Staff Writer AccountingWEB

LastPass manages to hide passwords from users

Who can you trust when your password management service is withholding your passwords? LastPass has come under fire for yet another issue with its service.

30th Jan 2020

From 17 January, users of the password management platform LastPass began reporting issues accessing their password storage system. Unable to access their accounts, users found their passwords were securely stored away from them.

LastPass tweet

A large number of users were denied access to their passwords on LastPass’s site and across its range of apps, with the majority receiving the error message: “An error has occurred while contacting the LastPass server. Please try again later.”

LastPass then took three days to respond publicly to its users after the issue was first reported, with many user reports going unanswered by the service. When the password management service finally responded, it denied having any issues, saying “no service issues have been identified.”

LastPass tweet

When contacted by AccountingWEB, the service did not comment on the issue.

The prolificacy of passwords

According to McAfee, computer users have an average of 23 online accounts that require a password. With varying rules on complexity, most of these sites now require passwords of at least eight characters that include numbers, lowercase and uppercase letters, and symbols. As a result, password managers are highly useful tools that integrate with a wide variety of browsers to automatically provide a whole host of passwords.

It is unsurprising, therefore, that a company dealing with private information and whose reputation relies on transparency came under fire for such a delayed and contrary response. Instead of an acknowledgement, users were advised to reinstall apps, log out and in again, clear caches, and the usual ‘where did you last have it?’ advice.

A history of LastPass issues

According to SiliconANGLE, “Transparency should be at the top of the company’s list given its previous issues.” The technology media company is referring to LastPass’s turbulent past – being hacked in 2015, a 2016 vulnerability, two security issues in 2017 leaving passwords exposed, a five-hour outage in October 2018, and an autumn 2019 bug that leaked user login credentials. These major issues do not include the usual host of glitches experienced by sites regularly attracting high user traffic.

A mere nine hours later, the password management service acknowledged that the issue had existed, tweeting: “RESOLVED: After a thorough investigation, we've identified and resolved the login errors caused by a bug in a recent release impacting a small set of users. This has been resolved and all services are now functional.”

Another 24 hours and an apology tweet was finally released:

LastPass tweet

This was later followed by an official response from LastPass: “Over the weekend, a small group of LastPass users may have experienced error messages when attempting to log into their accounts. The LastPass team identified the isolated issue, confirmed it was not a widespread outage, and it has been completely resolved. All services are now working, and no user action is needed.  

“Through our investigation, we determined it was the result of a recent product release and only a very limited set of users with a particular history were affected. The LastPass team identified this bug and rolled back the recent release, stopping this type of behavior. There is no user action needed.”

Last troubles have not yet passed

Unfortunately, LastPass found itself in the news again only two days later. This time, the service was forced to admit via its status report page and Twitter account that it had “accidentally removed” its LastPass extension from the Chrome Web Store.

Leaving users with 404 error messages, LastPass confirmed that it was “working with the Google team to restore” the extension once it was “finished being reviewed by Google”. However, the service failed to offer any explanation for how its extension had “accidentally” been removed.

Forgive and forget

LastPass has announced that it “will conduct an internal investigation of this issue and make appropriate improvements to [its] systems to help prevent or minimise future recurrence.”

But despite malfunctions, leaks and bugs, and an inundation of competitors, LastPass remains the most popular global password manager according to the 2019 password manager report. It just goes to show, the bigger the brand, the less deterred users are by security breaches.

Replies (3)


Sarah Douglas - HouseTree Business Ltd
By sarah douglas
30th Jan 2020 18:01

Hi

We pay for LastPass Enterprise and we have had none of the issues mentioned about the server.

Like all companies, they probably take more care of paid clients. There is no such thing as a free lunch.

Thanks (2)
By pauljohnston
31st Jan 2020 12:15

We too used paid accounts and have had none of the problems.

Thanks (0)
By jamesalls
31st Jan 2020 16:49

We used LastPass Business for several years - following personal use it was perfect.

Sadly things went downhill for us; billing issues relating to tax treatment, slow support and constant issues with the Chrome plugin. What was the nail in the coffin was when they just hiked the price to a ridiculous amount for minimum number of users when we didn't need that many.

One thing that they did provide was a good export data tool allowing us to move to another solution.

Not everyone will be unhappy with LastPass, they do provide a service that IMO should be compulsory for business to force staff to use - we were delighted with what they offered for years but since competitors had matured and surpassed LastPass I can only say that you shouldn't be tolerating shoddy failures of a service since there are excellent alternatives!

Thanks (1)