LastPass Users Hit by Another Data Breach This Week

Summary
– A WIRED investigation revealed a Bristol predictive policing program with 23 models over a decade that scores individuals’ crime risks, yet most locals are unaware of it.
– LastPass suffered a data breach via a Klue compromise, exposing customer contact and sales data, but password vaults were unaffected.
– Former national security adviser John Bolton pleaded guilty to mishandling classified information, with a plea deal recommending up to five years in prison and a $2.25 million fine.
– Microsoft and Europol disrupted Amadey and StealC infostealer infrastructure, seizing 326 servers and recovering $47 million in stolen cryptocurrency and 27 million credentials.
– Australia’s ASIO established teams to counter nation-state cyberattacks on critical infrastructure after finding hackers had compromised a provider’s network and acquired user credentials.

A WIRED investigation has peeled back the curtain on a predictive policing program in Bristol, England, revealing a decade-long initiative involving 23 distinct models designed to assess individuals’ likelihood of committing or falling victim to various crimes. Drawing on public records requests and additional reporting, the probe exposes a fragmented law enforcement system that carries significant consequences for the community yet remains largely unknown to residents.
Following last week’s leak of identities belonging to members of Peter Thiel’s private “Dialog” group, the organization blamed a “criminal” hacker for the breach. However, evidence suggests that personal details of members, including a White House intelligence official and an active-duty special operations officer, were left publicly accessible due to a Dialog website misconfiguration.
As Anthropic and the White House continued negotiations over the release of its latest Claude Mythos 5 and Fable 5 models, critics pointed to the company’s rapid accumulation of power, a strategy Anthropic defends as essential for AI safety and responsible development. On Friday evening, the White House granted Anthropic permission to make Mythos 5 available again to a select group of US companies and government agencies.
Amid this turbulence, OpenAI launched an upgraded version of its limited-release GPT-5.5-Cyber model and unveiled “Patch the Planet,” a full-scale initiative to support open source projects in vulnerability patching and security, as AI accelerates both bug discovery and exploit development. Meanwhile, as the AI arms race between China and the US intensifies, WIRED spoke with several leading Chinese AI experts, who expressed mutual concerns about a potential “Chernobyl moment.”
As the World Cup knockout stage approaches, scams tied to the tournament are becoming increasingly sophisticated and harder to detect.
And there’s more. Each week, we compile the security and privacy stories we didn’t cover in depth. Click the headlines for full details. And stay safe out there.
LastPass users are facing yet another data breach. This week, the password manager notified customers that attackers accessed names, phone numbers, email addresses, physical addresses, support case data, and sales-related information. The breach originated at the AI business intelligence firm Klue, where attackers compromised access tokens for Klue customers, including LastPass, and used them to extract data from Salesforce and other integrated platforms. LastPass stressed that its own infrastructure was not compromised and that password vaults were unaffected.
“We recommend that customers remain vigilant of potential phishing attacks or social engineering attempts, which could leverage exposed contact details,” LastPass wrote in its notification. “Always exercise caution regarding unsolicited communications, including emails, phone calls, or requests for sensitive information.”
Former national security adviser John Bolton pleaded guilty on Friday to a single count of mishandling and illegally retaining classified defense information. Bolton, 77, entered a plea deal that could allow him to avoid prison time, though the agreement recommends a sentence of no more than five years. US District Judge Theodore Chuang in Maryland will determine sentencing at a hearing scheduled for October 28. Bolton served in the first Trump administration but later became a vocal critic of President Donald Trump. As part of the deal, he also agreed to pay a $2.25 million fine, though he can withdraw his plea if Chuang imposes a larger fine or longer sentence.
Microsoft, Europol, and other partners announced Wednesday that they disrupted the infrastructure of the Amadey and StealC infostealers, malware central to the cybercriminal ecosystem. The operation, part of Operation Endgame, targeted platforms and tools enabling ransomware and other cybercrime. Authorities identified, mapped, and seized malware infrastructure, taking action against 326 servers and 142 domains. The effort flagged approximately $47 million in stolen cryptocurrency and recovered up to 27 million stolen credentials. Microsoft noted that the action was enabled by AI-assisted analysis, which revealed that Amadey and StealC relied on the same backend infrastructure and could be targeted together.
Australia’s Security and Intelligence Organisation (ASIO) announced this week that it is establishing teams to counter nation-state cyberattacks on critical infrastructure after discovering actors inside the country’s systems. “We discovered nation-state hackers had compromised the network of an Australian critical infrastructure provider,” ASIO Director General Mike Burgess said Wednesday. “ASIO assessed the hackers were preparing for sabotage. They were mapping out the network and maintaining access so they could cripple it at a time of their choosing.”
Burgess spoke alongside the release of ASIO’s annual threat assessment. “In this case, a state-sponsored group didn’t just achieve access to the Australian critical infrastructure provider, it successfully acquired credentials, login details and passwords, for active users of the networks, including the IT professionals guarding it,” he added.
(Source: Wired)




