Introducing LastPass Sentry: Always on the Lookout for the Latest Breach

September 17, 2012 | Product Updates

In response to a number of high-profile breaches (including LinkedIn, Last.fm, and the Apple UDIDs), we’ve provided LastPass users with tools to check if their data is on the leaked lists, and have notified users directly as we’ve discovered their compromised data. We wanted to take this a step further, and partnered with a company dedicated to finding and aggregating all leaks as they’re occurring, to provide a much more comprehensive service.

Today we’re excited to announce our partnership with PwnedList to offer LastPass Sentry, a new feature that will help LastPass users be more proactive about their online security.

With LastPass Sentry, we’ll use PwnedList’s comprehensive (and growing) database of 24 million publicly leaked usernames and passwords to perform daily “checks” against LastPass account email addresses to look for positive matches.

How it works:

  1. Sentry performs daily checks, with the latest updates to the PwnedList database, to see if LastPass account email addresses are on the list.
  2. If a match is found, an email notification is sent to the LastPass user, notifying them of the domain that was breached and the potential risk.
  3. Users can then run the LastPass Security Challenge to verify if the password for the breached site is used elsewhere.
  4. We then recommend updating the password for the affected account, and any other accounts using that password, using LastPass to generate a new, strong password.

The feature is available for all free and Premium users, as well as corporate Enterprise users, and is currently opt-out via the email notifications. In the case of Enterprise users, both the Enterprise administrator and the affected employee will receive notifications that a match has been found.

We’re excited that the feature has already generated positive feedback. LastPass Enterprise customer Matthew Wittkin of MoreVisibility commented, “LastPass already helps us to better control and protect our digital assets. With this new feature, our administrators and employees know immediately if any company passwords have been compromised, allowing us to update them within seconds. We hope nothing like this will ever come to pass, but it gives me extra peace of mind knowing that, with LastPass, I’ll be the first to know!”

We plan to further integrate the service into the LastPass Security Challenge, so that we can check not only the email address you use for your LastPass account itself, but also perform a local check of the entirety of your stored data. We also plan to increase the frequency of our database checks to work towards real-time notifications.

What do you think of LastPass Sentry? Leave your thoughts in the comments below!

62 Comments

  • Anonymous says:

    Thanks guys, great feature… Unfortunately, until it can interrogate my database, it’s not any use to me… Most of my stored accounts use a different email address to my LastPass one.

    Great Idea Though

  • pk says:

    Great feature, and will be even better once other email addresses can be checked locally!

    Am I correct in assuming that the actual emails are not being submitted to PwnedList, but rather their SHA-512 hashes? Keep up the good work! And I am a new Premium user :)

    • Anonymous says:

      Could LastPass please confirm this important point as to whether e-mail addresses are being sent for verification?

    • Amber says:

      Email addresses are not being sent for verification, and no other information is shared with them; all checks are performed on our end as we receive the updates to PwnedList’s database. Happy to clarify further if needed!

    • pk says:

      That’s great, thank you Amber! How will the additional emails be sent to LastPass? Hopefully using a locally computed, one-way hash.

  • Luke says:

    This is an awesome feature. So glad to see you guys constantly working on improving the service and enhancing our online safety… that’s why I pay for your service ;-)

  • Jeff Scott says:

    It’s great you’re making this available for everyone, but I couldn’t be happier to support LP with a premium sub. Keep up the amazing work!

  • Suresh says:

    That’s awesome, you guys are top notch. Introducing extra things like this is what I love about LastPass.