sentry alert

PostPosted: Sun Jan 20, 2019 12:01 pm
by john721
Hi, I just got this email from LastPass.
I can't recall having an email of this type before - one item goes back to 2016.

What should I do about them?

Email: Hello ****@************************ (I've left data blank for security)

The results of the data compromise report you have requested are in the table below.

We are showing 3 exposures, with 3 of them being new since the last time this was run.

The new exposures are in bold below.
2016-07-31 - exploit.in database compilation
2016-12-23 - Anti Public
2018-11-27 - Unknown source (2018-11-27 23:15:58)

Re: sentry alert

PostPosted: Tue Jan 22, 2019 11:02 am
by Goalieguy16
I would also like some direction in regards to this email. I haven't had any issues with exposures since I started using LastPass, now all of a sudden it says I have eleven!? There is not enough relevant data tied to each exposure for me to do anything to rectify it. Assistance needed ASAP please!

Re: sentry alert

PostPosted: Tue Jan 22, 2019 1:30 pm
by FlyingHawk
Using LastPass doesn't prevent the sites you use from leaking your data. Data breaches are very common nowadays.

LastPass flags "compromised passwords" based on the site URL only, it doesn't check whether your username/email or password are actually in the breach.

LastPass Sentry alerts you of an exposure based on your email only.
Because some leaked data dumps contain email+password pairs only, and have no info on the source website, you may receive an exposure alert without seeing any site in your vault flagged as "compromised".

LastPass doesn't check if your actual passwords are in any breaches/dumps, because the service LastPass uses to check for exposures doesn't provide a secure interface/API to check passwords.

To provide more concrete information, LastPass has to implement a secure way to check whether our actual passwords are in a breach or data dump.
One such service (and probably the only one) is "Pwned Passwords" from "Have I Been Pwned" (HIBP):
https://haveibeenpwned.com/Passwords

You can join other users to request LastPass to integrate HIBP here:
viewtopic.php?f=7&t=321495
Please also open a support ticket to voice your request:
https://lastpass.com/supportticket.php
It's important to open a support ticket, because the forum is basically abandoned by LastPass.

You can read some more details (my posts) here:
viewtopic.php?f=7&t=321495&start=40#p1076505
viewtopic.php?f=7&t=321495&start=50#p1076845
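As an added illustration of the "secure interface" FlyingHawk refers to (this is example code, not LastPass's or HIBP's own code): Pwned Passwords is queried by the first five hex characters of the password's SHA-1 hash, the server returns every suffix it knows for that prefix, and the match is made locally, so the password itself and even its full hash never leave the client. The range response embedded here is a constructed sample; the real endpoint URL and the hash of "password" are real, all counts and the other suffixes are made up.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines returned for one 5-char prefix into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def count_in_range(password: str, prefix: str, body: str) -> int:
    """How often the password appears, given the range response for its prefix.
    Only the 5-char prefix is ever sent; matching the 35-char suffix is local."""
    full = sha1_hex(password)
    if full[:5] != prefix.upper():
        raise ValueError("range response is for a different prefix")
    return parse_range_response(body).get(full[5:], 0)


def pwned_count(password: str) -> int:
    """Live check against HIBP (needs network); the offline sample below does not use it."""
    prefix = sha1_hex(password)[:5]
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix) as resp:
        return count_in_range(password, prefix, resp.read().decode("utf-8"))


# Constructed sample of a range response for prefix 5BAA6 (the real prefix of
# SHA-1("password")); the other two suffixes and all counts are made-up values.
SAMPLE_PREFIX = "5BAA6"
SAMPLE_RANGE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""

if __name__ == "__main__":
    n = count_in_range("password", SAMPLE_PREFIX, SAMPLE_RANGE)
    print(f"'password' seen {n} times in the sample range")
```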