[dmurdoch]

> Even when requests do come in, the company can only provide limited data, they added. That includes customer contact information, billing addresses and IP addresses. It could also reveal what apps a customer is storing passwords for in LastPass

> what apps a customer is storing passwords for

I guess that means if you have any passwords stored for a website you don't want anyone to know about, put it under a note with an unrelated or gibberish title? The fact they reveal the apps is kinda lame.

[aasasd]

> put it under a note with an unrelated or gibberish title

More like, don't use Lastpass if they can't keep all your password-use data on the client side, which is supposed to be their entire shtick? This detail about the metadata leak should be the main outtake, if not the news of the day.

When I looked into using Lastpass, I asked them on the support forum why their own documentation says they can alert you when emails you use on websites appear in leaks, if the password database is supposed to be inaccessible by the Lastpass backend. They said I'm reading the docs wrong and it's only the Lastpass account email that they alert about. I re-checked the docs: nope, clearly says website accounts that I put into the database.

Here's the thread, which has a screenshot of the docs at that time: https://forums.lastpass.com/viewtopic.php?f=12&t=165485

In the end they said the checks are done locally—by downloading dozen-gigabyte leak archives like the exploit.in, I guess? But still I suppose the alert emails are sent server-side. And the support saying I was “misquoting the manual” was enough for me.

[GoMonad]

> In the end they said the checks are done locally—by downloading dozen-gigabyte leak archives like the exploit.in, I guess?

I would guess they are doing the checks with a technique called k-anonymity. It doesn't require sending the password, nor does it send too much data to the client. Troy Hunt offers a service using this technique.

[aasasd]

They could do that in theory, yes, but we don't know if they did so back in 2015, or what they did at all. Because there was no documentation as to what actually was happening—except that emails which are in a leak are very likely exposed to the Lastpass backend, since LP sends a notification to that address.

And my objection here is not to a leak of passwords (as they're not what is checked)—I don't want my emails or usernames to be thrown around either.

[NikkiA]

That's not what that says at all, it's talking about apps associated with the service, ie firefox, chrome, the ios app, the android app.

It's utterly useless as metadata goes (it simply says 'I'm using lastpass', well duh) , but those auth tokens identify the customer's associated 'apps' and as such is metadata a court order can get at.

[zaroth]

Competently agree. Why should the app name be available without the master password?

[tinus_hn]

It might be the user agent sent with the storage and retrieval requests.