Technologies

If You Use LastPass, You Need to Change All of Your Passwords ASAP

You’ll probably also want to find a different password manager, considering the severity of the latest LastPass data breach.

LastPass, one of the world’s most popular password managers, suffered a major data breach in December, putting customers’ online passwords at risk and endangering their personal data.

On Dec. 22, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company first disclosed in August eventually led to an «unauthorized party» stealing customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass that date back to 2011.

It’s also the most alarming.

An unauthorized party was able to gain access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal customer vault data, which includes unencrypted data like website URLs as well as encrypted data like the usernames and passwords for all of the sites customers have stored in their vaults.

If you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data are at serious risk of being exposed.

What should LastPass subscribers do?

The company didn’t specify how many users were affected by the breach, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.

If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.

With that in mind, here’s what you need to do right now if you’re a LastPass subscriber:

1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.

2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.

3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.

4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).

5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.

LastPass alternatives to consider

Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.

How did it come to this?

In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»

At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.

On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.

«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»

Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.

However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»

Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.

Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»

However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.

What does all of this mean for LastPass subscribers?

The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe.

If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).

Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.

LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.

Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.

For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.

Technologies

How to Get Verizon’s New Internet Plan for Just $25 Per Month

Technologies

This $20K Humanoid Robot Promises to Tidy Your Home. But There Are Strings Attached

The new Neo robot from 1X is designed to do chores. It’ll need help from you — and from folks behind the curtain.

It stands 5 feet, 6 inches tall, weighs about as much as a golden retriever and costs near the price of a brand-new budget car.

This is Neo, the humanoid robot. It’s billed as a personal assistant you can talk to and eventually rely on to take care of everyday tasks, such as loading the dishwasher and folding laundry.

Neo doesn’t work cheap. It’ll cost you $20,000. And even then, you’ll still have to train this new home bot, and possibly need a remote assist as well.

If that sounds enticing, preorders are now open (for a mere $200 down). You’ll be signing up as an early adopter for what Neo’s maker, a California-based company called 1X, is calling a «consumer-ready humanoid.» That’s opposed to other humanoids under development from the likes of Tesla and Figure, which are, for the moment at least, more focused on factory environments.

Neo is a whole order of magnitude different from robot vacuums like those from Roomba, Eufy and Ecovacs, and embodies a long-running sci-fi fantasy of robot maids and butlers doing chores and picking up after us. If this is the future, read on for more of what’s in store.

Don’t miss any of our unbiased tech content and lab-based reviews. Add CNET as a preferred Google source.

What the Neo robot can do around the house

The pitch from 1X is that Neo can do all manner of household chores: fold laundry, run a vacuum, tidy shelves, bring in the groceries. It can open doors, climb stairs and even act as a home entertainment system.

Neo appears to move smoothly, with a soft, almost human-like gait, thanks to 1X’s tendon-driven motor system that gives it gentle motion and impressive strength. The company says it can lift up to 154 pounds and carry 55 pounds, but it is quieter than a refrigerator. It’s covered in soft materials and neutral colors, making it look less intimidating than metallic prototypes from other companies.

The company says Neo has a 4-hour runtime. Its hands are IP68-rated, meaning they’re submersible in water. It can connect via Wi-Fi, Bluetooth and 5G. For conversation, it has a built-in LLM, the same sort of AI technology that powers ChatGPT and Gemini.

The primary way to control the Neo robot will be by speaking to it, just as if it were a person in your home.

Still, Neo’s usefulness today depends heavily on how you define useful. The Wall Street Journal’s Joanna Stern got an up-close look at Neo at 1X’s headquarters and found that, at least for now, it’s largely teleoperated, meaning a human often operates it remotely using a virtual-reality headset and controllers.

«I didn’t see Neo do anything autonomously, although the company did share a video of Neo opening a door on its own,» Stern wrote last week.

1X CEO Bernt Børnich told her that Neo will do most things autonomously in 2026, though he also acknowledged that the quality «may lag at first.»

The company’s FAQ says that for any chore request Neo doesn’t know how to accomplish, «you can schedule a 1X Expert to guide it» to help the robot «learn while getting the job done.»

What you need to know about Neo and privacy

Part of what early adopters are signing up for is to let Neo learn from their environment so that future versions can operate more independently.

