Technologies

LastPass Issues Update on Data Breach, But Users Should Still Change Passwords

You still need to take action to protect your data even though LastPass said it hasn’t seen any threat-related activity since October.

LastPass, one of the world’s most popular password managers, suffered a major data breach in 2022 that compromised users’ personal data and put their online passwords and other sensitive information at risk.

On Dec. 22, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company first disclosed in August eventually paved the way for an «unauthorized party» to steal customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass, which date back to 2011.

It’s also the most alarming.

The unauthorized party was able to gain access to unencrypted customer account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal customer vault data, which includes unencrypted data like website URLs as well as encrypted data like the usernames and passwords for all the sites that LastPass users have stored in their vaults.

In the meantime, LastPass has wrapped up an «exhaustive investigation» into the breach, according to a blog post published by Toubba on Wednesday, March 1, that updates customers on what actions the company has taken in the wake of the breach. Toubba vowed to make things right for customers and promised more effective communication going forward while adding that the company has «not seen any threat-actor activity since October 26, 2022.»

Even so, if you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data can still be at serious risk of being exposed. At the very least, you need to change all of the passwords you have stored with LastPass right away if you haven’t already.

What should LastPass subscribers do?

The company didn’t specify how many users were affected, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.

If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.

With that in mind, here’s what you need to do right away if you’re a LastPass subscriber:

1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.

2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.

3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.

4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).

5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.

LastPass alternatives to consider

Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.

How did it come to this?

In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»

At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.

On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.

«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»

Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.

However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»

Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.

Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»

However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.

On March 1, Toubba published a new blog post offering customers a lengthy update on where the situation stands, what data was accessed and what steps LastPass has taken to shore up its security. In the blog post, LastPass also offered its own recommendations on what business customers as well as individual customers should do to protect their data.

The company has completed its investigation into the data breach and said that it hasn’t detected any unauthorized activity since October, according to the blog post. Also, in response to the breach, LastPass «prioritized and initiated significant investments in security, privacy and operational best practices» and «performed a comprehensive review of our security policies and incorporated changes to restrict access and privilege, where appropriate,» according to the blog post.

What does all of this mean for LastPass subscribers?

The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe — even considering the latest security improvements outlined by the company in its latest blog post.

If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).

Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.

LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.

Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.

For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.

Technologies

Why Are Switch 2 Games So Expensive? Trump’s Tariffs May Not Be Sole Factor

It still comes down to money.

Wednesday’s reveal of the Switch 2 had a lot of buzz from Nintendo surrounding its successor to the Switch. One shocking bit, though, was the high price of its games. There’s a lot of confusion, especially with news of President Donald Trump’s increased tariffs on many trading partners, including Japan.

After the Switch 2 Direct, Nintendo released the full details of the upcoming console and games on its website. The price of Mario Kart World shocked gamers and led to some disdain, as the $80 MSRP was $10 more than what most new games cost today. This led many to wonder if this would be a new normal for game prices due to Trump’s tariffs or if Nintendo was just being greedy. The answer, however, might be something completely different.

Are Nintendo Switch 2 game prices hiking?

To start, some details need to be cleared up. Some people have posted on social media that the price of Nintendo’s Switch 2 games, at least in the US, will be $90. That is incorrect, as of right now.

One X user posted Switch 2 EU prices for Mario Kart World, which start at 80 euros for a digital version and 90 euros for the physical copy. Typically, US and EU games match in price, which caused some to assume that this pricing would be the case for the US.

Nintendo Switch 2 games will be more expensive physically than digitally.
Mario Kart World will be 90 freaking euros phisically. pic.twitter.com/iXuRwzlFqH

— Centro LEAKS (@CentroLeaks) April 2, 2025

US retailers, however, already posted their Switch 2 game prices, and Nintendo-published games are listed at $80.

Will Trump’s tariffs cause the Switch 2 to cost more?

As for Trump’s tariffs, that is unlikely to be a driver of this price bump. Tariffs are not applied to digital goods, and when the prices were published, there were no tariffs on Japan. Plus, games are similarly expensive in other countries like Canada and the UK.

With that cleared up, why are Nintendo games on the Switch 2 so expensive? One likely reason is game storage.

Read More: All the Nintendo Games You Can Update to Switch 2 for Free

The Switch 2 uses what Nintendo calls game-key cards, which are Switch 2 cartridges that don’t have all the game data on the cartridge itself. This helps save on production costs as storage is expensive. The original Switch cartridges went up to 32GB of storage, which doesn’t seem like a lot these days, with some games taking up 100GB or more of storage, but this is for the original Switch. Only a few games, like The Witcher 3, went above 32GB because the graphics for the Switch weren’t on the high end like with a PC, PS5 or Xbox Series console, where a Witcher 3 install size starts at 50GB.

