Technologies

What LastPass Subscribers Need to Do After the Latest Breach

Following the latest breach, you might want to find a new password manager.

LastPass, one of the world’s most popular password managers, is yet again under the microscope after its latest security breach.

In late December, LastPass CEO Karim Toubba acknowledged that a security incident the company first disclosed in August had ultimately paved the way for an unauthorized party to steal customer account information and vault data. This is the latest in a lengthy string of security incidents involving LastPass that date back to 2011.

It’s also the most alarming.

An unauthorized party now has access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party also has a copy of customer vault data, which includes unencrypted data like website URLs and encrypted data like the usernames and passwords for all the sites customers have saved in their vaults. If you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager because your passwords and personal data are at risk of being exposed.

What should LastPass subscribers do?

The company didn’t specify how many users were affected by the breach, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.

If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.

With that in mind, here’s what you need to do right now if you’re a LastPass subscriber:

1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.

2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.

3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.

4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).

5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.

LastPass alternatives to consider

Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.

How did it come to this?

In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»

At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.

On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.

«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»

Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.

However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»

Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.

Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»

However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.

What does all of this mean for LastPass subscribers?

The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe.

If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).

Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.

LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.

Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.

For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.

Technologies

Today’s Wordle Hints, Answer and Help for Feb. 1, #1688

Here are hints and the answer for today’s Wordle for Sunday, Feb. 1, No. 1,688.

Looking for the most recent Wordle answer? Click here for today’s Wordle hints, as well as our daily answers and hints for The New York Times Mini Crossword, Connections, Connections: Sports Edition and Strands puzzles.

Today’s Wordle puzzle is a tough one, with some unusual letters. If you need a new starter word, check out our list of which letters show up the most in English words. If you need hints and the answer, read on.

Today’s Wordle hints

Before we show you today’s Wordle answer, we’ll give you some hints. If you don’t want a spoiler, look away now.

Wordle hint No. 1: Repeats

Today’s Wordle answer has no repeated letters.

Wordle hint No. 2: Vowels

Today’s Wordle answer has one vowel and one sometimes vowel.

Wordle hint No. 3: First letter

Today’s Wordle answer begins with S.

Wordle hint No. 4: Last letter

Today’s Wordle answer ends with Y.

Wordle hint No. 5: Meaning

Today’s Wordle answer means full of prickles.

TODAY’S WORDLE ANSWER

Today’s Wordle answer is SPINY.

Yesterday’s Wordle answer

Yesterday’s Wordle answer, Jan. 31, No. 1,687, was ALLOT.

Recent Wordle answers

Jan. 27, No. 1,683: DUSKY

Jan. 28, No. 1,684: CRUEL

Jan. 29, No. 1,685: FLAKY

Jan. 30, No. 1,686: JUMBO

Don’t miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source.

Technologies

Today’s NYT Strands Hints, Answers and Help for Feb. 1 #700

Here are hints and answers for the NYT Strands puzzle for Sunday, Feb. 1, No. 700.

Looking for the most recent Strands answer? Click here for our daily Strands hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle, Connections and Connections: Sports Edition puzzles.

Today’s NYT Strands puzzle is a bit of a challenge. Some of the answers are difficult to unscramble, and a couple are kind of long, so if you need hints and answers, read on.

I go into depth about the rules for Strands in this story.

If you’re looking for today’s Wordle, Connections and Mini Crossword answers, you can visit CNET’s NYT puzzle hints page.

Read more: NYT Connections Turns 1: These Are the 5 Toughest Puzzles So Far

Hint for today’s Strands puzzle

Today’s Strands theme is: It’s a gift.

If that doesn’t help you, here’s a clue: For me, really?

Clue words to unlock in-game hints

Your goal is to find hidden words that fit the puzzle’s theme. If you’re stuck, find any words you can. Every time you find three words of four letters or more, Strands will reveal one of the theme words. These are the words I used to get those hints but any words of four or more letters that you find will work:

BONE, GONE, BONNET, NOTE, PRIDE, RING, TING, SENT, RENT, WARD, DRAW, SEEN, SEER, TORE, RANT, TRYING, DONATE, SIRE

Answers for today’s Strands puzzle

These are the answers that tie into the theme. The goal of the puzzle is to find them all, including the spangram, a theme word that reaches from one side of the puzzle to the other. When you have all of them (I originally thought there were always eight but learned that the number can vary), every letter on the board will be used. Here are the nonspangram answers:

AWARD, BONUS, GRANT, PRESENT, DONATION, OFFERING

Today’s Strands spangram

Today’s Strands spangram is GENEROSITY. To find it, start with the G that’s three letters to the right on the top row, and wind down.

Don’t miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source.

Technologies

I Tested the New AirTag and Found That Apple More Than Doubled Its Range

Review: Apple’s «AirTag 2» gets better at its job. The familiar white and chrome disc is a little louder, higher-pitched and easier to find.

While nearly everyone I know has been freezing and shoveling snow, I spent the past few days under San Francisco’s sunny skies, hiding and finding Apple’s new AirTag. I’m happy to report that it succeeded at its main job: I was able to locate it every time. The second-generation Bluetooth tracker looks and acts identical to the original AirTag, which debuted in 2021, but internal upgrades make it even easier to find.

Over the past five years, the AirTag has become a popular way to track your luggage, keys, car, bike, pets (though you really shouldn’t clip one to Mr. Cupcakes) and nearly anything else you can attach the tiny white and silver disc to. The AirTag also sparked a conversation about privacy, specifically around Apple’s built-in safeguards that prevent it from being used to track someone unwillingly. Apple later expanded those features to protect both iPhone and Android phone owners.