That learning process raises privacy and trust questions. The robot uses a mix of visual, audio and contextual intelligence — meaning it can see, hear and remember interactions with users throughout their homes.

«If you buy this product, it is because you’re OK with that social contract,» Børnich told the Journal. «It’s less about Neo instantly doing your chores and more about you helping Neo learn to do them safely and effectively.»

Neo’s reliance on human operation behind the scenes prompted a response from John Carmack, a computer industry luminary known for his work with VR systems and the lead programmer of classic video games including Doom and Quake.

«Companies selling the dream of autonomous household humanoid robots today would be better off embracing reality and selling ‘remote operated household help’,» he wrote in a post on the X social network (formerly Twitter) on Monday.

1X says it’s taking steps to protect your privacy: Neo listens only when it recognizes it’s being addressed, and its cameras will blur out humans. You can restrict Neo from entering or viewing specific areas of your home, and the robot will never be teleoperated without owner approval, the company says.

But inviting an AI-equipped humanoid to observe your home life isn’t a small step.

The first units will ship to customers in the US in 2026. There is a $499 monthly subscription alternative to the $20,000 full-purchase price, though that will be available at an unspecified later date. A broader international rollout is promised for 2027.

Neo’s got a long road ahead of it to live up to the expectations set by Rosie the Robot in The Jetsons way back when. But this is no Hanna-Barbera cartoon. What we’re seeing now is a much more tangible harbinger of change.

Technologies

I Wish Nintendo’s New Switch 2 Zelda Game Was an Actual Zelda Game

Hyrule Warriors: Age of Imprisonment has great graphics, a great story and Zelda is actually in it. But the gameplay makes me wish for another true Zelda title instead.

I’ve never been a Hyrule Warriors fan. Keep that in mind when I say that Nintendo’s new Switch 2-exclusive Zelda-universe game has impressed me in several ways, but the gameplay isn’t one of them. Still, this Zelda spinoff has succeeded in showing off the Switch 2’s graphics power. Now can we have a true Switch 2 exclusive Zelda game next?

The upgraded graphics in Tears of the Kingdom and Breath of the Wild has made the Switch 2 a great way to play recent Zelda games, which had stretched the Switch’s capabilities to the limit before. And they’re both well worth revisiting, because they’re engrossing, enchanting, weird, epic wonders. Hyrule Warriors: Age of Imprisonment, another in the Koei-Tecmo developed spinoff series of Zelda-themed games, is a prequel to Tears of the Kingdom. It’s the story of Zelda traveling back in time to ancient Hyrule, and the origins of Ganondorf’s evil. I’m here for that, but a lot of hack and slash battles are in my way.

A handful of hours in, I can say that the production values are wonderful. The voices and characters and worlds feel authentically Zelda. I feel like I’m getting a new chapter in the story I’d already been following. The Switch 2’s graphics show off smooth animation, too, even when battles can span hundreds of enemies.

But the game’s central style, which is endless slashing fights through hordes of enemies, gets boring for me. That’s what Hyrule Warriors is about, but the game so far feels more repetitive than strategic. And I just keep button-mashing to get to the next story chapter. For anyone who’s played Hyrule Warriors: Age of Calamity, expect more of the same, for the most part.

I do like that the big map includes parts in the depths and in the sky, mirroring the tri-level appeal of Tears of the Kingdom. But Age of Calamity isn’t a free-wandering game. Missions open up around the map, each one opening a contained map to battle through. Along the way, you unlock an impressive roster of Hyrule characters you can control.

As a Switch 2 exclusive to tempt Nintendo fans to make the console upgrade, it feels like a half success. I admire the production values, and I want to keep playing just to see where the story goes. But as a purchase, it’s a distant third to Donkey Kong Bananza and Mario Kart World.

Hyrule Warriors fans, you probably know what you’re probably in for, and will likely get this game regardless. Serious Zelda fans, you may enjoy it just for the story elements alone.

As for me? I think I’ll play some more, but I’m already sort of tuning the game out a bit. I want more exploration, more puzzles, more curiosity. This game’s not about that. But it does show me how good a true next-gen Zelda could be on the Switch 2, whenever Nintendo decides to make that happen.