Introducing LastPass Sentry: Always on the Lookout for the Latest Breach

By September 17, 2012 Product Updates 62 Comments

In response to a number of high-profile breaches (including LinkedIn,, and the Apple UDIDs), we’ve provided LastPass users with tools to check if their data is on the leaked lists, and have notified users directly as we’ve discovered their compromised data. We wanted to take this a step further, and partnered with a company dedicated to finding and aggregating all leaks as they’re occurring, to provide a much more comprehensive service.

Today we’re excited to announce our partnership with PwnedList to offer LastPass Sentry, a new feature that will help LastPass users be more proactive about their online security.

With LastPass Sentry, we’ll use PwnedList’s comprehensive (and growing) database of 24 million publicly leaked usernames and passwords to perform daily “checks” against LastPass account email addresses and look for positive matches.

How it works:

  1. Sentry performs daily checks, with the latest updates to the PwnedList database, to see if LastPass account email addresses are on the list.
  2. If a match is found, an email notification is sent to the LastPass user, notifying them of the domain that was breached and the potential risk. 
  3. Users can then run the LastPass Security Challenge to verify if the password for the breached site is used elsewhere.
  4. We then recommend updating the password for the affected account, and any other accounts using that password, using LastPass to generate a new, strong password.

The feature is available for all free and Premium users, as well as corporate Enterprise users. It is currently on by default (opt-out), with the opt-out offered through the email notifications themselves. In the case of Enterprise users, both the Enterprise administrator and the affected employee will receive notifications that a match has been found.

We’re excited that the feature has already generated positive feedback. LastPass Enterprise customer Matthew Wittkin of MoreVisibility commented, “LastPass already helps us to better control and protect our digital assets. With this new feature, our administrators and employees know immediately if any company passwords have been compromised, allowing us to update them within seconds. We hope nothing like this will ever come to pass, but it gives me extra peace of mind knowing that, with LastPass, I’ll be the first to know!”

We have plans to further integrate the service into the LastPass Security Challenge, so that we can check not only the email address you use for your LastPass account itself, but also perform a local check of all of your stored data. We also plan to increase the frequency of our database checks to work towards real-time notifications.

What do you think of LastPass Sentry? Leave your thoughts in the comments below!


  • Anonymous says:

    Will that slow down the browser, at least initially?

  • Aaron says:

    This is the first time in internet history where making something opt-out was the CORRECT decision! <3 LastPass!

  • Anonymous says:

    Excellent Job as always Lastpass! As a premium subscriber for over a year AND a subscriber to the pw3dlist it is a fantastic addition! Keep up the good work!

  • Lastpass is my favorite Internet service, and the price rocks!

  • Anonymous says:

    pwnedlist database synced to my PC?

    Can LastPass let me check the information in my vault against the pwnedlist database locally if I don’t have a local copy of said database?

    How is this supposed to work?

    • Amber says:

      Currently we only check account email addresses for matches in the database information that we receive from PwnedList. If we were to check the vault, we’d have to sync the data to your machine where the check can be performed locally.

  • Anonymous says:

    pwnedlist: Principles Without Principals?

    I find it surprising that doesn’t give the names and backgrounds of their key personnel. I understand that they need to be somewhat secretive to get information from hackers.

    I’m practically blind, so perhaps I missed it…

  • ML says:

    So cool. I love lastpass. Seriously really good job with the service

  • Anonymous says:

Thanks Guys, Great feature… Unfortunately, until it can interrogate my database, it’s not any use to me… Most of my stored accounts use a different email address to my Lastpass one.

    Great Idea Though

  • pk says:

    Great feature, and will be even better once other email addresses can be checked locally!

Am I correct in assuming that the actual emails are not being submitted to PwnedList, but rather their SHA-512 hashes? Keep up the good work, and I am a new Premium user :)

    • Anonymous says:

Could Lastpass please confirm this important point as to whether e-mail addresses are being sent for verification?

    • Amber says:

Email addresses are not being sent for verification, and no other information is shared with them; all checks are performed on our end as we receive the updates to PwnedList’s database. Happy to clarify further if needed!

    • pk says:

      That’s great, thank you Amber! How will the additional emails be sent to LastPass? Hopefully using a locally computed, one-way hash.

  • Luke says:

    This is an awesome feature. So glad to see you guys constantly working on improving the service and enhancing our online safety… that’s why I pay for your service ;-)

  • Jeff Scott says:

    It’s great you’re making this available for everyone, but I couldn’t be happier to support LP with a premium sub. Keep up the amazing work!

  • Suresh says:

That’s awesome, you guys are top notch. Introducing extra things like this is what I love about LastPass.

  • Anonymous says:

Thanks guys, you rock.

  • asokad says:

This is an enhancement of the services offered by LastPass. In the recent past, I was able to find that one of my accounts was among those millions of passwords cracked.

  • Haqqi says:

Wow, excellent! I am one of the premium users and will be helped by this feature.

  • That is an excellent service! Thank you for that extra security, which is so much needed nowadays!

  • LinuxTurtle says:

    Does it only check for the lastpass account email? Or does it somehow extract usernames/email addys for all my accounts stored in lastpass? (I’m guessing the former, with work going on to integrate into the security challenge so it *can* do the latter, but just checking to make sure :)

  • Anonymous says:

    LastPass with extra awesomeness! Me likey!

  • Anonymous says:

    Very welcome addition, thanks!

  • Anonymous says:

    Another pointless feature. I’m starting to worry about the focus of LP development team.

    • Anonymous says:

      I tend to agree. Every single one of these additions, and the increasingly “social” flavour pervading everything, has its own security implications to worry about.
      When LP gets around to doing a “local” check for compromised user names and e-mail addresses in our vaults, will this mean that some service somewhere is being sent all our login IDs and all our e-mail addresses, opening the risk of that service harvesting all this stuff?
      I am really getting concerned. Lastpass is now so complex, with so many security implications to think about, that I am getting worried it is all too much. And too much centralisation.

    • Joe Siegrist says:

      We’d never send your email to a 3rd party, we’re downloading all the leaks and comparing them against our database internally. This really is only about helping protect you in the safest way possible.

    • Steven Grimm says:

      Even if LastPass did a check on their end on request from the client, it would be completely trivial to do it with zero risk to the security of the accounts in your vault. Their client would just send a hashed version of a given address and compare that against a hashed list of compromised accounts. Only in the case of a match (in which case, by definition, your account is *already* compromised, or it wouldn’t have been on the list) would LastPass be able to determine which address was in your vault.

      They could also do an initial check purely on the client side against, say, a Bloom filter several megabytes wide, and only send the hash value if that initial check indicated a potential match.

      Done right, this is no privacy risk.
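The hashed comparison with a client-side Bloom filter prefilter that Steven Grimm describes above, applied to the daily email-address check from the “How it works” steps, as an added Python example (not LastPass or PwnedList code; the leak list, filter size and hash count are constructed):

```python
import hashlib

# Constructed sample leak list, standing in for what an aggregator would hold server-side.
LEAKED = ["alice@example.com", "Bob@Example.org", "carol@example.net"]


def hash_address(address: str) -> bytes:
    """One-way SHA-512 of a normalised address; only this digest ever leaves the client."""
    return hashlib.sha512(address.strip().lower().encode("utf-8")).digest()


class BloomFilter:
    """Minimal Bloom filter keyed on the SHA-512 digest: k 4-byte slices give k bit indices."""

    def __init__(self, size_bits: int = 1 << 16, k: int = 4):
        self.size, self.k = size_bits, k
        self.bits = bytearray(size_bits // 8)

    def _indices(self, digest: bytes):
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.size

    def add(self, digest: bytes) -> None:
        for idx in self._indices(digest):
            self.bits[idx // 8] |= 1 << (idx % 8)

    def might_contain(self, digest: bytes) -> bool:
        # A miss is definitive; a hit may be a false positive and needs exact confirmation.
        return all(self.bits[idx // 8] & (1 << (idx % 8)) for idx in self._indices(digest))


def build_server_state(leaked):
    """Server: hash every leaked address once; publish the filter, keep the exact hash set."""
    hashes = {hash_address(a) for a in leaked}
    bloom = BloomFilter()
    for h in hashes:
        bloom.add(h)
    return bloom, hashes


def client_check(address: str, bloom: BloomFilter, exact_hashes: set):
    """Client: test the published filter locally; only a potential match sends its hash on.
    Returns (breached, hash_sent_to_server)."""
    digest = hash_address(address)
    if not bloom.might_contain(digest):
        return False, False  # definite miss: nothing about the address leaves the machine
    return digest in exact_hashes, True  # server-side exact confirmation of the hash
```

Because a Bloom miss is definitive, addresses that are not in the leak list never send even their hash; a positive match only tells the server a hash that was already on its own list.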

  • Doe John says:

    Heck yes. Nice addition LastPass. Thank you guys.

  • Anonymous says:

    How are you doing this? LastPass is advertised as encrypting user data before it leaves the user’s machine. The idea being that LastPass cannot get at the information any more than a remote user could without the key in the form of the master password. If you are able to verify the existence of usernames and passwords in my vault and send me an e-mail to that effect, then clearly you have access to the very information you’ve said was unavailable to you. Which is it? Part of the allure of the LastPass system is that I don’t have to “trust” LastPass’ staff to keep my information secure, but rather that the obfuscatory power behind the encryption will ensure that security. If you can find out usernames and passwords remotely, this puts all that into question. Please explain how you can do this without compromising security.

    • Anonymous says:

      I have been wondering the same thing…

    • Anonymous says:

      Ditto on that… and also, wouldn’t it be better to use a LastPass random login name of 12 meaningless characters? Doesn’t that DOUBLE my security? If you try that on most sites, you’ll get an error message, invalid email format, or it needs that Login/Email Address to confirm your subscription. We are always adding convenience in lieu of security!

    • Anonymous says:

      Quoting Amber from LP:
      “so that we can locally check against the data in your vault.”

      As I understand it the keyword here is “LOCALLY”. All the work is done on your side, not LP servers.

    • Anonymous says:

      If you read the full article it states that initially you’ll only be notified if the same email you registered with and use to login is part of any leaked list. No logins within your vault are accessed.

      They’re working on integrating this discovery method with the LastPass Security Check, all of which is initiated by you locally and without sending any data to LastPass. This would include all your logins and other email addresses you use.

  • Anonymous says:

    So this just compares your login email address with the database?

  • RichC says:

    Great addition to an already excellent method of reducing exposure to Internet risk.

  • Anonymous says:

    Indeed the typical lastpass user probably uses a number of email addresses or better still a catch-all domain. It should check each site’s credentials for the email address to check against – for the majority of sites it’s the email address stored as username.

  • Anonymous says:

    I love this idea but I use a unique email address for my lastpass account. Would be nice if we could add a wildcard domain (That we can verify ownership on) to the list of email addresses scanned for. I use google apps and create a new email address for every site I visit.

    • Anonymous says:

      Wow, do you just set them all to forward to one central account?

    • Tash Hepting says:

      That’s what I do (unique email addresses, dumped to one inbox). For the ones that are more than receive-only I will set up “send-as” for them. If the email address ends up on a spam list I just blackhole it.

      Works great.

    • Bruce L says:

      Same here. Wildcard domain.

      Why couldn’t LastPass also check if the site compromised is one of the sites in your LastPass vault and notify you accordingly?

    • Because LastPass can’t decrypt your vault, which is a VERY good thing. They can only perform this check with your LastPass email address that you use to log in, since they have that on file.

  • Anonymous says:

    It would be interesting if there were a way to list email addresses / usernames for lastpass to check for using sentry, so that more than just the account email address could be used for constant notification.

    It would also be interesting if LastPass could help facilitate in a secure manner checks for the leaked Apple UUIDs and other similar leaks.

  • Tash Hepting says:

    So how do I use this if the email address I use with Lastpass is different from the email address(es) I use for any other web service?

  • Is this a new feature that can be enabled somewhere or is it just automatically on for all users? Not really clear in this blog posting. That said, I think it’s a great addition to LP.

  • Fred Gandt says:

    Awesome thanks!
    A great idea to provide direct personalised action.