Connect with us

Technologies

What LastPass Subscribers Need to Do After the Latest Breach

It’s time for LastPass subscribers to find a different password manager after the latest data breach.

LastPass, a popular password manager, has suffered a major data breach, compromising customers’ personal information and putting their online passwords at risk.

In late December, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company disclosed in August had eventually led to an unauthorized party stealing customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass that date back to 2011.

It’s also the most alarming.

An unauthorized party was able to gain access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal a copy of customer vault data, which includes unencrypted data like website URLs and encrypted data like the usernames and passwords for all the sites customers have stored in their vaults.

If you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data are at serious risk of being exposed.

What should LastPass subscribers do?

The company didn’t specify how many users were affected by the breach, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.

If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.

With that in mind, here’s what you need to do right now if you’re a LastPass subscriber:

1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.

2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.

3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.

4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).

5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.

LastPass alternatives to consider

  • Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
  • 1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
  • iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.

How did it come to this?

In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»

At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.

On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.

«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»

Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.

However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»

Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.

Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»

However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.

What does all of this mean for LastPass subscribers?

The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe.

If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).

Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.

LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.

Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.

For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.

Technologies

Anthropic Launched New Claude 4 Gen AI Models. Here’s What They Do

The models can now use tools like web searches during extended reasoning tasks.

The latest versions of Anthropic’s Claude generative AI models made their debut Thursday, including a heavier-duty model built specifically for coding and complex tasks.

Anthropic launched the new Claude 4 Opus and Claude 4 Sonnet models during its Code with Claude developer conference, and executives said the new tools mark a significant step forward in terms of reasoning and deep thinking skills.

The company launched the prior model, Claude 3.7 Sonnet, in February. Since then, competing AI developers have also upped their game. OpenAI released GPT-4.1 in April, with an emphasis on an expanded context window, along with the new o3 reasoning model family. Google followed in early May with an updated version of Gemini 2.5 Pro that it said is better at coding.

Claude 4 Opus is a larger, more resource-intensive model built to handle particularly difficult challenges. Anthropic CEO Dario Amodei said test users have seen it quickly handle tasks that might have taken a person several hours to complete. 

«In many ways, as we’re often finding with large models, the benchmarks don’t fully do justice to it,» he said during the keynote event.

Claude 4 Sonnet is a leaner model, with improvements built on Anthropic’s Claude 3.7 Sonnet model. The 3.7 model often had problems with overeagerness and sometimes did more than the person asked it to do, Amodei said. While it’s a less resource-intensive model, it still performs well, he said. 

«It actually does just as well as Opus on some of the coding benchmarks, but I think it’s leaner and more narrowly focused,» Amodei said.

Anthropic said the models have a new capability, still being beta tested, in which they can use tools like web searches while engaged in extended reasoning. The models can alternate between reasoning and using tools to get better responses to complex queries.

The models both offer near-instant response modes and extended thinking modes. 

All of the paid plans offer both Opus and Sonnet models, while the free plan just has the Sonnet model.

Continue Reading

Technologies

Today’s NYT Strands Hints, Answers and Help for May 23, #446

Here are hints and answers for the NYT Strands puzzle No. 446 for May 23.

Looking for the most recent Strands answer? Click here for our daily Strands hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle, Connections and Connections: Sports Edition puzzles.


Today’s NYT Strands puzzle has a humorous title, and if you understand the reference, you’ll know what words to look for. If you need hints and answers, read on.

I go into depth about the rules for Strands in this story. 

If you’re looking for today’s Wordle, Connections and Mini Crossword answers, you can visit CNET’s NYT puzzle hints page.

Read more: NYT Connections Turns 1: These Are the 5 Toughest Puzzles So Far

Hint for today’s Strands puzzle

Today’s Strands theme is: The musical fruit

If that doesn’t help you, here’s a clue: There are magical ones in fairy tales.

Clue words to unlock in-game hints

Your goal is to find hidden words that fit the puzzle’s theme. If you’re stuck, find any words you can. Every time you find three words of four letters or more, Strands will reveal one of the theme words. These are the words I used to get those hints, but any words of four or more letters that you find will work:

  • REEK, GADS, PLAY, PLAYS, PITA, DIAL, FALL, PALL, PALLS, FALLS, GENIE, BEEN, LACK, DENY, NILL.

Answers for today’s Strands puzzle

These are the answers that tie into the theme. The goal of the puzzle is to find them all, including the spangram, a theme word that reaches from one side of the puzzle to the other. When you’ve got all of them (I originally thought there were always eight but learned that the number can vary), every letter on the board will be used. Here are the nonspangram answers:

  • FAVA, NAVY, BLACK, GREEN, PINTO, KIDNEY, CANNELLINI

Today’s Strands spangram

Today’s Strands spangram is BEANSALAD. To find it, start with the B that’s three letters to the right on the top row, and wind down.

