Technologies
What LastPass Subscribers Need to Do After the Latest Breach
It’s time for LastPass subscribers to find a different password manager after the latest data breach.
LastPass, a popular password manager, has suffered a major data breach, compromising customers’ personal information and putting their online passwords at risk.
In late December, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company disclosed in August had eventually led to an unauthorized party stealing customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass that date back to 2011.
It’s also the most alarming.
An unauthorized party was able to gain access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal a copy of customer vault data, which includes unencrypted data like website URLs and encrypted data like the usernames and passwords for all the sites customers have stored in their vaults.
If you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data are at serious risk of being exposed.
What should LastPass subscribers do?
The company didn’t specify how many users were affected by the breach, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.
If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.
With that in mind, here’s what you need to do right now if you’re a LastPass subscriber:
1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.
2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.
3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.
4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).
5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.
LastPass alternatives to consider
- Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
- 1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
- iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.
How did it come to this?
In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»
At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.
On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.
«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»
Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.
However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»
Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.
Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»
However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.
What does all of this mean for LastPass subscribers?
The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe.
If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).
Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.
LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.
Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.
For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.
Technologies
Memorial Day Deal: My All-Time Favorite Headphones for the Outdoors Are 31% Off Now
If I’m walking or working out outside, the Shokz OpenFit wireless headphones are the ones I turn to, and you can get them for $125 during Amazon’s Memorial Day sale.
For anyone who walks, runs, cycles or does just about anything outside on a regular basis, I always give the same piece of advice: Ditch those noise-canceling headphones. Don’t get me wrong. I have a pair of big over-the-ear headphones that have spectacular noise cancellation, and I love them. But when I’m outside — especially if I’m close to fast-moving cars and heavy traffic — I need to be able to hear the world around me and not just my music or whatever podcast I’m bingeing at the moment. In those cases, I want something like the OpenFit true wireless headphones from Shokz.
I love a good pair of headphones, but I don’t love spending a ton of money on them. My threshold is about $100, which is why when all of my cycling friends started raving about bone-conduction headphones a few years back, I was more than a little hesitant because I would probably only use them when working out. However, now is a great time to get in on this innovative headphone technology.
The Shokz OpenFit headphones are currently marked down to $125, an 31% discount, thanks to Amazon’s Memorial Day sale. These headphones are designed to be used in places where bone conduction may not be enough, and as a result, I’m rarely seen without mine on. You can grab these headphones at a great price in both black and beige.
A week after I picked these up, I was nearly sideswiped by a pickup truck, and the only thing that saved me was hearing it come up behind me. There’s a reason these are recommended on our list of the best running headphones you can buy.
If you’re looking for outdoor-friendly workout headphones, my first recommendation is always Shokz, formerly known as Aftershokz. Bone-conduction headphones sit just outside your ear, resting on the bone. Music vibrates through a set of pads into your skull, and you hear those sounds as if they’re coming from a speaker a few feet away.
You can hear everything you’re listening to on your phone without interrupting the sounds coming from the rest of the world around you. For cyclists and runners — really anyone who does anything outside — this is a game-changing experience. It’s more accurate and pleasing than normal headphones with «passthrough mode,» and you sacrifice very little in audio quality.
My favorite bone-conduction headphones — and I’ve tried them all — are the OpenRun Pro headphones from Shokz. They’re waterproof (which means they’re easy to clean when I’m all sweaty), the battery lasts me about 7 hours on a charge (perfect for those 70-mile riding days), and they’re comfortable enough that I can wear them all day and not feel them pressing on me. They charge magnetically with a proprietary charger, but Shokz includes two cables in the box in case you lose things as I do.
If these headphones are a little rich for your blood, no worries. Shokz also has cheaper OpenRun and OpenMove bone-conduction headphones with up to 6 hours of battery life and IP55 dust and water resistance. Whether you’re physically active outdoors or you just like exploring new things, I highly recommend giving these headphones a try.
HEADPHONE DEALS OF THE WEEK
-
$200 (save $151)
-
$229 (save $120)
-
$298 (save $102)
The Shokz OpenMove make a great gift for an outdoor runner
The Shokz make a great gift, either for yourself or the outdoor runner in your life. Not only are they the best of their kind, but gifting these to a runner may also give you some peace of mind to know they’re a little safer when they’re out running alongside busy streets or other high-traffic areas.
If you’re looking for other gift ideas, check out our roundup of the best Father’s Day gifts or the best gifts for grads. For more discounted tech, check out the best Memorial Day deals going on now and our running list of the best headphone deals.
Technologies
Apple’s AI Smart Glasses to Arrive in 2026, According to Report
The iPhone and Vision Pro maker is playing catchup with Meta and Google.
Apple’s take on smart glasses could arrive next year, according to a report from Bloomberg on Thursday. While the description of the specs sound a lot like what Meta and Google are doing in that area, Apple has a reputation for fashion-forward and iconic products that could help set it apart as it plays catchup.
The glasses are expected to ship late in 2026 with cameras, microphones and speakers, as well as multimodal AI that could respond to requests via Siri and that can «see» and analyze the environment of the wearer, Bloomberg reported.
The report comes just two days after Google’s I/O conference, where the company revealed more details about its Android XR platform, alongside partners including Warby Parker, for creating smart glasses offerings.
