The news isn’t great.
I’m reluctant to write yet another LastPass-based article, but it serves as a lesson that applies to almost anything you do online.
It’s about more than your password manager, and it’s true regardless of whether or not there’s been a breach.
Does my data remain online?
When you leave an online service, you should take proactive steps to delete or invalidate the data you have stored there. Unfortunately, if the service has been breached, the copy the attackers took is out of your control. Similarly, if the service is backing up properly, those backups may not be affected by your departure at all.
Your data, online
In the example I’m using — LastPass — you’ve placed some amount of data online, and have relied on LastPass to properly secure it.1
This applies to anything you place online. That includes the files you share, photos you upload, even email and messages that you exchange with others. You’re relying on the various services involved to store and manage your data securely as it resides on or traverses their servers.
What happens when you leave?
You need to take action
It’s not enough to just set up shop somewhere else. Once you’ve done so, you no longer need the original service, but moving does nothing to the information still stored there.
In our example, moving to 1Password is fine, but your information remains in your old LastPass account until you do something about it.
There are two actions you can consider taking:
- Close the account.
- Keep the account open, but delete individual entries from the account.
I tend to prefer the latter, only because the old account remains a safety net should something have been lost in the migration to the new service.
And, again, LastPass is our example, but this applies to any online service in which you have information stored.
And yet, it may not be enough.
When it’s too late
In the case of LastPass, or any service experiencing a breach, deleting items or closing your account after the fact doesn’t undo the breach. The damage has been done.
The information was already exposed to and copied by the hackers. This means no matter what you do at the service itself, you can’t affect what’s already been stolen. There’s no way for you to claw back the information from the hackers that have it.
That implies you have a couple of possible actions.
- Secure what’s been stolen. In the case of a password manager, that means changing the passwords at all the sites you consider important, starting with anything financial, email, and any account that can reset other accounts. Changing a password invalidates the copy the hackers have; the same goes for anything else you stored alongside the passwords, such as card numbers or security-question answers, which need to be replaced or changed at their source. In the case of other kinds of data, it really depends on exactly what that data is. There’s nothing, for example, to “undo” the release of your private emails — just ask any politician who’s been caught saying something they shouldn’t.
- Do nothing. Sometimes this is a choice. You may elect not to bother changing all the passwords that happened to be included in the LastPass breach, for example, just because there were too many, and there’s no data that says any passwords were actually compromised. Or there’s simply nothing you can do, such as those private emails.
The important thing to realize here is that once the information is out there, it’s out there. The genie cannot be put back in the bottle.
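Deciding which passwords to change first is easier with an export of the vault in hand. The script below is an added example, not code from this article or from LastPass or 1Password. It assumes a CSV export with the columns url, name, username, password and last_modified; the sample rows are constructed, and the last_modified column is an assumption, since not every manager includes a modification date in its export. The cutoff date is hypothetical and stands in for the day the breach became public. The script lists entries not rotated since the cutoff, oldest first, and groups entries that share a password, because a reused password that was exposed once is exposed everywhere it is used.

```python
"""Triage a password-manager export after a breach.

Added example, not part of the original article or any vendor's tooling.
Assumes a CSV export with columns url, name, username, password,
last_modified (ISO date). Column names and sample rows are constructed.
"""
import csv
import hashlib
import io
from datetime import date

# Constructed sample export (not real credentials). The last_modified
# column is an assumption: not every password manager exports one.
SAMPLE_EXPORT = """url,name,username,password,last_modified
https://bank.example,Bank,alice,Tr0ub4dor&3,2022-03-01
https://mail.example,Mail,alice@mail.example,Tr0ub4dor&3,2021-11-15
https://shop.example,Shop,alice,correct-horse-battery,2023-01-20
https://forum.example,Forum,alice77,hunter2,2019-06-30
"""

# Hypothetical cutoff: anything last changed before this date is treated as
# still carrying the value the attackers may hold.
CUTOFF = date(2022, 12, 22)


def fingerprint(secret: str) -> str:
    """Short, non-reversible tag used only to group reused passwords, so the
    clear-text password never appears in the report."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:12]


def triage(export_csv: str, cutoff: date):
    """Return (stale, reused).

    stale:  list of (name, url, last_modified) not rotated since cutoff,
            oldest first, so the longest-exposed credentials come first.
    reused: dict fingerprint -> [entry names] for passwords used by more
            than one entry.
    """
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    stale = []
    by_fingerprint: dict[str, list[str]] = {}
    for row in rows:
        modified = date.fromisoformat(row["last_modified"])
        if modified < cutoff:
            stale.append((row["name"], row["url"], modified.isoformat()))
        by_fingerprint.setdefault(fingerprint(row["password"]), []).append(row["name"])
    stale.sort(key=lambda entry: entry[2])
    reused = {fp: names for fp, names in by_fingerprint.items() if len(names) > 1}
    return stale, reused


def report(export_csv: str, cutoff: date) -> list[str]:
    """Render the triage as lines of text suitable for a to-do list."""
    stale, reused = triage(export_csv, cutoff)
    lines = [f"{len(stale)} entries not rotated since {cutoff.isoformat()}:"]
    lines += [f"  {name} ({url}) last changed {when}" for name, url, when in stale]
    for fp, names in reused.items():
        lines.append(f"password {fp} reused across: {', '.join(names)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXPORT, CUTOFF)))
```

Run it against a real export only on a machine you trust, and delete the export file afterwards; the clear-text CSV is exactly the kind of copy this article warns about.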
Still out of your control
Let’s say all is well. There’s been no hack, no breach, and the service is living up to its security and privacy obligations.
You elect to move elsewhere for other reasons.
You do all the right things. Perhaps you close your account. Perhaps you delete your data. The result is that your information is no longer available online. Great.
The service may still have a copy of your data. In fact, it may have several copies: backups. As I said, the service is living up to its obligations, and one of those obligations is to ensure it can recover from problems. One of those safety nets is a comprehensive backup, just as it is for you.
Those backups aren’t deleted when you delete your data, or even when you delete your account. We also don’t know how long they’re kept — it’ll vary from service to service.
This means that your information could still exist at the service you’re no longer using. Access to backups is normally restricted to the service’s own staff and, with legal process, to law enforcement, but, again, it depends on the service in question. Backups can be breached like anything else, so data you deleted may live on in a copy you can’t see.
Do this
This all may sound like an argument against putting any data online ever. Not only is that impractical, but it’s not what I’m saying at all.
It’s impractical because you’re already doing it. Email and messaging apps are two kinds of online data, and they’re a necessity of day-to-day life for most of us.
For the most part, it’s also unnecessary. Most services are reputable, do the right thing, and secure your information properly. They’re safe to use and enable a wide variety of services and functionality.
What matters is that you understand what happens to your data, both while you use the service, and most importantly, if there’s a hack or when you leave. And yes, that means with a password manager such as LastPass, invalidating the information that’s potentially been stolen by changing your passwords may be a very good idea.
Footnotes & References
1: We can argue the nuances of “properly” — they did not — but I’ll reiterate that even after the breach, there is not one example of an actual password being exposed as a result. The passwords, at least, appear to have been properly secured.
I just recently discovered your YT channel and have subscribed… to your daily newsletter also. I’m a senior just trying to cope with today’s tech and you obviously know your stuff. But better yet, you can talk to us non-techies, too.
Welcome! And thanks! I do try.
I have long distrusted having my passwords held by a third party. What I use is pwsafe, originally by Bruce Schneier, now open source. I sync passwords between devices by using Dropbox. The only thing that exists outside of my world is an AES encrypted file.
“the only thing that exists outside of my world is an AES encrypted file” -> That’s essentially how password managers work in general.
Bernie, “I have long distrusted having my passwords held by a third party.”
“I sync passwords between devices by using Dropbox.”
Dropbox IS a third party holding your passwords. No different than having them with a password manager.
Yes, and a password manager can be safer, or at least, easier to stay safe than Dropbox because with a password manager, you don’t have to take care of your own encryption.
I’m still using LastPass, and I believed I’d done everything I could to properly secure my information/passwords (I changed my main password, I changed all my stored account passwords, and upgraded my password iterations count to 600,000), but I forgot that I had debit card info stored there too. I’ve had two unauthorized transactions appear on my checking account in the past year (months apart). I don’t remember whether I had my debit card information stored on LastPass before the breach so I cannot say that is why it happened. I am very proactive about reviewing my checking account information online and I caught both events the day they appeared as pending transactions, so I was able to successfully challenge them and get new cards (both times). Following the second event, I changed my pin and recovery information and removed my debit card data from LastPass (I should have done so the first time), so hopefully it won’t happen again.
Even though I have nothing to indicate that the above mentioned unauthorized transactions are the result in any way of the LastPass breach (they are both probably my fault/shortcoming), I intend to switch to 1Password after I review all my data on LastPass to see if there’s anything else I may have missed (account recovery information, etc.). I expect my review to take a month or two, and I still have to decide just how I will proceed. The review of my stored information should help me make that decision.
As a side note, I have frozen all my Financial Tracking Bureau accounts (Experian, etc.) so it is very unlikely that anyone can open a credit card or other financial account in my name.
I say all this to point out the fact that our Internet/online security is not the only thing we must protect. Our financial information is at least as important as our online identity/data.
I hope all this helps others,
Ernie (Oldster)
After saying I was going to have my wife re-sign up for LastPass since I had a deal, I’m now trialing 1Password. It seems her purchase with LastPass didn’t go through and we passed the date limit. So I said, let me try 1Password. It didn’t import our shared passwords, even though it was in the comma delimited file. But otherwise, seems OK
I don’t understand why anyone would use a debit card when credit cards are available. Many times in the 50+ years I’ve had credit cards I’ve needed to dispute a charge, and every time I’ve done so, the bank issuing the card has made me whole. I have never had a debit card and don’t see a single advantage, only risks and drawbacks. BTW, I’ve always paid all of my credit cards in full every monthly bill. I’ve never paid their usurious finance charges. I have six credit cards, all of which have no annual fee. And I get at least 2% cash back with every purchase, sometimes as much as 5%. What’s not to like? Maybe I’m able to benefit from this because my credit rating is always above 830 points.
I use my credit cards the same way. I’ve opened 0% APR for the first year cards to do major house repairs, but credit cards are a double edged sword. Too many people fall into the trap of maxing out their credit cards.