Technologies
What LastPass Subscribers Need to Do After the Latest Breach
It’s time for LastPass subscribers to find a different password manager after the latest data breach.
LastPass, a popular password manager, has suffered a major data breach, compromising customers’ personal information and putting their online passwords at risk.
In late December, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company disclosed in August had eventually led to an unauthorized party stealing customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass that date back to 2011.
It’s also the most alarming.
An unauthorized party was able to gain access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal a copy of customer vault data, which includes unencrypted data like website URLs and encrypted data like the usernames and passwords for all the sites customers have stored in their vaults.
If you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data are at serious risk of being exposed.
What should LastPass subscribers do?
The company didn’t specify how many users were affected by the breach, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.
If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.
With that in mind, here’s what you need to do right now if you’re a LastPass subscriber:
1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.
2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.
3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.
4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).
5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.
LastPass alternatives to consider
- Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
- 1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
- iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.
How did it come to this?
In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»
At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.
On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.
«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»
Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.
However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»
Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.
Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»
However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.
What does all of this mean for LastPass subscribers?
The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe.
If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).
Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.
LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.
Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.
For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.
Technologies
I Used to Tell People Wi-Fi 7 Routers Were a Waste of Money. CNET’s Lab Data Just Proved Me Wrong
Technologies
My Camera Test: Comparing the $499 Pixel 10A With the Galaxy S25 FE, Motorola Edge
The Pixel 10A’s cameras are similar to those on the 9A, but it still performs quite well compared to other phones in its price range.
Google’s $499 Pixel 10A uses nearly the same cameras as last year’s Pixel 9A, but I wanted to see how its photos directly match up to its midrange Android rivals: the $650 Samsung Galaxy S25 FE and the $550 Motorola Edge.
I traveled with all three phones around St. Petersburg, Florida, checking how flexible each was in different environments, from bright outdoor settings to an indoor coffee shop and an evening brewery. All three environments can be challenging for the small image sensors on each phone.
While I find the cameras on all three phones to have different strengths and weaknesses depending on the setting, I’m quite impressed with how the Pixel 10A keeps up. In my tests, the photos include lots of detail, even though certain settings appear to involve a lot of processing to improve them.
Wide and telephoto cameras
Starting with photos taken on the sidewalk in downtown St. Petersburg, I notice that all three phones handle bright sunlight slightly differently, especially how it’s depicted on the street.
For the Pixel 10A, the sun provides a slight exposure mark over the Bay First sign at the top of the frame, but it remains fairly cordoned off to focus on the rest of the streetscape. Zooming in, you can see the Century 21 location, but the street is captured in the most detail, with the phone’s camera maintaining its natural gray color.
For both the Galaxy S25 FE and the Motorola Edge, the sun has a more pronounced effect on the rest of the image. The pavement’s color is notably brighter. I also find both the S25 FE and the Edge have slightly more clarity on the business signs on the Bay First building, including the aforementioned Century 21 logo.
Since the S25 FE and the Edge each include a telephoto camera that supports 3x optical zoom, I took a photo at that zoom with each phone. The Pixel 10A uses digital zoom on the phone’s 48-megapixel wide camera, but a lot of the scene’s detail remains preserved.
The Pixel’s zoom photo provides a clear view of the 7th St N sign, the trees and the plants. However, if you look further back at the next intersection, you’ll notice that the 7th St S sign and the Colony Grill are much harder to see. It’s those smaller details that are captured by the S25 FE and the Edge, both aided by telephoto cameras, making them more visible.
Of the three zoom photo examples, I feel like the S25 FE has the best color reproduction while also retaining details like the signs further back. Even though the photo was taken with the S25 FE’s 8-megapixel telephoto camera rather than its 50-megapixel wide camera, the colors remain complementary when comparing the 1x to the 3x. Meanwhile, the Edge’s 10-megapixel telephoto camera looks quite a bit different from the 50-megapixel wide camera — the whole image has a more yellowish hue.
Ultrawide cameras
Moving inside the Southern Grounds coffee shop, I decided to use the ultrawide cameras to capture my sausage, egg and cheese on toast. The three photos came out wildly different.
The Pixel 10A’s 13-megapixel ultrawide and S25 FE’s 12-megapixel ultrawide have a more balanced set of colors and details, in my opinion. The wheat toast appears lighter in the Pixel’s photo than in the darker hues captured by both the S25 FE and the Edge.
When zooming into my notebook, however, the Pixel and S25 FE captured more of the page markings, details that blur together more in the photo taken by the Edge. While the Edge’s 50-megapixel ultrawide camera is a higher-spec number, I noticed it had a harder time distinguishing toast levels, giving more of it a darker look. If I hadn’t eaten it myself, I’d have thought it was burned based on the Edge’s photo.
Night photography
Moving over to a nighttime setting, I used the three phones to take photos outside of 3 Daughters Brewing. I felt like all three did a decent job at producing the colors of the building, but they differ in how they handle light sources.
