I use both the LastPass Chrome plug-in and the Android mobile app and use them regularly, consistently. When I signed up for LastPass, I purposely created a new email address solely for the purpose of my LastPass login and communicating with LastPass. I use it for nothing else -- not EVER. However, this morning I received a spam/phish email in that account. Since I use this email account for NOTHING but LastPass, there are very few ways someone could have obtained this address: 1) from the email provider, 2) from LastPass, or 3) by sniffing networks where I am operating.
I will monitor this situation but wanted someone here to be aware of it. I knew that creating a ticket would be pointless; it would just be discounted. But I felt it should be brought to your attention.