Technologies
LastPass Issues Update on Data Breach, But Users Should Still Change Passwords
You still need to take action to protect your data even though LastPass said it hasn’t seen any threat-related activity since October.
LastPass, one of the world’s most popular password managers, suffered a major data breach in 2022 that compromised users’ personal data and put their online passwords and other sensitive information at risk.
On Dec. 22, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company first disclosed in August eventually paved the way for an «unauthorized party» to steal customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass, which date back to 2011.
It’s also the most alarming.
The unauthorized party was able to gain access to unencrypted customer account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal customer vault data, which includes unencrypted data like website URLs as well as encrypted data like the usernames and passwords for all the sites that LastPass users have stored in their vaults.
In the meantime, LastPass has wrapped up an «exhaustive investigation» into the breach, according to a blog post published by Toubba on Wednesday, March 1, that updates customers on what actions the company has taken in the wake of the breach. Toubba vowed to make things right for customers and promised more effective communication going forward while adding that the company has «not seen any threat-actor activity since October 26, 2022.»
Even so, if you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data can still be at serious risk of being exposed. At the very least, you need to change all of the passwords you have stored with LastPass right away if you haven’t already.
What should LastPass subscribers do?
The company didn’t specify how many users were affected, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run «brute force» attacks on those stolen local files. LastPass estimates it would take «millions of years» to guess your master password — if you’ve followed its best practices.
If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.
With that in mind, here’s what you need to do right away if you’re a LastPass subscriber:
1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.
2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.
3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.
4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).
5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.
LastPass alternatives to consider
- Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
- 1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days.
- iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.
How did it come to this?
In August 2022, LastPass published a blog post written by Toubba saying that the company «determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.»
At the time, Toubba said that the threat was contained after LastPass «engaged a leading cybersecurity and forensics firm» and implemented «enhanced security measures.» But that blog post would be updated several times over the following months as the scope of the breach gradually widened.
On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded.
«Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident,» Toubba said. «There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults.»
Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.
However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company «determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information.»
Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed.
Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their «sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture.»
However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.
On March 1, Toubba published a new blog post offering customers a lengthy update on where the situation stands, what data was accessed and what steps LastPass has taken to shore up its security. In the blog post, LastPass also offered its own recommendations on what business customers as well as individual customers should do to protect their data.
The company has completed its investigation into the data breach and said that it hasn’t detected any unauthorized activity since October, according to the blog post. Also, in response to the breach, LastPass «prioritized and initiated significant investments in security, privacy and operational best practices» and «performed a comprehensive review of our security policies and incorporated changes to restrict access and privilege, where appropriate,» according to the blog post.
What does all of this mean for LastPass subscribers?
The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe — even considering the latest security improvements outlined by the company in its latest blog post.
If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).
Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves.
LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed.
Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults.
For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.
Technologies
Tariffs Explained: Latest on Trump’s Shifting Import Tax Plan, and What It Means
Technologies
Apple, I’m (Sky) Blue About Your iPhone 17 Air Color
Commentary: The rumored new hue of the iPhone 17 Air is more sky blah than sky blue.
I can’t help but feel blue about the latest rumor that Apple’s forthcoming iPhone 17 Air will take flight in a subtle, light-hued color called sky blue.
Sky blue isn’t a new color for Apple. It’s the featured shade of the current M4 MacBook Air, a shimmer of cerulean so subtle as to almost be missed. It’s silver left too close to an aquarium; silver that secretly likes to think it’s blue but doesn’t want everyone else to notice.
Do Apple employees get to go outside and see a real blue sky? It’s actually vivid, you can check for yourself. Perhaps the muted sky blue color reflects a Bay Area late winter/early spring frequent layer of clouds like we typically see here in Seattle.
«Who cares?» you might find yourself saying. «Everyone gets a case anyway.» I hear you and everyone else who’s told me that. But design-focused Apple is as obsessive about colors as they are about making their devices thinner. And I wonder if their heads are in the clouds about which hues adorn their pro products.
Making the case for a caseless color iPhone
I’m more invested in this conversation than most — I’m one of those freaks who doesn’t wrap my phone in a case. I find cases bulky and superfluous, and I like to be able to see Apple’s design work. Also, true story, I’ve broken my iPhone screen only twice: First when it was in a «bumper» that Apple sent free in response to the iPhone 4 you’re-holding-it-wrong Antennagate fiasco, and second when trying to take long exposure starry night photos using what I didn’t realize was a broken tripod mount. My one-week-old iPhone 13 Pro slipped sideways and landed screen-first on a pointy rock. A case wouldn’t have saved it.
My current model is an iPhone 16 Pro in black titanium — which I know seems like avoiding color entirely — but previously I’ve gone for colors like blue titanium and deep purple. I wanted to like deep purple the most but it came across as, in the words of Patrick Holland in his iPhone 14 Pro review, «a drab shade of gray or like Grimace purple,» depending on the light.
Pros can be bold, too
Maybe the issue is too many soft blues. Since the iPhone Pro age began with the iPhone 11 Pro, we’ve seen variations like blue titanium (iPhone 15 Pro), sierra blue (iPhone 13 Pro) and pacific blue (iPhone 12 Pro).
Pacific blue is the boldest of the bunch, if by bold you mean dark enough to discern from silver, but it’s also close enough to that year’s graphite color that seeing blue depends on the surrounding lighting. By comparison, the blue (just «blue») color of the iPhone 12 was unmistakably bright blue.
