Technologies

If You Use LastPass, You Need to Change All of Your Passwords ASAP

You’ll probably also want to find a different password manager, considering the severity of the latest LastPass data breach.

LastPass, one of the world’s most popular password managers, suffered a major data breach in December, putting customers’ online passwords at risk and endangering their personal data.

On Dec. 22, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company first disclosed in August eventually led to an «unauthorized party» stealing customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass that date back to 2011.

It’s also the most alarming.

An unauthorized party was able to gain access to unencrypted subscriber account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal customer vault data, which includes unencrypted data like website URLs as well as encrypted data like the usernames and passwords for all of the sites customers have stored in their vaults.

If you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data are at serious risk of being exposed.

What should LastPass subscribers do?

The company didn’t specify how many users were affected by the breach, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.

If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.

With that in mind, here’s what you need to do right now if you’re a LastPass subscriber:

1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.

2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.

3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.

4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).

5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.

LastPass alternatives to consider

Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.

How did it come to this?

In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»

At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.

On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.

«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»

Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.

However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»

Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.

Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»

However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.

What does all of this mean for LastPass subscribers?

The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe.

If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).

Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.

LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.

Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.

For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.

Technologies

Today’s NYT Connections Hints, Answers and Help for March 18, #1011

Here are some hints and the answers for the NYT Connections puzzle for March 18 #1011.

Looking for the most recent Connections answers? Click here for today’s Connections hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle, Connections: Sports Edition and Strands puzzles.

Today’s NYT Connections puzzle is pretty tricky, but musicians might find the blue group easy. Read on for clues and today’s Connections answers.

The Times has a Connections Bot, like the one for Wordle. Go there after you play to receive a numeric score and to have the program analyze your answers. Players who are registered with the Times Games section can now nerd out by following their progress, including the number of puzzles completed, win rate, number of times they nabbed a perfect score and their win streak.

Read more: Hints, Tips and Strategies to Help You Win at NYT Connections Every Time

Hints for today’s Connections groups

Here are four hints for the groupings in today’s Connections puzzle, ranked from the easiest yellow group to the tough (and sometimes bizarre) purple group.

Yellow group hint: Time between two things, maybe.

Green group hint: That smarts!

Blue group hint: Rockers know these well.

Purple group hint: You might write one out to pay a bill.

Answers for today’s Connections groups

Yellow group: Interval.

Green group: React to a stubbed toe.

Blue group: Guitar effects pedals.

Purple group: ____ check.

Read more: Wordle Cheat Sheet: Here Are the Most Popular Letters Used in English Words

What are today’s Connections answers?

The yellow words in today’s Connections

The theme is interval. The four answers are patch, period, spell and stretch.

The green words in today’s Connections

The theme is react to a stubbed toe. The four answers are curse, hop, wince and yell.

The blue words in today’s Connections

The theme is guitar effects pedals. The four answers are delay, reverb, wah and whammy.

The purple words in today’s Connections

The theme is ____ check. The four answers are blank, coat, rain and reality.

Toughest Connections puzzles

We’ve made a note of some of the toughest Connections puzzles so far. Maybe they’ll help you see patterns in future puzzles.

#5: Included «things you can set,» such as mood, record, table and volleyball.

#4: Included «one in a dozen,» such as egg, juror, month and rose.

#3: Included «streets on screen,» such as Elm, Fear, Jump and Sesame.

#2: Included «power ___» such as nap, plant, Ranger and trip.

#1: Included «things that can run,» such as candidate, faucet, mascara and nose.

Technologies

My Kid Wanted Video Games. I Was Against It. This Console Gave Us Both the Win

The movement-based Nex Playground might be the antidote to parental screen time guilt.

When our 8-year-old started asking for video games, I knew we were about to engage in an uphill battle. Anytime we’ve been to friends’ houses with gaming consoles, he goes full zombie mode, then has an epic meltdown once the sensory overload wears off. And since he inevitably ropes his 6-year-old brother in, we’re essentially sealing both their fates.

So when our neighbors started raving about a movement-based gaming console called Nex Playground, my first instinct was to shut it down. The words «gaming console» alone were enough to put me in a mental block. Add in my own memories of Wii tennis sessions where I nearly took out the ceiling fan, and I was firmly in the «no» camp.

But after doing a little more research, I was intrigued enough to try it out.

Screen time isn’t something I take lightly. With three kids ages 2 to 8, my husband and I have always been intentional about how and what they watch. They don’t have their own tablets, and most of their screen time happens on our family TV, which means whatever the oldest is exposed to quickly trickles down to our toddler. So anything we bring into the house has to work for all of them. Tall order, I know, but the Nex Playground gets surprisingly close.

Getting started is easy

The console itself is refreshingly simple. It’s a small cube, slightly larger than a Rubik’s cube, with a circular camera and motion sensor, a light indicator and two ports for power, and an HDMI connection to the TV. There’s no controller beyond a basic remote for navigating menus. For most games, your body is the controller.

Setup is quick. Plug it in, connect it to your TV, and you’re ready to go. It doesn’t store video or upload footage to the cloud, which was an immediate plus. It also comes with a magnetic privacy cover that you can put on the lens when it’s not in use.

