Technologies

What LastPass Subscribers Need to Do After the Latest Breach

It’s time for LastPass subscribers to find a different password manager after the latest data breach.

LastPass, a popular password manager, has suffered a major data breach, compromising customers’ personal information and putting their online passwords at risk.

In late December, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company disclosed in August had eventually led to an unauthorized party stealing customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass that date back to 2011.

It’s also the most alarming.

An unauthorized party was able to gain access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal a copy of customer vault data, which includes unencrypted data like website URLs and encrypted data like the usernames and passwords for all the sites customers have stored in their vaults.

If you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data are at serious risk of being exposed.

What should LastPass subscribers do?

The company didn’t specify how many users were affected by the breach, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.

If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.

With that in mind, here’s what you need to do right now if you’re a LastPass subscriber:

1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.

2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.

3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.

4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).

5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.

LastPass alternatives to consider

Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.

How did it come to this?

In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»

At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.

On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.

«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»

Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.

However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»

Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.

Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»

However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.

What does all of this mean for LastPass subscribers?

The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe.

If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).

Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.

LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.

Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.

For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.

Technologies

Need Gift Ideas? Google’s Holiday 100 Shopping List Includes Switch 2, Home Movie Projectors

You can shell out hundreds for a new gaming console or spend less on classic games and backpack charms.

The spooky season has just ended, and Google is already turning its attention to holiday shopping. The search giant just released its annual list of 100 top holiday gift ideas based on the hottest trends of 2025.

The Google Holiday 100 list is an annual shopping guide compiled from searches for various products conducted between May and September. Using that data, Google creates a catalog of the year’s top trending gift ideas across various industries, including tech, toys, fashion and wellness. You can view the entire Google Holiday 100 list here.

Don’t miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source.

Nintendo Switch 2

This year’s breakaway technology hit was the Switch 2, Nintendo’s latest family-friendly video games console. Unsurprisingly, it appears on 2025’s Holiday 100 list. The console was released in June and has sold more than 10 million units thus far, with Nintendo hiking up sales expectations even among uncertain economic conditions and tariff pricing.

Google Pixel Watch 4

The Google Pixel Watch 4 is a standout wearable that made the Holiday 100 list. Its inclusion isn’t just Google stuffing its own product into a list. If you’re buying a gift for fitness-focused folks, CNET’s Vanessa Hand Orellana wrote that the latest iteration of Google’s smartwatch «hits a sweet spot between universally appealing design, seamless compatibility with the Android ecosystem, potentially life-saving safety features and robust health and fitness tracking.»

Red-light face masks

Your algorithm may have served you up a boatload of red light therapy content from health and beauty influencers this year. Search volume for red light masks has spiked in the past few months, so the LED masks have been included in the Holiday 100 buying guide this year. Just make sure to purchase one of the best FDA-approved masks.

Movie projectors to backpack charms

If you’re looking for gifts across other categories, Google has some top 2025 searches for big and small. Home theaters are apparently in this year, as searches for movie projectors spiked by a whopping 945%. Searches for backpack charms also hit an all-time high this year, so those are a safe bet for stocking stuffing for any young kids.

Checkers (the actual board game)

Even though many gifts given out at Christmas this year will surely be high-tech gadgets and accessories, the board game of checkers is also on the list. There’s always room for the classics.

As you prepare for the Herculean task of yearly holiday shopping, Google’s Holiday 100 is a good place to start. But if you’re looking to beat the crowd on the best tech deals around, CNET is already collecting pre-Black Friday deals.

Technologies

Look Up Tonight to Spot November’s Supermoon, the Brightest Moon of 2025

Has the moon been looking brighter and bigger to you for the past few days? Here’s why this month’s supermoon is even more super.

It’s already a great month for skygazers, with a trio of meteor showers and the return of the northern hemisphere winter constellations. On Tuesday night, it also features the second of four supermoons in a row. This month’s supermoon will happen on Nov. 4-5, and November’s beaver moon is special because it’ll be the brightest full moon of 2025.

In addition to being a supermoon, November’s full moon is known as the beaver moon. There is some debate as to why it was named this way. Some believe that this was the best time of year in the old days to set beaver traps to get pelts for winter clothing. Others believe that it coincides with the busiest part of the year for beavers, who are now stocking their lodges with supplies for the upcoming winter.

Here’s what time it’ll look its biggest and brightest, and what else you need to know about the November supermoon.

Don’t miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source.

The brightest supermoon: When’s the best time to see it?

The moon will reach peak illumination at 8:19 a.m. ET on Nov. 5, making the evening of Nov. 4 and the morning of Nov. 5 the best times to view the moon.

