by conradk 4335 days ago
I don't think encrypting an email address would create any issues. In fact, if I were to provide a service, I'd save the hashed email address for easy authentication (i.e. hash the email given during a login and compare with the hash you have) and one encrypted version of the email address so I can use it if needed (to inform the user or whatever).

I started getting a lot of spam about one month ago too and even emailed LastPass a bit angry. But this Mozilla incident could well be the cause of the spam...

1 comments

The encrypted e-mail address has to be read somehow, so it's just as likely that an attacker gets the decryption key as the database itself (unless you use e.g. a hardware security module). That's probably good enough for e-mail addresses, but as you likely know, not acceptable for passwords.
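
The hash-for-lookup half of the scheme from the first comment, as an added example that is not code from either commenter. It swaps the plain hash for a keyed HMAC-SHA256 over a normalized address, so the lookup column depends on a server-side key just as the encrypted column does. `LOOKUP_KEY`, `UserStore` and the ciphertext placeholder are assumptions, and the encrypted copy is treated as opaque bytes produced elsewhere.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret held outside the database (generated here).
LOOKUP_KEY = secrets.token_bytes(32)


def normalize(email: str) -> bytes:
    """Canonical form so ' Bob@Example.com' and 'bob@example.com' match.
    Assumption: the service treats addresses as case-insensitive."""
    return email.strip().lower().encode("utf-8")


def plain_digest(email: str) -> str:
    """Unkeyed hash, as the comment literally describes. Anyone holding the
    column can recompute it for any address they want to check."""
    return hashlib.sha256(normalize(email)).hexdigest()


def lookup_digest(email: str, key: bytes = LOOKUP_KEY) -> str:
    """Keyed digest: recomputing it requires the key, not just the address."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()


class UserStore:
    """In-memory stand-in for a users table indexed by the lookup digest."""

    def __init__(self, key: bytes = LOOKUP_KEY):
        self._key = key
        self._rows = {}  # lookup digest -> row

    def register(self, email: str, encrypted_email: bytes) -> None:
        digest = lookup_digest(email, self._key)
        if digest in self._rows:
            raise ValueError("address already registered")
        # The ciphertext is stored as-is; no plaintext address is kept.
        self._rows[digest] = {"encrypted_email": encrypted_email}

    def find(self, email: str):
        """Return the row for a login attempt, or None if unknown."""
        return self._rows.get(lookup_digest(email, self._key))


if __name__ == "__main__":
    store = UserStore()
    store.register("Alice@Example.org", b"<ciphertext placeholder>")
    print(store.find(" alice@example.org") is not None)
    print(store.find("bob@example.org") is None)
```
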