LastPass says its almost 12-hour outage yesterday was caused by a bad update to its Google Chrome extension.
Starting at around 1 PM ET yesterday, LastPass users were suddenly unable to access their password vaults or log into their accounts, instead seeing "404 Not Found" errors, which typically indicate a page does not exist.
The impact did not go unnoticed, with LastPass customers venting their frustration on Reddit and Twitter about the outage and their inability to retrieve their saved credentials and log in to sites.
"Even their offline login doesn't work. I'm shifting my family over to 1Password," a person on Reddit wrote.
"I can't believe they don't have contingencies in their infrastructure. I am essentially locked out of all the websites I use until they fix this," said another user.
At approximately 8 PM ET, LastPass said they resolved the issue, stating that a bad update to the Chrome extension put too much stress on their servers.
"Our engineers have identified that an update to our chrome browser extension earlier today inadvertently caused load issues on our backend infrastructure," reads the LastPass status page.
"We are working hard to address the issue and are actively working towards a resolution."
Throughout Friday, LastPass continued with new status updates stating that performance is now stable and operational.
However, users continued to complain into today that since they installed June 6th update, they have been unable to log in to LastPass, or certain features didn't work, indicating that the outage lasted longer than initially stated.
"Won't work in Chrome since the last update. I can access my vault, but cannot launch any of the sites I have in it. Clicking the "Launch" button does nothing!!," reads a review on the Chrome web store.
It is unclear what changes were made to the Chrome extension, but for it to affect the company's online services, it likely meant that the extension was creating too many requests, essentially DDoSing the platform.
Update 6/7/24: LastPass shared the following statement about the outage:
LastPass customers may be experiencing login issues and product latency due to an update to our Chrome browser extension earlier today which inadvertently caused load issues on our backend infrastructure. The LastPass engineering team is actively working diligently to resolve these issues as quickly as possible. Customers can visit the LastPass Status Page for updates and details on product components that are experiencing login and latency issues.
Comments
joshwenke - 3 weeks ago
Looking at the past headlines on LastPass, I am surprised that anyone would still use them. This recent outage does not surprise me in the least. (https://www.bleepingcomputer.com/tag/lastpass/)
- LastPass is now encrypting URLs in password vaults for better security (why were they not doing this the whole time? 1Password has been doing this for years)
- Cybercriminals pose as LastPass staff to hack password vaults
- LastPass: Hackers targeted employee in failed deepfake CEO call
- Fake LastPass password manager spotted on Apple’s App Store
- LastPass now requires 12-character master passwords for better security (LOL, too little, too late)
- LastPass breach linked to theft of $4.4 million in crypto
- LastPass users furious after being locked out due to MFA resets
- Lastpass: Hackers stole customer vault data in cloud storage breach
- GoTo says hackers breached its dev environment, cloud storage
- Lastpass says hackers accessed customer data in new breach
- LastPass says hackers had internal access for four days
- LastPass users warned their master passwords are compromised
- Keep your passwords secure with 30% off LastPass Premium (Haha, thought it was funny that BleepingComputer was advertising LastPass. Good thing they haven't done that for a couple years!)
- LastPass Mistakenly Removes Extension from Chrome Store, Causes Outage
- Vulnerability Rendered LastPass Two-Factor Authentication Useless
- LastPass Bugs Allow Malicious Websites to Steal Passwords
joshwenke - 3 weeks ago
For those that will inevitably defend LastPass (perhaps @ChipBoundary from the thread on April 18, 2024), I encourage you to compare their security practices to other password managers.
Here are headlines from 1Password. One security incident, and it didn't involve any customer data and was immediately addressed by the 1Password security team.
https://www.bleepingcomputer.com/tag/1password/
Cavehomme - 3 weeks ago
No need for you to plug 1Password, there are plenty of other very secure apps available, such as the open-source based:
Bitwarden
KeePass
ProtonPass
Plenty of other closed-source apps too, such as Dashlane.
Mr.Tom - 2 weeks ago
And don't forget the old tried and true pen & paper. ;)