Do we really need a new AirTag? No. But its new features are nice.

This isn’t your typical yearly tech upgrade, like a new phone with a faster processor. The first AirTag is already great. Yeah, it has shortcomings, like not having a hole for a key ring, which forces you to buy a holder to attach it to things. But its best feature is Apple’s Find My network, an encrypted, invisible service connecting over 1 billion devices, including iPhones, Macs and trackers. The AirTag is your key to the Find My kingdom.

In my time testing the second-gen AirTag, I discovered that the latest iteration is also great. It has shortcomings like that missing key ring hole, but the Find My network is still the star. Apple improved the tracker’s ability to be found. The chime is higher-pitched and louder.

When trying to locate it in the Find My app, Precision Finding picked up the new AirTag over twice as far away as it did the old AirTag. The AirTag 2, as we’ve nicknamed it, also supports Precision Finding on my Apple Watch, though setting it up isn’t straightforward.

The second-gen AirTag is on sale now: $29 for one and $99 for a four-pack. And just like the OG version, if you order online directly from Apple, you can get it engraved.

AirTag 1 vs. AirTag 2

When I first unboxed the second-gen AirTag, I was surprised to see that it had the same bulbous Mento design as the original. This allows the new AirTag to be used with the gazillion accessories people already have. But there are differences. The white shell’s resin is now made of 85% recycled plastic. I’m curious to see whether the white casing scuffs as easily as the original.

(That fine print etched on the back? That’s how you can identify a second-gen AirTag from an original: The new one has its text printed in ALL CAPS — except «AirTag,» because Apple presumably wants to keep the intercap.)

If you have the original AirTag, there’s no reason to get rid of it and buy the new version. I can see swapping out an existing AirTag with a second-gen one if you frequently use Precision Finding for important items like keys and everyday bags — and especially if you want to access that feature on your Apple Watch.

If you can choose between the second-gen AirTag and the first-gen model at a discount, I’d go with the discounted original for most items. The first AirTag model does nearly everything the new one can do.

The new AirTag can be found farther away

The new tracker has upgraded Bluetooth connectivity, making it more discoverable to nearby iPhones, which can piggyback its location information anonymously back to its owner. A second-generation Ultra Wideband chip gives the new AirTag a longer range for Precision Finding.

CNET’s Social Media Producer Faith Chihil and I made the trek to Salesforce Park, a green space atop a San Francisco bus station, to run an AirTag test. I gave Faith my old AirTag that I use for traveling, aptly named Patrick’s Luggage, and the new one, named New AirTag. I then walked a few hundred feet away and opened the Find My app on my iPhone 17 Pro Max. I looked for the New AirTag first. I hit the Find button and then got to walking. My iPhone started picking it up 110 feet away. The green «you’re going the right way» screen with an arrow appeared 85 feet away from the new AirTag.

I repeated the test with the Patrick’s Luggage AirTag, and my iPhone started picking it up 42 feet away, and the green screen appeared 37 feet away. In this simple test, the second-gen AirTag was findable at over twice the distance away as my first-gen Apple tracker.

I should note that there are a lot of factors that come into play when trying to find your AirTag. Our range testing was done around lunchtime, so there were a lot of people with iPhones walking by to pick up the tag’s initial location so that my phone could use the Find My network to zero in on it. Also, we were outdoors along a walking path, so we didn’t have walls, rugs or furniture to contend with for the Precision Finding.

The new AirTag supports Precision Finding on the Apple Watch

The second-gen Ultra Wideband chip on the new AirTag also supports Precision Finding for the first time on certain Apple Watch models running WatchOS 26.2.1 or later:

Apple Watch Series 9
Apple Watch Series 10
Apple Watch Series 11
Apple Watch Ultra 2
Apple Watch Ultra 3

But getting it set up isn’t straightforward.

To use Precision Finding on the iPhone, you go to the Items tab in the Find My app and select your AirTag. But when I went to the Find Items app on the watch, I could select the new AirTag, but there wasn’t a Precision Finding option.

A quick online search later, I found an Apple Support page that explained how the Apple Watch uses the Control Center to do it. I had to add a new Find Items button, called Find AirTag, to the Control Center and then tap it to put my watch into Precision Finding mode. Indoors, it found my AirTag from 65 feet away. It might go farther, but our office isn’t that big.

My Apple Watch doesn’t have cellular data, so when I was indoors on Wi-Fi, it worked fantastic. When I was outdoors, connected to my iPhone, it worked mostly fine, but at times it took longer to update my AirTag’s location.

The new AirTag is louder

If you’ve ever used the AirTag’s Play Sound feature through the iPhone’s Find My app, you know that Apple «I’m over here» chime. The new AirTag plays the same tune but is higher-pitched and louder, making it easier to find.

I tested the second-gen AirTag’s chime against the first one using an iPhone audio meter app (not the most scientific, but I wanted to visualize the difference). The original AirTag’s chime peaked at 67.3 dBA, while the new AirTag’s hit 77.5 dBA, more than twice as loud as the old model (remember, decibels are logarithmic).

The new AirTag final thoughts

When I set out to test the AirTag, I was concerned there wouldn’t be much to talk about. But after my time with it, I’ve discovered a lot to share. Namely, I’m a fan. I was already a fan of the first one, and that’s the key. Apple kept all the best aspects of the original AirTag while adding slight improvements. There was no dramatic redesign or price increase. It’s just the familiar white and chrome disc that is a little louder, higher-pitched and easier to find from quite a bit farther away.

I know some people hoped Apple would launch a credit card-style AirTag or one in different colors. It seems that Apple is more than happy to have other companies do that and participate in its Works with Apple Find My program. And I’m OK with that, too.