The smart glasses from Apple would be distinct from the company’s Vision Pro VR headset, a well-reviewed but bulky and expensive product that has failed to catch on with consumers.
The Bloomberg report also said that Apple is scrapping plans to put a camera in its Apple Watch devices.
Apple did not immediately respond to CNET’s request for comment.
Will Apple’s smart glasses just be more of the same?
According to the report, Apple’s smart glasses will ship with cameras, microphones and speakers, all of which are necessary for the rumored AI feature expected to come from them. The wearer will be able to perform several actions you can do on a smartphone today, like controlling music playback and asking Siri questions.
However, the AI smarts will kick it up by being able to see what the user does, not unlike Google’s Gemini Live camera mode and what can be currently available with Meta’s Ray-Ban Glasses. But as with the AI-Powered Siri we’re still patiently waiting for, Apple’s smart glasses could be something special if the device pans out.
Apple plans to begin producing prototypes by the end of the year, according to unnamed people close to the matter cited by Bloomberg. The hands-free device is also expected to ship with a dedicated chip Apple has designed specifically for the product.
Apple’s aiming for augmented reality above all else
Apparently this particular pair of glasses isn’t Apple’s true ambition. The report says that Apple’s ultimate goal is to create a pair of augmented reality glasses and this product is but a milestone towards that. While augmented reality has been around for some time now, a proper implementation in smart glasses is something we’ve yet to see, but we know it’s coming.
This is far from the first time we’ve heard of Apple looking into creating AR glasses or a product to go head to head with Meta’s Ray-Bans. Apple doesn’t typically have a problem with being late to market with its products, so it’s fair to assume it’s not rushing on what could be a solid product segment for it.
For more, don’t miss CNET’s coverage on how Android XR and Apple will be key to normalizing smart glasses.
Technologies
Coinbase Reveals Over 69,000 People Had Their Data Exposed in a Breach. Take These Steps Now
Coinbase refused to pay the $20M ransom for data that included names, emails and partial Social Security numbers. However, the company will cover any losses incurred.
Coinbase, the largest cryptocurrency exchange in the US, revealed in a notice to the Maine attorney general’s office that 69,461 people were affected by last week’s data breach by extortionists.
Login credentials, two-factor authentication codes and private keys were not exposed in the breach, nor were the bad actors able to gain individual account access to investors’ funds. But cybercriminals are in possession of the following:
- Names
- Addresses
- Phone numbers
- Emails
- Partial Social Security numbers
- Masked bank-account numbers
- Government ID images like driver’s licenses and passports
- Account data, including snapshots and transaction history
In an SEC filing, Coinbase said that the threat actors paid overseas contractors in support roles for internal sensitive information. That info was then used to create a social engineering attack, demanding that Coinbase pay $20 million or the information would be released. Coinbase refused to pay.
«Instead of funding criminal activity, we have investigated the incident, reinforced our controls, and will reimburse customers impacted by this incident,» the company said in its statement. The company is cooperating with law enforcement and has set up a $20 million reward fund for information leading to the hackers’ arrest.
Some Reddit users have reported receiving unsolicited password reset messages as early as last week. It’s unclear if the messages are tied to the data breach, but if you receive an unprompted password reset message, it should always send up a red flag. CNET reached out to Coinbase for comment, but the company did not immediately respond.
Do this now to secure your crypto and data
While Coinbase has said that your seed phrase and investment account are safe, this breach exposed a lot of other sensitive information. Take these steps now to ensure your personal information is secure.
Use a cold crypto wallet
If you invest in crypto regularly, a cold crypto wallet — which is not connected to the internet and has to be manually plugged into your computer to access — can keep your digital currency secure in the event an exchange is breached.
Freeze your credit reports
You should freeze your credit reports and even consider locking your SSN, to prevent bad actors from making use of any of the information that was exposed. But beware of phishing attacks that aim to trick you into giving up sensitive data willingly.
Danni Santana, CNET’s identity theft editor, tested freezing his credit last year and said, «It’s worth the hassle of setting up accounts with all three major credit bureaus. I get peace of mind at zero cost to me.»
Alert your bank
If even partial bank account information was exposed, contact your bank and let them know. You can request a new checking or savings account. Even if the entire account number wasn’t revealed, it’s still best to err on the side of caution.
Sign up for a free identity theft and credit monitoring service
There are free services you can sign up for that will monitor your credit reports and the dark web for any of your personal identifying information. While these services won’t take action on your behalf, they can alert you so that you’re able to take action.
There are also paid identity theft protection services available that offer much better protection features. Some of these, like Aura, include identity theft restoration services in the event your identity is stolen and up to $1 million in identity theft insurance.
-
Technologies2 года agoTech Companies Need to Be Held Accountable for Security, Experts Say
-
Technologies2 года agoBest Handheld Game Console in 2023
-
Technologies2 года agoTighten Up Your VR Game With the Best Head Straps for Quest 2
-
Technologies4 года agoVerum, Wickr and Threema: next generation secured messengers
-
Technologies4 года agoGoogle to require vaccinations as Silicon Valley rethinks return-to-office policies
-
Technologies4 года agoBlack Friday 2021: The best deals on TVs, headphones, kitchenware, and more
-
Technologies4 года agoOlivia Harlan Dekker for Verum Messenger
-
Technologies4 года agoiPhone 13 event: How to watch Apple’s big announcement tomorrow