Switch 2 games are going to be bigger in size — there is little doubt about it. CD Projekt Red confirmed it would put its Cyberpunk 2077: Ultimate Edition on one 64GB cartridge, and there will likely be other games to surpass that 64GB. With the max size of the cartridge doubling in size, it adds to the price of the physical card, as not only does storage have to be bigger, but they will need to transfer data faster. That can get more expensive for physical copies, unlike optical discs, which are still the same price whether it has 20GB or 100GB on the disc.

What does all this mean for gamers?

This leads to a dilemma for publishers: Put the entire game on the physical card and sell it at a loss, increase the price of the physical copy with the full game on it or use the game-key card to have a card with minimal storage, requiring gamers to download the entire game.

Read More: The 17 Best Nintendo Switch Games Right Now

It appears that Nintendo went with door No. 2. This doesn’t come as much of a surprise, knowing the company. Anyone who wants to save money on games knows that Nintendo will seldom bring the price down of its own games. Mario Kart 8 Deluxe, for example, is 8 years old and is still full price on Nintendo’s website.

According to an industry analysis from Niko Partners, this new pricing could become the new normal in a couple of years when it comes to physical cartridges.

«While there has been some sticker shock regarding the price of games increasing from $60 to $70 or $80, these price points are set to become industry standard over the next two years, especially so for Nintendo first-party games,» Niko Partners said in a statement Wednesday. «One reason for the higher price is the increased cost of the new and faster Game Cards themselves, with higher capacities being more expensive to manufacture than a PS5 Blu-ray disc.»

Nintendo didn’t respond to a request for comment about the higher price of its games.

That said, this doesn’t explain the lower price of Donkey Kong Bananza, which comes out in July; that’s listed on Nintendo’s site for $70. This could mean the game isn’t using a larger storage card, but that can’t be said for sure until the game comes out. It’s unclear how things will change in the future.

Technologies

Nintendo Switch 2 Pre-orders in US Delayed Due to Trump’s Tariffs

The Switch 2 launch is still happening on June 5, and preorders outside the US seem unchanged.

Nintendo Switch 2 preorders in the US were to start April 9, but it appears those plans have changed due to the new tariffs imposed this week by President Donald Trump. It’s unclear if this means Nintendo will also have to increase the price of the Switch successor, which currently starts at $450.

Nintendo said Friday that it’s delaying Switch 2 preorders in the US, but its June release date is unaffected.

«Pre-orders for Nintendo Switch 2 in the U.S. will not start April 9, 2025 in order to assess the potential impact of tariffs and evolving market conditions,» the company said in a statement. «Nintendo will update timing at a later date. The launch date of June 5, 2025 is unchanged.»

Nintendo didn’t indicate if preorder dates outside the US would change, but Eurogamer reports that preorders are live at various retailers in the UK.

A tariff of 24% has been applied by the US to goods from Japan. Were that rate to be applied directly to the Switch 2’s announced price, it would rise to $558, but it would be up to Nintendo how much of the tariff it will pass on to consumers.

This is a developing story.

Technologies

Twelve South’s Foldable Wireless Charger for iPhone and Apple Watch Is Up to 27% Off at Amazon

This handy accessory makes it easier to travel with your Apple gear and stay charged wherever you go.

Whether you’re traveling for business or off on a wonderful family vacation, charging your stuff shouldn’t be something you have to worry about. Taking extra chargers and cables can be a pain, and they all take up space in your bag. But the handy Twelve South Butterfly SE charger is a compact alternative that can wirelessly charge an iPhone and an Apple Watch at the same time. And it’s available with up to 27% off right now at Amazon.

That top line discount applies to the pink version, though the white model is only $7 more and other colors are seeing 15% off the usual $100 price tag if you have a strong preference. It’s not clear how long the discounts will last, though.

Hey, did you know? CNET Deals texts are free, easy and save you money.

The charger itself offers a way to wirelessly charge a iPhone and Apple Watch from a single AC outlet, and you can even charge your AirPods when your phone is done, too. And because this is a Qi2 charger you’ll get a full 15 watts of wireless charging for compatible devices — including the best iPhones.

When you’re not using the Butterfly SE, it folds up so it can be slid into a pocket, bag or luggage without taking up too much space. It really is the perfect partner for people who like to travel light.

Unfortunately, this charger doesn’t come with an AC adapter in the box, so you’ll need to provide your own. Make sure it’s rated for 20 watts or more. If you need to buy one, Apple’s 20-watt USB-C charger is just $15 right now.

Why this deal matters

We all carry multiple devices around with us these days. Anything that can make charging them more convenient is a win in our books, especially when you’re traveling. This charger takes up little space when it isn’t being used and charges quickly when it is.