The news isn’t great.
I’m reluctant to write yet another LastPass-based article, but it serves as a lesson that applies to almost anything you do online.
It’s about more than your password manager, and it’s true regardless of whether or not there’s been a breach.
Does my data remain online?
When you leave an online service, you should take proactive steps to delete or invalidate the data you have stored there. Unfortunately, if the service has been breached, that hacked copy of your data is out of your control. Similarly, if the service is backing up properly, those backups may not be affected by your departure.
Your data, online
In the example I’m using — LastPass — you’ve placed some amount of data online, and have relied on LastPass to properly secure it. [1]
This applies to anything you place online. That includes the files you share, photos you upload, even email and messages that you exchange with others. You’re relying on the various services involved to store and manage your data securely as it resides on or traverses their servers.
What happens when you leave?
You need to take action
It’s not enough to just set up shop somewhere else. Once you’ve done so, that’s great, and you no longer need to use the original service, but that does nothing to the information stored there.
In our example, moving to 1Password is fine, but your information remains in your old LastPass account until you do something about it.
There are two actions you can consider taking:
- Close the account.
- Keep the account open, but delete individual entries from the account.
I tend to prefer the latter, because it remains a safety net should something have been lost in the migration to the new service.
And, again, LastPass is our example, but this applies to any online service in which you have information stored.
And yet, it may not be enough.
When it’s too late
In the case of LastPass, or any service experiencing a breach, deleting items or closing your account doesn’t really help. The damage has been done.
The information was already exposed to and copied by the hackers. This means no matter what you do at the service itself, you can’t affect what’s already been stolen. There’s no way for you to claw back the information from the hackers who have it.
That implies you have a couple of possible actions.
- Secure what’s been stolen. In the case of a password manager, that means changing the passwords at all the sites you consider important. This invalidates anything the hackers may have in their possession. In the case of other kinds of data, it really depends on exactly what that data is. There’s nothing, for example, to “undo” the release of your private emails — just ask any politician who’s been caught saying something they shouldn’t.
- Do nothing. Sometimes this is a choice. You may elect not to bother changing all the passwords that happened to be included in the LastPass breach, for example, just because there were too many, and there’s no data that says any passwords were actually compromised. Or there’s simply nothing you can do, such as those private emails.
The important thing to realize here is that once the information is out there, it’s out there. The genie cannot be put back in the bottle.
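As an added example (not from the article or from LastPass), here is one way to triage a vault export before changing passwords: it reads a CSV in the column layout assumed for a LastPass export, moves entries that sit in a folder you mark important, or that share a password with another entry, to the front of the rotation list, and never prints the passwords themselves.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout assumed for a LastPass CSV export
# (url,username,password,totp,extra,name,grouping,fav); every value is made up.
SAMPLE_EXPORT = """url,username,password,totp,extra,name,grouping,fav
https://mail.example.com,alice,hunter2-mail,,,Email,Critical,1
https://bank.example.com,alice,hunter2-bank,,,Bank,Critical,1
https://forum.example.com,alice,hunter2-mail,,,Forum,Misc,0
https://shop.example.com,alice,shop-only-pw,,,Shop,Misc,0
"""

# Folders ("grouping") whose entries are rotated first; chosen for this example.
IMPORTANT_GROUPS = {"Critical"}


def load_entries(csv_text):
    """Parse an export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def reused_password_groups(entries):
    """Names of entries that share a password, grouped together. The password
    itself is never returned, so the report can be kept or shared safely."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["name"])
    return [names for names in by_password.values() if len(names) > 1]


def rotation_plan(entries, important_groups=IMPORTANT_GROUPS):
    """Split entries into (rotate_first, rotate_later).

    An entry goes first if it sits in an important folder or if its password
    is reused elsewhere: once one site's copy is exposed, every site sharing
    that password is exposed too, whatever folder it lives in.
    """
    reused = {name for group in reused_password_groups(entries) for name in group}
    first, later = [], []
    for e in entries:
        urgent = e["grouping"] in important_groups or e["name"] in reused
        (first if urgent else later).append(e["name"])
    return first, later


if __name__ == "__main__":
    entries = load_entries(SAMPLE_EXPORT)
    first, later = rotation_plan(entries)
    print("Rotate first:", ", ".join(first))
    print("Rotate later:", ", ".join(later))
    for group in reused_password_groups(entries):
        print("Same password shared by:", ", ".join(group))
```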
Still out of your control
Let’s say all is well. There’s been no hack, no breach, and the service is living up to its security and privacy obligations.
You elect to move elsewhere for other reasons.
You do all the right things. Perhaps you close your account. Perhaps you delete your data. The result is that your information is no longer available online. Great.
The service may still have a copy of your data. In fact, they may have several copies. They’re called backups. As I said, the service is living up to its obligations, and one of those obligations is to ensure they can recover from problems, and one of those safety nets is a comprehensive backup. Just as it is for you.
Those backups aren’t deleted when you delete your data, or even when you delete your account. We also don’t know how long they’re kept — it’ll vary from service to service.
This means that your information could still be available via the service you’re no longer using. Typically, access is restricted to law enforcement, but, again, it depends on the service in question. In theory, I suppose, backups could be hacked into, but I’ve never heard of that happening even once.
This all may sound like an argument against putting any data online ever. Not only is that impractical, but it’s not what I’m saying at all.
It’s impractical because you’re already doing it. Email and messaging apps are two kinds of online data, and they’re a necessity of day-to-day life for most of us.
For the most part, it’s also not necessary. Most services are reputable, do the right thing, and secure your information properly. They’re safe to use and enable a wide variety of services and functionality.
What matters is that you understand what happens to your data, both while you use the service, and most importantly, if there’s a hack or when you leave. And yes, that means with a password manager such as LastPass, invalidating the information that’s potentially been stolen by changing your passwords may be a very good idea.
Footnotes & References
1: We can argue the nuances of “properly” — they did not — but I’ll reiterate that even after the breach, there is not one example of an actual password being exposed as a result. The passwords, at least, appear to have been properly secured.