by GoMonad 2619 days ago
> In the end they said the checks are done locally—by downloading dozen-gigabyte leak archives like the exploit.in, I guess?

I would guess they are doing the checks with a technique called k-anonymity. It doesn't require sending the password, nor does it send too much data to the client. Troy Hunt offers a service using this technique.

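The k-anonymity range check referred to above, as an added illustration that is not code from the comment, from LastPass, or from Troy Hunt's service: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned suffixes locally, so the server never learns the full hash. The server stand-in, its filler suffixes and its counts are constructed here so the snippet runs offline.

```python
import hashlib
from typing import Callable, Dict

PREFIX_LEN = 5  # the range API takes the first 5 hex chars (20 bits) of the SHA-1

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password; the range lookup is keyed on SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(hexdigest: str) -> tuple:
    """Split a 40-char digest into the prefix sent to the server and the suffix kept locally."""
    return hexdigest[:PREFIX_LEN], hexdigest[PREFIX_LEN:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, one per hash in the requested range."""
    matches = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        matches[suffix.upper()] = int(count)
    return matches

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the corpus; only the 5-char hash prefix leaves the client.
    fetch_range(prefix) stands in for the HTTP GET to the range endpoint."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# --- Constructed stand-in for the server, so the example runs offline ---
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so it falls in range 5BAA6.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n"   # constructed count for "password"
        "0123456789ABCDEF0123456789ABCDEF012:7\n"     # constructed filler suffixes
        "FEDCBA9876543210FEDCBA9876543210FED:2\n"
    ),
}
SENT_PREFIXES = []  # records what the 'server' actually received

def constructed_fetch_range(prefix: str) -> str:
    SENT_PREFIXES.append(prefix)
    return CONSTRUCTED_RANGES.get(prefix, "")

if __name__ == "__main__":
    print(breach_count("password", constructed_fetch_range))               # 1234
    print(breach_count("correct horse battery", constructed_fetch_range))  # 0
    print(SENT_PREFIXES)  # only 5-char prefixes ever left the client
```

Because every client asking about the same prefix receives the same list, the server cannot tell which of the suffixes in that range the client actually holds.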

They could do that in theory, yes, but we don't know if they did so back in 2015, or what they did at all. Because there was no documentation as to what actually was happening—except that emails which are in a leak are very likely exposed to the Lastpass backend, since LP sends a notification to that address.

And my objection here is not to a leak of passwords (as they're not what is checked)—I don't want my emails or usernames to be thrown around either.