Why am I being asked to share information with Enzoic?

    The dark web monitoring feature in the Security Dashboard of your LastPass vault is provided through an integrated partnership with Enzoic (formerly known as PasswordPing).

    When you select Start monitoring (as an end user) or enable the "Control dark web monitoring" policy (if you are a LastPass Business admin), the following happens:
    1. Permission is granted for LastPass to share a hashed version of the email addresses (associated with the stored items within the user's LastPass vault) with Enzoic's monitoring system.
    2. These hashed email addresses are checked against Enzoic's database of hashed email addresses leaked in known breaches.
      Notice: In addition to providing real-time monitoring of your email addresses, LastPass retroactively checks against breaches for up to one year prior to the date that dark web monitoring is enabled (only once, at the time of sign-up).
      • If Enzoic determines that any of the email addresses have been compromised (i.e., the hashed email address LastPass shares with Enzoic matches the hashed version they have in their list of compromised email addresses), LastPass relays this information in the form of dark web monitoring alerts: an email notification, an in-product message alert in the Security Dashboard, and a "Compromised" status indicator next to the email address in the dark web monitoring pane. Because the comparison is made between hashed values, the email addresses associated with your vault items are never sent from LastPass and never known to Enzoic; only hashed versions of the email addresses are used on both sides.
      • If none of the hashed email addresses have been compromised, the email addresses display a "Secure" status in the dark web monitoring pane of the Security Dashboard.
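
The matching and status steps above, modelled as an added example (this is not LastPass or Enzoic code). The hash function (SHA-256), the trim/lowercase normalization, the sample breach index and every function name are assumptions, since the page does not specify them.

```python
import hashlib
from datetime import date, timedelta

# Assumption: the page names neither the hash function nor the normalization;
# SHA-256 over the trimmed, lowercased address is used for illustration only.
def hash_email(address: str) -> str:
    return hashlib.sha256(address.strip().lower().encode("utf-8")).hexdigest()

# Constructed sample of the monitoring side's data: hashed address -> breach dates.
BREACH_INDEX = {
    hash_email("alice@example.com"): [date(2023, 11, 2)],
    hash_email("bob@example.com"): [date(2021, 3, 15)],
}

LOOKBACK = timedelta(days=365)  # "up to one year prior" to enabling monitoring

def initial_check(vault_emails, enabled_on, index=BREACH_INDEX):
    """One-time retroactive check at sign-up; only hashes are compared."""
    cutoff = enabled_on - LOOKBACK
    statuses = {}
    for address in vault_emails:
        digest = hash_email(address)       # sharing side: hash before sending
        dates = index.get(digest, [])      # monitoring side: hash-to-hash lookup
        hit = any(cutoff <= d <= enabled_on for d in dates)
        statuses[address] = "Compromised" if hit else "Secure"
    return statuses

def on_new_breach(monitored_hashes, breached_hashes):
    """Real-time monitoring: monitored hashes that appear in a new breach."""
    return sorted(set(monitored_hashes) & set(breached_hashes))

if __name__ == "__main__":
    vault = ["Alice@Example.com ", "bob@example.com", "carol@example.com"]
    for addr, status in initial_check(vault, date(2024, 6, 1)).items():
        print(f"{addr!r}: {status}")
```

Both sides must apply the same normalization before hashing, otherwise a case or whitespace difference makes identical addresses produce different hashes and the match is missed.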

    [Image: dark web monitoring alert in Security Dashboard]

    LastPass operates on a zero-knowledge security model, where all encryption and decryption occur locally on the user's device, not on our servers. This means that your sensitive vault data is only transferred to LastPass once it has been encrypted, and never travels over the Internet unencrypted. The same is true for our partnership with Enzoic. Your passwords are never transferred or visible to anyone (because they remain encrypted); only hashed versions of the email addresses for your vault item entries are provided to Enzoic in order to monitor them against their database of compromised email addresses. Please be aware that only your hashed email addresses will be shared with Enzoic, and that they will not be used for any purpose other than monitoring for security breaches.