Continue Reading

Technologies

The Marvel Rivals Auto Battler Is a Natural Evolution of Hero Shooters

Move over Teamfight Tactics. Marvel Rivals’ new limited-time mode is the perfect addition to the auto battler genre.

Marvel Rivals has been a breath of fresh air for the hero shooter genre, combining popular comic book characters and chaotic third-person shooter action to create epic team fights that keep me coming back for more.

Fast-paced combat is the name of the game in Marvel Rivals, which is why it could come across as a confusing development that the next limited-time mode launching in Marvel Rivals Season 2.5 is a form of auto battler (also frequently referred to as auto chess).

Ultron’s Battle Matrix Protocol is an experimental mode launching on June 6, where six players will draft teams of heroes to go head to head with their opponents’ drafts. You’ll be able to support your AI teams while the new hero Ultron (also debuting in season 2.5) is chipping in extra healing and damage to the fight.

Aside from the fact that it’ll be cool to stage your own version of Marvel Comics’ Secret Wars, is the decision to add an auto battler to Marvel Rivals (which has previously released limited-time modes that mostly tracked with the shooter’s core gameplay loop) really all that far out of left field? I don’t think so.

Why is Marvel Rivals getting an auto battler mode?

The new mode is similar to multiplayer online battle arena spinoffs such as Dota Auto Chess and League of Legends’ Teamfight Tactics. I think drawing the line from a multiplayer online battle arena (MOBA) to auto battler is easy for most people.

MOBAs are strategy games first and foremost, where players pick and choose items to craft builds that will help them win their lane, while also contributing to big team fights. Players need to work together to overwhelm the other team and push them back to their spawn.

MOBAs and auto battlers are both about team synergy, positioning and picking the right upgrades, so it’s not surprising to people when characters from a game in one of these genres appear in another.

There are many people that wouldn’t associate hero shooters with MOBAs in the slightest. Games like Marvel Rivals have a high ceiling for very different mechanical skills — especially aiming. But hero shooters are also complex strategy games that share many of the same fundamentals as a MOBA.

Putting together a viable team composition with strong character is the most important part of a hero shooter — and Marvel Rivals takes this to another level with the strongest team-up abilities that require multiple heroes to activate.

An auto battler will allow people to experiment team compositions that don’t often get played in real Marvel Rivals’ matches, and could even help the community find new experimental hero combinations that have the potential to shake up common ways people play the game.

In Ultron’s Battle Matrix Protocol, as the auto battler mode is called, players will be able to put together balanced teams, lock in the risky GATOR strategy (which is nightmarishly similar to Overwatch’s GOATS meta) or fall back on triple support with brand new upgrades that change how the game works.

Absurd power scaling might look like Overwatch 2’s Stadium mode

There’s a clear rivalry between Overwatch 2 and Marvel Rivals, since they’re the two biggest hero shooters on the market right now. Blizzard’s hero shooter is entering its ninth year of life with flagging interest, but its solid fundamentals have been a high bar for Marvel Rivals to hurdle.

Both games have been trying out bold new things — Overwatch 2 recently shipped the MOBA-like Stadium mode that lets players augment popular abilities and take powerful passives as they fight in a flurry of different objectives in a best of seven gauntlet.

Ultron’s Battle Matrix Protocol in some ways feels like NetEase’s response to Blizzard’s big success with Stadium mode. You might not have quite as much influence on the outcome of each battle, but this serves as a proof of concept for Marvel Rivals’ hero power scaling.

This new mode also lets players pick passive abilities that buff certain roles as well as more powerful hero-specific upgrades that drastically alter the course of a fight, so the snowballing power of a Stadium match is very much emulated here.

In the Season 2.5 developer vision video, we got a look at what some of the upgrades will look like.

Venom can grow into a hulking monster after devouring enemies with his ultimate ability, Hela cuts a swath through the playing field with a field of flying daggers, Psylocke zips around her ultimate ability’s area of effect at twice her normal speed and Namor summons many more squid turrets to attack his enemies.

It’s safe to assume that every character in the game will have some kind of special power unlocked in the later rounds of an Ultron’s Battle Matrix Protocol match. This definitely isn’t NetEase reheating Blizzard’s nachos, but I do think it’s indicative of a broader shift toward making hero shooters feel a little bit more chaotic and unrestrained.

Game balance is important, but one of the biggest draws of this genre is that each character is a unique power fantasy you can’t find elsewhere. I can’t imagine such in-depth upgrades were designed for a one-and-done mode, so it’ll be interesting to see where they might show up next.

Continue Reading

Trending

Copyright © Verum World Media