
Keeping you safe in a world full of breaches

Amber Steel, July 06, 2017

Please note that the Security Challenge and breach alert functionality discussed in this post has since been updated. For current information, please see our blog post from 8/5/2020.

Hardly a day goes by without news of another company that has experienced a breach, and every year millions of people are victims of hijacked accounts and online fraud. At home and at work, these threats are often driven by dangerous password habits. According to Verizon's 2017 Data Breach Investigations Report (DBIR), a startling 81% of hacking-related breaches leveraged stolen or weak passwords.

Keeping you safe with breach alerts

For years now, we've offered automated breach alerts to help users identify the passwords they need to change. By working with a partner that aggregates data breaches as they happen, LastPass users get time-saving tools that alert them when their personal information has been exposed. With access to a database of billions of compromised credentials, LastPass users have the information they need, close to real time, to protect themselves from the aftermath of a breach. Our new partner for this service, PasswordPing, uses a combination of manual research and custom tooling to continuously gather credentials that are exposed on the Internet and the dark web. Although a specialized research process is needed to find them, every credential indexed by PasswordPing was already publicly exposed and at risk of being used for malicious purposes. By making LastPass customers aware that a credential is no longer secret, we give them the chance to change it before it is used against them, heading off a range of follow-on harms from account takeover to identity theft.

What you should know about breach alerts

All LastPass users enjoy the security benefits of breach alerts. Now powered by PasswordPing, both the LastPass account email address and the email addresses stored in the vault as usernames are checked against a database of addresses leaked in known breaches. LastPass users are protected with:
  • Checks for LastPass account emails: Your LastPass account email address is checked as well as the addresses in your vault. To run the check on demand, open your vault and click "Security Challenge" in the left-hand navigation pane. Once the challenge has run, you are alerted if any of your email addresses appear in a known breach.
  • Security Challenge reports: The LastPass Security Challenge provides an audit of your password security, identifying weak, reused, old, and vulnerable passwords. After launching, users are presented with a list of all email addresses found in the vault. By default, every email address in the vault is checked against PasswordPing's database. When matches are found, alerts are sent to the affected email addresses. Users can opt out by unchecking specific email addresses, or by skipping the breach check entirely.
  • Email notifications: When matches are found, notifications are sent to the affected email addresses so users can update the corresponding passwords.
The most important thing to do when you receive an alert is to update the affected account with a new, random password from the password generator. Keep in mind what the alert actually means: only email addresses are matched, so an alert tells you the address appeared in a breach, not which password was exposed alongside it. Treat every account that uses that address together with a shared password as at risk. Not reusing passwords is what keeps a single leaked address from turning into a string of compromised accounts.

Helping businesses fight password reuse

In the workplace, password reuse poses a major threat. Attackers take credentials leaked from other breaches and replay them against corporate networks and accounts, a technique known as credential stuffing. With password reuse as common as it is, it's only a matter of time before one of those logins works. Breach alerts give employees insight into which of their addresses have been exposed, and they have the tools they need, a password generator and a password vault, to replace the password quickly and store a unique, complex one for next time.

Less effort, better security

Of course, we take precautions to transmit user data securely and to check for breach matches without exposing more than is necessary. For LastPass account emails, PasswordPing securely transmits its list of leaked addresses to LastPass servers, so the match against account emails happens on our side. When a user runs the Security Challenge, LastPass locally generates SHA-256 hashes of the LastPass account email address and of the email addresses stored in the vault. With the user's permission, those hashes are sent over a TLS connection (256-bit cipher) to PasswordPing and compared against the hashed emails in its historical database. No passwords or password hashes are ever sent to PasswordPing.

One caveat is worth stating plainly. An unsalted SHA-256 of an email address is a deterministic lookup key, not anonymization: anyone holding a candidate address can compute the same digest and test for membership. The hash therefore keeps PasswordPing from learning addresses it does not already hold (short of guessing them), but it cannot hide addresses that are in its corpus, which is exactly what makes the match possible. The protection this design offers rests on the hashes being used only for the match and not retained or enumerated by the receiving side.

We've reviewed PasswordPing's security practices and are confident that we are providing our customers all the benefits of a specialized data breach service without exposing sensitive data to undue risk. Both at home and in the workplace, data breach alerts are just one more way LastPass helps you stay safer while saving you time and hassle.
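The following Python script is an added example, not LastPass or PasswordPing code, that models both the hashed-email exchange described here and the Security Challenge audit (weak, reused, old, and breached entries) described earlier. Everything beyond "SHA-256 the address locally, send the digest, match on the other side" is an assumption: that addresses are lower-cased and trimmed before hashing so both sides hash identical bytes, that hex digests are exchanged, the thresholds used for "weak" and "old", and the breach corpus and vault contents, which are constructed sample data. It also goes beyond the post by showing the caveat that an unsalted email hash can be reversed by anyone holding a list of candidate addresses.

```python
"""Hashed-email breach check and vault audit, modelled on the LastPass/PasswordPing
exchange described in the post. Added example; assumptions are marked in comments."""
import hashlib
from datetime import date

# ---- constructed sample data (not real breach data, not real accounts) -----------------
# What the aggregator holds on its side (plaintext addresses it collected from dumps).
BREACH_CORPUS_EMAILS = ["alice@example.com", "bob@example.org", "carol@example.net"]

# A constructed vault: (site, username, password, last_changed).
VAULT = [
    ("shop.example.com", "Alice@Example.com", "Tr0ub4dor&3", date(2015, 3, 1)),
    ("mail.example.com", "alice@example.com", "Tr0ub4dor&3", date(2017, 1, 10)),
    ("bank.example.com", "alice.work@example.com", "correct horse battery staple", date(2017, 6, 1)),
    ("forum.example.org", "alice.work@example.com", "pass1234", date(2016, 12, 31)),
]
SAMPLE_TODAY = date(2017, 7, 6)   # fixed "today" so the audit is reproducible


def normalize_email(addr: str) -> str:
    """Assumed canonical form (lowercase, trimmed) so client and server hash the same bytes."""
    return addr.strip().lower()


def hash_email(addr: str) -> str:
    """Client side: SHA-256 of the canonical address. This digest, not the address, leaves the device."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def build_breach_index(corpus_emails):
    """Aggregator side: index the historical corpus under the same hash function."""
    return {hash_email(e) for e in corpus_emails}


def client_request(account_email, vault):
    """Client side: distinct digests for the account email and every vault username.
    The digest->address map stays local so matches can be resolved without help."""
    addrs = {normalize_email(account_email)} | {normalize_email(u) for _, u, _, _ in vault}
    return {hash_email(a): a for a in addrs}


def server_check(index, digests):
    """Aggregator side: return only digests it already holds; unknown digests tell it nothing."""
    return {d for d in digests if d in index}


def breach_check(account_email, vault, corpus_emails):
    """Full exchange; returns the matched addresses, resolved locally, in sorted order."""
    request = client_request(account_email, vault)
    matched = server_check(build_breach_index(corpus_emails), request.keys())
    return sorted(request[d] for d in matched)


def audit_vault(vault, compromised_emails, today=SAMPLE_TODAY, max_age_days=365, min_len=12):
    """Security-Challenge-style audit. Thresholds are assumptions, not LastPass's.
    Returns {site: [reasons]} for every entry with at least one finding."""
    sites_by_password = {}
    for site, _, pw, _ in vault:
        sites_by_password.setdefault(pw, []).append(site)
    findings = {}
    for site, user, pw, changed in vault:
        reasons = []
        if len(pw) < min_len:
            reasons.append("weak")
        if len(sites_by_password[pw]) > 1:
            reasons.append("reused")
        if (today - changed).days > max_age_days:
            reasons.append("old")
        if normalize_email(user) in compromised_emails:
            reasons.append("breached-email")
        if reasons:
            findings[site] = reasons
    return findings


def dictionary_reverse(digest, candidate_emails):
    """Caveat: an unsalted email digest is recoverable by anyone with a candidate list."""
    for cand in candidate_emails:
        if hash_email(cand) == digest:
            return normalize_email(cand)
    return None


if __name__ == "__main__":
    hits = breach_check("alice@example.com", VAULT, BREACH_CORPUS_EMAILS)
    print("addresses seen in a breach:", hits)
    for site, reasons in audit_vault(VAULT, set(hits)).items():
        print(f"{site}: {', '.join(reasons)}")
    print("reversed:", dictionary_reverse(hash_email("Bob@Example.org"), BREACH_CORPUS_EMAILS))
```

Note that `server_check` returns a hit for `alice@example.com` even though the vault spells it `Alice@Example.com`; without an agreed normalization rule the two sides would hash different bytes and silently miss the match. The `dictionary_reverse` call is the caveat in code form: the digest of any address on the receiving side's candidate list is trivially reversed.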