In fact, the non-Pro lines have embraced vibrant colors. It’s as if Apple is equating «pro» with «sophisticated,» as in «A real pro would never brandish something this garish.» I see this in the camera world all the time: If it’s not all-black, it’s not a «serious» camera.
And yet I know lots of pros who are not sophisticated — proudly so. People choose colors to express themselves, so forcing that idea of professionalism through color feels needlessly restrictive. A bright pink iPhone 16 might make you smile every time you pick it up but then frown because it doesn’t have a telephoto camera.
Color is also important because it can sway a purchase decision. «I would buy a sky blue iPhone yesterday,» my colleague Gael Cooper texted after the first rumor popped online. When each new generation of iPhones arrive, less technically different than the one before, a color you fall in love with can push you into trading in your perfectly-capable model for a new one.
And lest you think Apple should just stick with black and white for its professional phones: Do you mean black, jet black, space black, midnight black, black titanium, graphite or space gray? At least the lighter end of the spectrum has stuck to just white, white titanium and silver over the years.
Apple never got ahead by being beige
I’m sure Apple has reams of studies and customer feedback that support which colors make it to production each year. Like I said, Apple’s designers are obsessive (in a good way). And I must remind myself that a sky blue iPhone 17 Air is a rumored color on a rumored product so all the usual caveats apply.
But we’re talking about Apple here. The scrappy startup that spent more than any other company on business cards at the time because each one included the old six-color Apple logo. The company that not only shaped the first iMac like a tipped-over gumdrop, that not only made the case partially see-through but then made that cover brilliant Bondi blue.
Embrace the iPhone colors, Apple.
If that makes you nervous, don’t worry: Most people will put a case on it anyway.
Technologies
Astronomers Say There’s an Increased Possibility of Life on This Distant Planet
Using the James Webb Space Telescope, astronomers are working to confirm potential evidence of life on a distant exoplanet dubbed K2-18b.
Astronomers are nearing a statistically significant finding that could confirm the potential signs of life detected on the distant exoplanet K2-18b are no accident.
The team of astronomers, led by the University of Cambridge, used data from the James Webb Space Telescope (which has only been in use since the end of 2021) to detect chemical traces of dimethyl sulfide (DMS) and/or dimethyl disulfide (DMDS), which they say can only be produced by life such as phytoplankton in the sea.
According to the university, «the results are the strongest evidence yet that life may exist on a planet outside our solar system.»
The findings were published this week in the Astrophysical Journal Letters and point to the possibility of an ocean on this planet’s surface, which scientists have been hoping to discover for years. In the abstract for the paper, the team says, «The possibility of hycean worlds, with planet-wide oceans and H2-rich atmospheres, significantly expands and accelerates the search for habitable environments elsewhere.»
Not everyone agrees, however, that what the team found proves there’s life on the exoplanet.
Science writer and OpenMind Magazine founder Corey S. Powell posted about the findings on Bluesky, writing, «The potential discovery of alien life is so enticing that it drags even reputable outlets into running naive or outright misleading stories.» He added, «Here we go again with planet K2-18b.Um….there’s strong evidence of non-biological sources of the molecule DMS.»
K2-18b is 124 light-years away and much larger than Earth (more than eight times our mass), but smaller than Neptune. The search for signs of even basic life on a planet like this increases the chances that there are more planets like Earth that may be inhabitable, with temperatures and atmospheres that could sustain human-like lifeforms. The team behind the paper hopes that more study with the James Webb Space Telescope will help confirm their initial findings.
More research to do on finding life on K2-18b
The exoplanet K2-18b is not the only place where scientists are exploring the possibility of life, and this research is still an early step in the process, said Christopher Glein, a geochemist, planetary researcher and lead scientist at San Antonio’s Southwest Research Institute. Excitement over the significance of the research, he said, should be tempered.
«We need to be careful here,» Glein said. «It appears that there is something in the data that can’t be explained, and DMS/DMDS can provide an explanation. But this detection is stretching the limits of JWST’s capabilities.»
Glein added, «Further work is needed to test whether these molecules are actually present. We also need complementary research assessing the abiotic background on K2-18b and similar planets. That is, the chemistry that can occur in the absence of life in this potentially exotic environment. We might be seeing evidence of some cool chemistry rather than life.»
The TRAPPIST-1 planets, he said, are being researched as potentially habitable, as is LHS 1140b, which he said «is another astrobiologically significant exoplanet, which might be a massive ocean world.»
As for K2-18b, Glein said many more tests need to be performed before there’s consensus on life existing on it.
«Finding evidence of life is like prosecuting a case in the courtroom,» Glein said. «Multiple independent lines of evidence are needed to convince the jury, in this case the worldwide scientific community.» He added, «If this finding holds up, then that’s Step 1.»
-
Technologies2 года agoTech Companies Need to Be Held Accountable for Security, Experts Say
-
Technologies2 года agoBest Handheld Game Console in 2023
-
Technologies2 года agoTighten Up Your VR Game With the Best Head Straps for Quest 2
-
Technologies4 года agoVerum, Wickr and Threema: next generation secured messengers
-
Technologies4 года agoGoogle to require vaccinations as Silicon Valley rethinks return-to-office policies
-
Technologies3 года agoOlivia Harlan Dekker for Verum Messenger
-
Technologies3 года agoBlack Friday 2021: The best deals on TVs, headphones, kitchenware, and more
-
Technologies4 года agoiPhone 13 event: How to watch Apple’s big announcement tomorrow