LastPass Issues Update on Data Breach, But Users Should Still Change Passwords

You still need to take action to protect your data even though LastPass said it hasn’t seen any threat-related activity since October.

LastPass, one of the world’s most popular password managers, suffered a major data breach in 2022 that compromised users’ personal data and put their online passwords and other sensitive information at risk. 

On Dec. 22, LastPass CEO Karim Toubba acknowledged in a blog post that a security incident the company first disclosed in August eventually paved the way for an "unauthorized party" to steal customer account information and sensitive vault data. The breach is the latest in a lengthy and troubling string of security incidents involving LastPass, which date back to 2011.

It’s also the most alarming.

The unauthorized party was able to gain access to unencrypted customer account information like LastPass usernames, company names, billing addresses, email addresses, phone numbers and IP addresses, according to Toubba. That same unauthorized party was also able to steal customer vault data, which includes unencrypted data like website URLs as well as encrypted data like the usernames and passwords for all the sites that LastPass users have stored in their vaults. 

In the meantime, LastPass has wrapped up an "exhaustive investigation" into the breach, according to a blog post published by Toubba on Wednesday, March 1, that updates customers on what actions the company has taken in the wake of the breach. Toubba vowed to make things right for customers and promised more effective communication going forward while adding that the company has "not seen any threat-actor activity since October 26, 2022."

Even so, if you’re a LastPass subscriber, the severity of this breach should have you looking for a different password manager, because your passwords and personal data can still be at serious risk of being exposed. At the very least, you need to change all of the passwords you have stored with LastPass right away if you haven’t already.

What should LastPass subscribers do?

The company didn’t specify how many users were affected, and LastPass didn’t respond to CNET’s request for additional comment on the breach. But if you’re a LastPass subscriber, you need to operate under the assumption that your user and vault data are in the hands of an unauthorized party with ill intentions. Though the most sensitive data is encrypted, the problem is that the threat actor can run "brute force" attacks on those stolen local files. LastPass estimates it would take "millions of years" to guess your master password — if you’ve followed its best practices.

If you haven’t — or if you just want total peace of mind — you’ll need to spend some serious time and effort changing your individual passwords. And while you’re doing that, you’ll probably want to transition away from LastPass, too.

With that in mind, here’s what you need to do right away if you’re a LastPass subscriber:

1. Find a new password manager. Given LastPass’ history with security incidents and considering the severity of this latest breach, now’s a better time than ever to seek an alternative.

2. Change your most important site-level passwords immediately. This includes passwords for anything like online banking, financial records, internal company logins and medical information. Make sure these new passwords are strong and unique.

3. Change every single one of your other online passwords. It’s a good idea to change your passwords in order of importance here too. Start with changing the passwords to accounts like email and social media profiles, then you can start moving backward to other accounts that may not be as critical.

4. Enable two-factor authentication wherever possible. Once you’ve changed your passwords, make sure to enable 2FA on any online account that offers it. This will give you an added layer of protection by alerting you and requiring you to authorize each login attempt. That means even if someone ends up obtaining your new password, they shouldn’t be able to gain access to a given site without your secondary authenticating device (typically your phone).

5. Change your master password. Though this doesn’t change the threat level to the stolen vaults, it’s still prudent to help mitigate the threats of any potential future attack — that is, if you decide you want to stay with LastPass.

LastPass alternatives to consider

  • Bitwarden: CNET’s top password manager is a highly secure and open-source LastPass alternative. Bitwarden’s free tier allows you to use the password manager across an unlimited number of devices across device types. Read our Bitwarden review.
  • 1Password: Another excellent password manager that works seamlessly across platforms. 1Password doesn’t offer a free tier, but you can try it for free for 14 days. 
  • iCloud Keychain: Apple’s built-in password manager for iOS, iPadOS and MacOS devices is an excellent LastPass alternative available to Apple users at no additional cost. iCloud Keychain is secure and easy to set up and use across all of your Apple devices. It even offers a Windows client, too, with support for Chrome and Edge browsers.

How did it come to this?

In August 2022, LastPass published a blog post written by Toubba saying that the company "determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information."

At the time, Toubba said that the threat was contained after LastPass "engaged a leading cybersecurity and forensics firm" and implemented "enhanced security measures." But that blog post would be updated several times over the following months as the scope of the breach gradually widened.

On Sept. 15, Toubba updated the blog post to notify customers that the company’s investigation into the incident had concluded. 

"Our investigation revealed that the threat actor’s activity was limited to a four-day period in August 2022. During this timeframe, the LastPass security team detected the threat actor’s activity and then contained the incident," Toubba said. "There is no evidence of any threat actor activity beyond the established timeline. We can also confirm that there is no evidence that this incident involved any access to customer data or encrypted password vaults."

Toubba assured customers at the time that their passwords and personal data were safe in LastPass’s care.

However, it turned out that the unauthorized party was indeed ultimately able to access customer data. On Nov. 30, Toubba updated the blog post once again to alert customers that the company "determined that an unauthorized party, using information obtained in the August 2022 incident, was able to gain access to certain elements of our customers’ information."

Then, on Dec. 22, Toubba issued a lengthy update to the blog post outlining the unnerving details regarding precisely what customer data the hackers were able to access in the breach. It was then that the full severity of the situation finally came to light and the public found out that LastPass customers’ personal data was in the hands of a threat actor and all of their passwords were at serious risk of being exposed. 

Still, Toubba assured customers who follow LastPass’s best practices for passwords and have the latest default settings enabled that no further action on their part is recommended at this time since their "sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture."

However, Toubba warned that those who don’t have LastPass’s default settings enabled and don’t follow the password manager’s best practices are at greater risk of having their master passwords cracked. Toubba suggested that those users should consider changing the passwords of the websites they have stored.

On March 1, Toubba published a new blog post offering customers a lengthy update on where the situation stands, what data was accessed and what steps LastPass has taken to shore up its security. In the blog post, LastPass also offered its own recommendations on what business customers as well as individual customers should do to protect their data.

The company has completed its investigation into the data breach and said that it hasn’t detected any unauthorized activity since October, according to the blog post. Also, in response to the breach, LastPass "prioritized and initiated significant investments in security, privacy and operational best practices" and "performed a comprehensive review of our security policies and incorporated changes to restrict access and privilege, where appropriate," according to the blog post.

What does all of this mean for LastPass subscribers?

The initial breach ended up allowing the unauthorized party to access sensitive user account data as well as vault data, which means that LastPass subscribers should be extremely concerned for the integrity of the data they have stored in their vaults and should be questioning LastPass’s capacity to keep their data safe — even considering the latest security improvements outlined by the company in its latest blog post.

If you’re a LastPass subscriber, an unauthorized party may have access to personal information like your LastPass username, email address, phone number, name and billing address. IP addresses used when accessing LastPass were also exposed in the breach, which means that the unauthorized party could also see the locations from which you used your account. And because LastPass doesn’t encrypt users’ stored website URLs, the unauthorized party can see all of the websites for which you have login information saved with the password manager (even if the passwords themselves are encrypted).

Information like this gives a potential attacker plenty of ammunition for launching a phishing attack and socially engineering their way to your account passwords. And if you have any password reset links stored that may still be active, an attacker can easily go ahead and create a new password for themselves. 

LastPass says that encrypted vault data like usernames and passwords, secure notes and form-filled data that was stolen remains secured. However, if an attacker were to crack your master password at the time of the breach, they would be able to access all of that information, including all the usernames and passwords to your online accounts. If your master password wasn’t strong enough at the time of the breach, your passwords are especially at risk of being exposed. 

Changing your master password now will, unfortunately, not help solve the issue because the attackers already have a copy of your vault that was encrypted using the master password you had in place at the time of the breach. This means the attackers essentially have an unlimited amount of time to crack that master password. That’s why the safest course of action is a site-by-site password reset for all of your LastPass-stored accounts. Once changed at the site level, that would mean the attackers would be getting your old, outdated passwords if they managed to crack the stolen encrypted vaults. 
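To make the reasoning above concrete, here is a small added Python model (written for this article, not LastPass’s own code, and not its real vault format) of a stolen vault copy: the master password is changed, then the site-level passwords are rotated, and the model checks what the old copy still yields at each step. The vault format, PBKDF2 iteration count and site names are constructed placeholders.

```python
import hashlib
import hmac
import json
import os

# Toy vault, constructed for this example; NOT LastPass's format. Key derivation
# is PBKDF2-HMAC-SHA256 as password managers commonly use (iteration count is a
# placeholder, not LastPass's setting). The cipher is an HMAC-SHA256 counter
# keystream plus an HMAC tag, used only because the standard library has no
# AES; do not reuse it in real software.
ITERATIONS = 100_000


def derive_key(master_password, salt):
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_vault(master_password, entries):
    """Encrypt a dict of site -> password under a key derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(12)
    key = derive_key(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def decrypt_vault(master_password, blob):
    """Return the entries, or None when the master password is wrong (tag mismatch)."""
    key = derive_key(master_password, blob["salt"])
    expected = hmac.new(key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    keystream = _keystream(key, blob["nonce"], len(blob["ct"]))
    return json.loads(bytes(c ^ k for c, k in zip(blob["ct"], keystream)))


def breach_scenario():
    """Returns (stolen copy still opens with the old master password, its contents are stale)."""
    live_entries = {"bank.example": "Bank-Pw-2022", "mail.example": "Mail-Pw-2022"}
    live_vault = encrypt_vault("weak master", live_entries)
    stolen_copy = dict(live_vault)  # the attacker exfiltrates the ciphertext as-is

    # Step 1: the user changes the master password. Only the live vault is
    # re-encrypted; the stolen copy is untouched and still opens with the OLD one.
    live_vault = encrypt_vault("a much longer and stronger master passphrase", live_entries)
    opens_with_old_master = decrypt_vault("weak master", stolen_copy) is not None

    # Step 2: the user rotates every site-level password. The stolen copy can
    # still be opened, but every credential inside it is now out of date.
    live_entries = {"bank.example": "Bank-Pw-2023", "mail.example": "Mail-Pw-2023"}
    live_vault = encrypt_vault("a much longer and stronger master passphrase", live_entries)
    recovered = decrypt_vault("weak master", stolen_copy)
    all_stale = all(recovered[site] != pw for site, pw in live_entries.items())
    return opens_with_old_master, all_stale
```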

For more on staying secure online, here are data privacy tips digital security experts wish you knew and browser settings to change to better guard your information.

iOS 17 Cheat Sheet: Your Questions on the iPhone Update Answered

Here’s what you need to know about new features and upcoming updates for your iPhone.

Apple’s iOS 17 was released in September, shortly after the company held its Wonderlust event, where the tech giant announced the new iPhone 15 lineup, the Apple Watch Series 9 and the Apple Watch Ultra 2. We put together this cheat sheet to help you learn about and use the new features in iOS 17. It’ll also help you keep track of the subsequent iOS 17 updates.

Make sure to check back periodically for more iOS 17 tips and how to use new features as Apple releases more updates.

Get Ready for a Striking Aurora That Could Also Disrupt Radio Communications

Don’t expect the storm to cause a lingering problem, though.

A geomagnetic storm is threatening radio communications Monday night, but that doesn’t mean you should be concerned. In fact, it may be an opportunity to see a colorful aurora in the night sky.

The National Oceanic and Atmospheric Administration has issued a geomagnetic storm watch after witnessing a coronal mass ejection from the sun on Saturday. The watch, which was issued over the weekend and will expire after Monday, said the onset of the storm passing over Earth on Sunday night represented a "moderate" threat to communications. As the storm continues to pass through, it could deliver a "strong" threat on Monday night that could cause radio communications to be temporarily disrupted during the worst of it.

Even so, NOAA said, "the general public should not be concerned."

A coronal mass ejection occurs when magnetic field and plasma mass are violently expelled from the sun’s corona, or the outermost portion of the sun’s atmosphere. In the vast majority of cases, the ejection occurs with no real threat to Earth. However, in the event the ejection happens in the planet’s direction, a geomagnetic storm occurs, and the Earth’s magnetic field is temporarily affected.

In most cases, geomagnetic storms cause little to no disruption on Earth, with radio communications and satellites affected most often. In extreme cases, a geomagnetic storm can cause significant and potentially life-threatening power outages — a prospect that, luckily, the planet hasn’t faced.

Switching poles

Every 11 years, the sun’s magnetic poles switch, with the north pole and south pole swapping positions. During those cycles, the sun’s activity ramps up as it gets closer to pole-switching time. The height of its activity is called solar maximum, and scientists believe we either may be entering the solar maximum or may be already in it.

During periods of heightened solar activity, sunspots increase on the sun and there’s an increase in coronal mass ejections, among other phenomena. According to NOAA, solar maximum could extend into October of this year before the sun’s activity calms and it works towards its less-active phase, solar minimum.

Even when geomagnetic storms hit Earth and disrupt communications, the effects are usually short-lived. Those most affected, including power grid operators and pilots and air traffic controllers communicating over long distances, have fail-safe technologies and backup communications to ensure operational continuity.

But geomagnetic storms aren’t only about radios. In most cases, they also present unique opportunities to see auroras in the night sky. When the storms hit, the plasma they carry creates a jaw-dropping aurora, illuminating the night sky with brilliant colors. Those auroras can be especially pronounced during the most intense phases of the storm, making for nice stargazing.

If you’re interested in seeing the aurora, you’ll need to be ready. The NOAA said the "brunt of the storm has passed" and even if it lingers into Tuesday, there won’t be much to see after Monday night.

Last Total Solar Eclipse for 20 Years Is Coming: How to See and Photograph It

It’s your last chance until 2044.

Get your eclipse glasses ready, skygazers: the Great American Eclipse is on its way. On April 8, there’ll be a total eclipse over North America, the last one until 2044.

A total solar eclipse happens when the moon passes between the Earth and the sun, blocking the sun and turning an otherwise sunny day to darkness for a short period of time. Depending on the angle at which you’re viewing the eclipse, you may see the sun completely shrouded by the moon (called totality) or some variation of it. The more off-angle you are and the further you are from the path of the eclipse, the less likely you’ll be to see the totality.

The 2024 total solar eclipse will happen on Monday, April 8. The Great American Eclipse will reach the Mexican Pacific coast at 11:07 a.m. PT (2:07 p.m. ET), and then traverse the US in a northeasterly direction from Texas to Maine, and on into easternmost Canada. If you want a good look at it, but don’t live in the path of totality, you shouldn’t wait much longer to book accommodation and travel to a spot on the path.

Or how about booking a seat in the sky? Delta Air Lines made headlines for offering a flight that allows you to see the entire path of totality. Its first eclipse flight, from Austin, Texas, to Detroit sold out quickly. But as of Monday, Delta has added a second flight from Dallas to Detroit, which also covers the path of totality. The airline also has five flights that will offer prime eclipse viewing.

Not everyone can get on one of those elusive eclipse-viewing flights. Here’s a look at other options to nab a chance to see this rare sight and what to know about it.

Total solar eclipse path

The eclipse will cross over the Pacific coast of Mexico and head northeast over mainland Mexico. The eclipse will then make its way over San Antonio at approximately 2:30 p.m. ET on April 8 and move through Texas, over the southeastern part of Oklahoma and northern Arkansas by 2:50 p.m. ET.

By 3 p.m. ET, the eclipse will be over southern Illinois, and just 5 minutes later, will be traveling over Indianapolis. Folks in northwestern Ohio will be treated to the eclipse by 3:15 p.m. ET, and it will then travel over Lake Erie and Buffalo, New York, by 3:20 p.m. ET. Over the next 10 minutes, the eclipse will be seen over northern New York state, then over Vermont. By 3:35 p.m. ET, the eclipse will work its way into Canada and off the Eastern coast of North America.

Best places to watch the Great American Eclipse

When evaluating the best places to watch this year’s total eclipse, you’ll first want to determine where you’ll have the best angle to see the totality. The farther off-angle you are — in other words, the farther north or south of the eclipse’s path — the less of an impact you can expect.

Therefore, if you want to have the best chance of experiencing the eclipse, you’ll want to be in its path. As of this writing, most of the cities in the eclipse’s path have some hotel availability, but recent reports have suggested that rooms are booking up. And as more rooms are booked, prices are going up.

So if you want to be in the eclipse’s path, and need a hotel to do it, move fast. And Delta’s eclipse-viewing flight from Dallas to Detroit has just four seats left at the time of publication.

Eclipse eye safety and photography

As with any solar eclipse, it’s critical you keep eye safety in mind.

During the eclipse, and especially during the periods before and after totality, don’t look directly at the sun without special eye protection. Also, be sure not to look at the sun through a camera (including the camera on your phone), binoculars, a telescope or any other viewing device. This could cause serious eye injury. Sunglasses aren’t enough to protect your eyes from damage.

If you want to view the eclipse, you’ll instead need solar viewing glasses that comply with the ISO 12312-2 safety standard. Anything that doesn’t meet that standard or greater won’t be dark enough to protect your eyes. Want to get them for free? If you’ve got a Warby Parker eyeglasses store nearby, the company is giving away free, ISO-certified solar eclipse glasses at all of its stores from April 1 until the eclipse, while supplies last.

If you don’t have eclipse viewing glasses handy, you can instead use indirect methods for viewing the eclipse, like a pinhole projector.

Read more: A Photographer’s Adventure With the Eclipse

In the event you want to take pictures of the eclipse, attach a certified solar filter to your camera. Doing so will protect your eyes and allow you to take photos while you view the eclipse through your lens.

There’s also a new app to help you both protect your eyes and take better photos of the eclipse on your phone. Solar Snap, designed by a former Hubble Space Telescope astronomer, comes with a Solar Snap camera filter that attaches to the back of an iPhone or Android phone, along with solar eclipse glasses for protecting your eyesight during the event. After you attach the filter to your phone, you can use the free Solar Snap Eclipse app to zoom in on the eclipse, adjust exposure and other camera settings, and ultimately take better shots of the eclipse.

2024 eclipse compared to 2017

The last total solar eclipse occurred in 2017, and many Americans had a great view. Although there are plenty of similarities between the 2017 total solar eclipse and the one coming April 8, there are a handful of differences. Mainly, the 2024 eclipse is going to cover more land and last longer.

The 2017 eclipse started over the northwest US and moved southeast. Additionally, that eclipse’s path was up to 71 miles wide, compared with a maximum width of 122 miles for this year’s eclipse. Perhaps most importantly, the moon completely covered the sun for just 2 minutes, 40 seconds in 2017. This year, maximum totality will last for nearly four-and-a-half minutes.
