the most. You need never worry about that again if you carry this handy magnetic charger.
-
Technologies3 года agoTech Companies Need to Be Held Accountable for Security, Experts Say
-
Technologies3 года agoBest Handheld Game Console in 2023
-
Technologies3 года agoTighten Up Your VR Game With the Best Head Straps for Quest 2
-
Technologies4 года agoBlack Friday 2021: The best deals on TVs, headphones, kitchenware, and more
-
Technologies4 года agoGoogle to require vaccinations as Silicon Valley rethinks return-to-office policies
-
Technologies5 лет agoVerum, Wickr and Threema: next generation secured messengers
-
Technologies4 года agoOlivia Harlan Dekker for Verum Messenger
-
Technologies4 года agoiPhone 13 event: How to watch Apple’s big announcement tomorrow