In response to a number of high-profile breaches (including LinkedIn, Last.fm, and the Apple UDIDs), we’ve provided LastPass users with tools to check if their data is on the leaked lists, and have notified users directly as we’ve discovered their compromised data. We wanted to take this a step further, and partnered with a company dedicated to finding and aggregating all leaks as they’re occurring, to provide a much more comprehensive service.

We have partnered with PwnedList to offer LastPass Sentry, a new feature that will help LastPass users be more proactive about their online security.

With LastPass Sentry, we use PwnedList’s comprehensive (and growing) database of 24 million publicly leaked usernames and passwords to perform daily “checks” against LastPass account email addresses to look for positive matches.

How It Works

  1. Sentry performs daily checks, with the latest updates to the PwnedList database, to see if LastPass account email addresses are on the list.
  2. If a match is found, an email notification is sent to the LastPass user, notifying them of the domain that was breached and the potential risk.
  3. Users can then run the LastPass Security Challenge to verify if the password for the breached site is used elsewhere.
  4. We then recommend updating the password for the affected account, and any other accounts using that password, using LastPass to generate a new, strong password.
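The four steps above, sketched as an added Python example (not LastPass or PwnedList code). The feed layout, account fields, vault entries and all function names are assumptions made for illustration, and every sample value is constructed.

```python
import secrets
import string

# Constructed sample data; the real PwnedList feed format is not described here.
LEAK_UPDATE = [
    {"email": "Alice@Example.com ", "domain": "forum.example"},
    {"email": "bob@corp.example", "domain": "shop.example"},
    {"email": "carol@example.com", "domain": "shop.example"},
    {"email": "nobody@elsewhere.example", "domain": "shop.example"},
]
ACCOUNTS = [  # hypothetical account records held by the checking service
    {"email": "alice@example.com", "opted_out": False, "admin": None},
    {"email": "bob@corp.example", "opted_out": False, "admin": "it@corp.example"},
    {"email": "carol@example.com", "opted_out": True, "admin": None},
]
VAULT = [  # one user's entries, compared locally on the user's side
    {"site": "forum.example", "password": "hunter2"},
    {"site": "mail.example", "password": "hunter2"},
    {"site": "bank.example", "password": "x9!Lq_unique"},
]

def normalize(email):
    # Leak dumps vary in case and whitespace; compare canonical forms.
    return email.strip().lower()

def daily_check(leak_update, accounts):
    """Steps 1-2: match account emails against the pulled update, locally."""
    by_email = {normalize(a["email"]): a for a in accounts}
    notices = []
    for rec in leak_update:
        acct = by_email.get(normalize(rec["email"]))
        if acct is None or acct["opted_out"]:
            continue  # not a user, or the user opted out of notifications
        # Enterprise case: the administrator is notified as well.
        recipients = [acct["email"]] + ([acct["admin"]] if acct["admin"] else [])
        notices.append({"to": recipients, "breached_domain": rec["domain"]})
    return notices

def reused_elsewhere(vault, breached_domain):
    """Step 3: other sites that share the breached site's password."""
    leaked = {e["password"] for e in vault if e["site"] == breached_domain}
    return sorted(e["site"] for e in vault
                  if e["site"] != breached_domain and e["password"] in leaked)

def new_password(length=20):
    """Step 4: replacement password drawn from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Every password `reused_elsewhere` flags should be rotated along with the breached site's own password.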

This feature is available for all free and Premium users, as well as corporate Enterprise users, and is currently opt-out via the email notifications. In the case of Enterprise users, both the Enterprise administrator and the affected employee will receive notifications that a match has been found.

We have plans to further integrate the service into the LastPass Security Challenge, so we can check not only the email address that you use for your LastPass account itself, but also perform a local check of the entirety of your stored data. We also plan to increase the frequency of our database checks to work towards real-time notifications.

FAQs

  1. What data is sent to PwnedList.com? None. We pull the latest updates to the PwnedList database and run a check against LastPass email addresses on our end. No data is shared with PwnedList.
  2. What information is LastPass checking for breaches? We currently check against all emails saved within your LastPass Vault.
  3. Does this mean my LastPass account has been hacked? No, but if you used the same email address and password combination for your LastPass account as you did for the site that was breached, we strongly recommend you update your Master Password as soon as possible. Otherwise, follow our instructions to update the password for the affected site, and run the LastPass Security Challenge (in the LastPass add-on under the Tools menu) to search for any other accounts using the same password.