There are a few scenarios to consider.

Database Compromised

If our database is compromised (for example, someone got a list of all users and their hashed passwords), there are still some safeguards. We salt your hashed password with a user-specific salt, and a server-specific salt. The server-specific salt is not stored in the database. In this event, it would be practically impossible for someone to obtain your password, unless they know the server salt.

Server Compromised

If the server is compromised and someone deploys malicious code, there isn't much they can do. Your device expects an encrypted message that basically says "start the wipe". The server does not encrypt the message, your browser does. The server is simply there to pass the message from your browser to your device. Even if the server is compromised, it does not have enough information to generate an encrypted message that the device will understand, because it does not know your password. The most an attacker could do is send a "password reset" message to your device, effectively rendering the find and wipe capabilities useless, until you log back in on the device.

Password Compromised

If your password is compromised, an attacker can remotely wipe or locate your phone. It is up to you to choose a secure password, just as you would with any other web service.
As for the security, I'll write up something in more detail later in the week, as the entire process is complex and too much information for a comment on a post. The important thing to know is that your location is never sent to our servers in plaintext. All messages between your browser/device are encrypted using AES256. The key that is used for these encrypted messages is exchanged between the browser/phone using ECDH. The server only ever knows the public keys of both parties, which is not enough information to calculate the AES key. Even if the server generates its own public key, all messages are signed using HMAC-SHA256, where the key is derived from your password and a random salt using PBKDF2.