Both the Pixel and the S25 FE tone back the glare produced by the various lighting fixtures. Meanwhile, the Edge’s photos show noticeable streaks that dominate the sky. When inspecting the photos more closely, I find that the Galaxy captured a sharper view of the furniture, like in the Connect 4 set next to the blue chairs in the center of the frame. The same details are visible in the Pixel’s and the Edge’s depictions of the scene, but they appear smudgy by comparison.
This type of scene needs to take advantage of a phone’s processing power in order to iron out visibility issues, and I do find that the Edge appears to come up short here in this regard, with a lot of noticeable image noise.
Selfies
Each phone takes selfies with noticeable differences in style and color choices. For this test example, I’m in a well-lit daytime room with natural light from a window. The 12-megapixel front-facing camera on Google’s Pixel 10A brightened up my face as if there was a light in front of me, and captured a decent amount of the details of my hair and face.
The front-facing camera on Samsung’s Galaxy S25 FE shows a noticeably darker color tone, but it still captures a similar shade of orange on the wall behind me. Of the three photos, I felt like the S25 captures the most details, including strands of hair, and defaulted to a closer crop than the other two.
The photos taken by the 50-megapixel selfie camera on the Motorola Edge feel a bit smoothed out. The orange color on the wall is noticeably different from the Pixel and the S25 FE, though it does capture a lot of my face details, from hair strands to the fabric textures on my shirt.
The $499 Pixel 10A camera keeps up and, in some cases, exceeds the detail captured by the slightly more expensive $550 Motorola Edge and $650 Galaxy S25 FE. I’m quite impressed by how the Pixel camera handles colors and low-light environments, but the phone’s processing work sometimes makes scenes appear brighter than they are in real life.
The Galaxy S25 FE is no slouch either, with a third telephoto lens for capturing more detail farther away. While I did find the Motorola Edge to struggle in low light, it is one of the lowest-cost phone options currently available for someone who must have a 3x optical telephoto camera.
But if you can live without the telephoto lens, the Pixel 10A’s low cost and photography abilities will likely be a good fit for most people.
Technologies
Today’s NYT Strands Hints, Answers and Help for March 14 #741
Here are hints and answers for the NYT Strands puzzle for March 14, No. 741.
Looking for the most recent Strands answer? Click here for our daily Strands hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle, Connections and Connections: Sports Edition puzzles.
Does today’s date seem memorable to you? If so, today’s NYT Strands puzzle might be easy. Some of the answers are difficult to unscramble, so if you need hints and answers, read on.
I go into depth about the rules for Strands in this story.
If you’re looking for today’s Wordle, Connections and Mini Crossword answers, you can visit CNET’s NYT puzzle hints page.
Read more: NYT Connections Turns 1: These Are the 5 Toughest Puzzles So Far
Hint for today’s Strands puzzle
Today’s Strands theme is: A math teacher’s favorite dessert.
If that doesn’t help you, here’s a clue: 3.14
Clue words to unlock in-game hints
Your goal is to find hidden words that fit the puzzle’s theme. If you’re stuck, find any words you can. Every time you find three words of four letters or more, Strands will reveal one of the theme words. These are the words I used to get those hints but any words of four or more letters that you find will work:
- RITE, SPIT, TIPS, STAT, STATE, GIVE, RUST, FINE, LAZE, SURE, PEAL
Answers for today’s Strands puzzle
These are the answers that tie into the theme. The goal of the puzzle is to find them all, including the spangram, a theme word that reaches from one side of the puzzle to the other. When you have all of them (I originally thought there were always eight but learned that the number can vary), every letter on the board will be used. Here are the nonspangram answers:
- VENT, CRUST, FRUIT, EDGES, GLAZE, FILLING, LATTICE
Today’s Strands spangram
Today’s Strands spangram is HAPPYPIDAY. To find it, start with the H that’s six rows down and three to the right from the upper-left corner, and make — well, a pie shape.
Toughest Strands puzzles
Here are some of the Strands topics I’ve found to be the toughest.
#1: Dated slang. Maybe you didn’t even use this lingo when it was cool. Toughest word: PHAT.
#2: Thar she blows! I guess marine biologists might ace this one. Toughest word: BALEEN or RIGHT.
#3: Off the hook. Again, it helps to know a lot about sea creatures. Sorry, Charlie. Toughest word: BIGEYE or SKIPJACK.
-
Technologies3 года agoTech Companies Need to Be Held Accountable for Security, Experts Say
-
Technologies3 года agoBest Handheld Game Console in 2023
-
Technologies3 года agoTighten Up Your VR Game With the Best Head Straps for Quest 2
-
Technologies4 года agoBlack Friday 2021: The best deals on TVs, headphones, kitchenware, and more
-
Technologies5 лет agoGoogle to require vaccinations as Silicon Valley rethinks return-to-office policies
-
Technologies5 лет agoVerum, Wickr and Threema: next generation secured messengers
-
Technologies4 года agoOlivia Harlan Dekker for Verum Messenger
-
Technologies5 лет agoiPhone 13 event: How to watch Apple’s big announcement tomorrow