At $250, it’s not cheap, but it’s less than some of the popular gaming consoles for this age range, like the Nintendo Switch 2. That gets you a five-game starter pack: Fruit Ninja, Go Keeper (soccer), Starri (think Guitar Hero for your whole body), Party Fowl (an AR emoji frenzy) and Whack-a-Mole. Additional games require a subscription: $89 a year or $49 for three months, which unlocks a library of 50-plus games and counting. New titles dropped even as I was writing this.

The library spans a surprisingly wide range. There are board game adaptations like Connect Four and Candy Land, character-driven games with Peppa Pig, Bluey and the Ninja Turtles, and sports like baseball and, yes, tennis — minus the ceiling fan hazard. There’s even parent-friendly content like Zumba workouts, which I may or may not have fully committed to on a rainy afternoon.

Even my toddler has gotten in on the action, mostly bouncing her way through Hungry Hungry Hippos when her brothers finally concede.

Gameplay is where it wins

The movements range from swinging your arms to keep a ball in motion, hopping or full-body launches that are far more aggressive than what the game actually requires. (I’m not about to tell the kids otherwise.) After a 45-minute session, my kids are tired and sometimes even drenched in sweat. The Nex Playground entertains and burns energy in one fell swoop.

The graphics also seem intentionally simple and arcade-like, which fits the minimalist play experience. There’s no POV storyline to get lost in, no leveling up into a new world at 9 p.m. on a school night. Some games keep score, which awakens my kids’ competitive streak, but the vibe is more collaborative and hasn’t been the catalyst for more fighting like other games. If anything, it’s done the opposite.

I still don’t love defaulting to a screen when my kids are bored, so we try to use it in moderation. In our house, piano practice is the only thing that unlocks weekend play time, and the fact that they’ll sit at the piano for a full hour tells you everything you need to know.

The verdict that matters most

But the real test: Does it hold up to an 8-year-old who was dead set on a Nintendo Switch?

Short answer: yes. At least for now. He’d still pick the Switch if you asked him, but not for the reasons you’d expect.

«The Playground is more tiring,» he told me, which only helped seal the deal for me. His current favorite is Homerun Hitters. «It’s basically a baseball game where you go against ranked global players. Me and my brother are really good at it.»

This from a kid whose primary hobby is annoying his younger brother. The fact that he said «me and my brother» as a collective was an unexpected bonus.

The Switch may still show up on the Christmas list this year. And realistically, I know I’m on borrowed time. As kids get older, «cool» becomes the currency, and a motion-based cube probably won’t hold up against an Xbox or a Switch once playdates turn into side-by-side gaming sessions.

The Nex Playground isn’t a replacement for those. It’s more of a detour; it gives them a taste of gaming without all the usual side effects. Even if I do eventually cave, I can still see it sticking around for the occasional family game night or as a rainy-day sibling diffuser.

In the meantime, I’ll relish this simpler version of gaming while I still can. He’s not exactly rushing me to return this review unit. More importantly, neither am I.

Technologies

Don’t Wait for New Emoji in iOS 26.4, Here’s How to Create Them on Your Own

If your iPhone has Apple Intelligence, you can create your own emoji now.

Apple will likely add new emoji to your iPhone when the company releases iOS 26.4. Those new emoji could include an orca, a distorted smiley face and more. According to Emojipedia, there are 3,953 emoji with more on the way. The current list of emoji include smileys, sports players, weather conditions and flags. But there’s no emoji for a dog wearing pajamas, a plate with burgers and fries and many other things. But if you have Genmoji on your iPhone you can create these emoji and many more.

Apple released iOS 18.2 in 2024 and the company introduced its own emoji generator, called Genmoji, to Apple Intelligence-capable iPhones at that time. The Unicode Standard, a universal character encoding standard, is responsible for creating new emoji, and approved emoji are added to all devices once a year. With Genmoji, you don’t have to wait for new emoji to appear on your iPhone each year. You can just create them as you need them.

Read on to learn how to use Genmoji on iPhone to create your own custom emoji. Just note that only iPhones with Apple Intelligence, like the iPhone 17 lineup, can use Genmoji at this time.

How to make custom emoji

1. Open Messages and go into a chat.
2. Tap the plus (+) button next to your text box.
3. Tap Genmoji.

You can then type a description of an emoji into the text box near the bottom of your screen and tap the check mark on your keyboard to enter that description into Genmoji. You can also tap different suggestions and themes that are right above the text box. And with iOS 26 or later, you can also combine and use emoji to create others rather than describing a new emoji or using suggestions.

Your iPhone will generate a series of new emoji for you to pick from according to your description, and you can swipe through these new emoji. When you find the one you want, tap Add in the top right corner of your screen and the new emoji will be available to use as an emoji, tapback or a sticker. Now you don’t have to wait for the Unicode Standard to propose, create and bring new emoji to devices.

For more iOS news, here’s what to know about iOS 26.3.1 and iOS 26.3. You can also check out our iOS 26 cheat sheet for other tips and tricks.