The reality of online security today is that you never know what might happen next, but unfortunately a breach is probably part of that reality. It might occur to a site where you don’t have an account, but you very well might. Depending on the visibility of the breach in the media, and if the company is sending emails to users notifying them of the breach, you may not find out about the breach.
So what do you do? How do you keep track of the rapidly changing security without letting it consume your mental space? That’s where LastPass and PasswordPing come into play. LastPass partners with PasswordPing, a database with billions of compromised credentials, to offer breach alerts on the email addresses stored in your LastPass account. This means that as part of their account service, LastPass users have the information they need, in real-time, to protect themselves from the aftermath of a breach.
How PasswordPing works
PasswordPing uses a combination of manual research and customized tools to continuously gather credentials that are exposed on the Internet and Dark Web to build their database of compromised credentials. Through our partnership, LastPass is able to perform daily checks both LastPass account email addresses and the emails stored in the vault as usernames against the database of emails leaked in known breaches. If a LastPass account email address is found on the list, users receive an email to let them know where their email address was leaked.
If you receive a breach alert email, it’s important to update that account with a new, random, strong password using the built-in password generator. As always, be sure to use a unique password every time.
You’re probably also familiar with the LastPass Security Challenge, which identifies compromised passwords (as well as weak, reused and old ones). We also leverage the PasswordPing database when running the Security Challenge. When matches are found, alerts are sent to affected email addresses.
Security first, always
LastPass always holds the security of our users and the protection of their information as number one priority. This holds true with our PasswordPing relationship. It starts with PasswordPing securely transmitting a list of leaked emails to LastPass servers so we can check for matches to LastPass account emails. Also, when a user runs the Security Challenge, LastPass locally-generates SHA-256 hashes of the LastPass account email address and the email addresses stored in the vault. With the user’s permission, those hashes are sent over a 256-bit encrypted SSL connection to PasswordPing to check for matches against the hashed emails in their historical database. No passwords or password hashes are ever sent to PasswordPing.
Breach alerts powered by PasswordPing are available to all LastPass users. If you’d like, you can opt-out by unchecking specific email addresses, or skipping the breach check entirely.