Since moon phases shift slowly, the moon will appear almost full for nearly a week. If you are unable to view the full moon on its best night due to weather or other reasons, you can still see a mostly full moon at any point from Nov. 3 to Nov. 8.

For all of those days, the moon will be measurably brighter in the night sky compared to any other full moon in 2025. The reason for this is because of the moon’s elliptical orbit. Since it’s not a perfect circle, the moon’s 27.3-day journey around the Earth brings it closer to us on some days, a phenomenon known as perigee. If there is a full moon during this time, it’s branded as a «perigean full moon,» which you may know better as a supermoon.

Not all supermoons are equal, and November’s will be a little more special than others. According to The Farmer’s Almanac, the beaver moon will be a scant 221,817 miles away from Earth, making it the closest full moon of the year. That means it’ll be the biggest and brightest of the year.

In practice, the differences are fairly minor and likely won’t be visible to the naked eye when compared side by side to other supermoons. A supermoon is only about 7% larger than a regular full moon. According to NASA, the biggest difference is when comparing a supermoon to a micromoon, where a supermoon will be about 14% larger and 30% brighter. So, if you notice that your backyard patio is lit up more than usual, it’s because of the supermoon.

Also due to the moon’s orbit, November will also bring a micro new moon, which means the moon will be as far away from the Earth as it can get — a phenomenon known as apogee. November’s new moon occurs on Nov. 20, but you won’t be able to see it.

Technologies

Stay Informed About Your Flights This Holiday Season With Your iPhone’s Tracker

Your iPhone is hiding a flight tracker. Here’s how it works.

Thanksgiving is only a few short weeks away and if you plan on flying during the holiday season, keeping up-to-date on changes to your flights is crucial. Airports can be hectic during any holiday, but with the government shutdown continuing, flights are liable to change or be cancelled more often.

Luckily, it’s never been easier to get up-to-date information about your flight. For starters, your airline probably has an app, and if not, you can check its website. If you’re in a hurry, you can Google the flight number. Or you can just use your iPhone’s built-in flight tracker that’s sneakily tucked away.

That’s right: Your iPhone has a flight tracker that you may have never known about. It’s there for when it’s needed. Below, we’ll show you have to access it in not one, but two places, so you never have to go hunting for your flight info elsewhere again.

Don’t miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source on Chrome.

For more on the iPhone, check out everything Apple announced at WWDC 2025.

How to track your flight via iMessage

Before we start, there are a few prerequisites you must meet:

Make sure iMessage is enabled (it doesn’t work with SMS/MMS).
You’ll need your flight number somewhere in your text messages, whether you’ve sent that information to someone (even yourself) or it’s been sent to you.
The flight number must be sent in this format: [Airline] [Flight number], for example, American Airlines 9707.

Launch the native Messages app on your iPhone and open the text message thread that contains your flight information. You’ll know the flight tracker feature works when the text with the flight information appears underlined, which means it’s actionable and you can tap on it.

If your flight is still several months away or it’s already passed, you might see a message that says, «Flight information unavailable.» You might also see another flight that’s not yours because airlines recycle flight numbers.

You can check your flight status from Spotlight Search, too

If getting your flight information from Messages wasn’t easy enough, you can also grab the details right from your iPhone’s home screen by swiping down and adding your flight number into Spotlight Search. Even better, this works with Spotlight Search on your Mac computer, too.

How to access the hidden flight tracker

Although the airline name/flight number format highlighted above is the best way to go, there are other texting options that will lead you to the same result. So let’s say we stick with American Airlines 9707, other options that may bring up the flight tracker include:

AmericanAirlines9707 (no spaces)
AmericanAirlines 9707 (only one space)
AA9707 (airline name is abbreviated and no space)
AA 9707 (abbreviated and space)

I would suggest you keep the airline name spelled out completely and add a space between the two pieces of information — like in the previous section — because for some airlines, these alternative options may not work.

Real-time flight tracking

Once everything is set, tap on the flight information in your text messages. If the feature works correctly, you should see the following two options appear in a quick-action menu:

Preview Flight: View the flight’s details. Tap this to view more information about the flight.
Copy Flight Code: Copy the flight code to your clipboard (in case you want to send your flight details to someone else via text or email).

If you select Preview Flight, at the top of the window, you’ll see the best part of this feature: a real-time flight tracker map. A line will connect the two destinations, and a tiny airplane will move between them, indicating where the flight is at that exact moment.

Underneath the map, you’ll see important flight information: