LastPass manages to hide passwords from users
Who can you trust when your password management service is withholding your passwords? LastPass has come under fire for yet another issue with its service.
From 17 January, users of the password management platform LastPass began reporting issues accessing their password storing system. Unable to access their accounts, users found their passwords were securely stored away from them.
A large number of users were denied access to their passwords on LastPass’s site and across its range of apps, with the majority receiving the error message: “An error has occurred while contacting the LastPass server. Please try again later.”
LastPass then took three days to respond publicly to its users after the issue was first reported, with many user reports going unanswered by the service. When the password management service finally responded, it denied having any issues, saying “no service issues have been identified.”
When contacted by AccountingWEB, the service did not comment on the issue.
The prolificacy of passwords
According to McAfee, computer users have an average of 23 online accounts that require a password. With varying rules on complexity, most of these sites now require passwords with a minimum of eight characters, numbers, lowercase and uppercase letters, and symbols. As a result, password managers are highly useful tools that integrate with a wide variety of browsers to automatically provide a whole host of passwords.
It is unsurprising, therefore, that a company dealing with private information and whose reputation relies on transparency came under fire for such a delayed and contrary response. Instead, users were advised to reinstall apps, log out and in again, clear caches, and the usual ‘where did you last have it?’ advice.
A history of LastPass issues
According to SiliconANGLE, “Transparency should be at the top of the company’s list given its previous issues.” The technology media company is referring to LastPass’s turbulent past – being hacked in 2015, a 2016 vulnerability, two security issues in 2017 leaving passwords exposed, a five-hour outage in October 2018, and an Autumn 2019 bug that leaked user login credentials. These major issues do not include the usual host of glitches experienced by sites regularly attracting high user traffic.
It was a mere nine hours later that the password management service acknowledged the issue had existed, when it tweeted: “RESOLVED: After a thorough investigation, we've identified and resolved the login errors caused by a bug in a recent release impacting a small set of users. This has been resolved and all services are now functional.”
Another 24 hours and an apology tweet was finally released.
This was later followed by an official response from LastPass: “Over the weekend, a small group of LastPass users may have experienced error messages when attempting to log into their accounts. The LastPass team identified the isolated issue, confirmed it was not a widespread outage, and it has been completely resolved. All services are now working, and no user action is needed.
“Through our investigation, we determined it was the result of a recent product release and only a very limited set of users with a particular history were affected. The LastPass team identified this bug and rolled back the recent release, stopping this type of behavior. There is no user action needed.”
Last troubles have not yet passed
Unfortunately, LastPass found itself in the news again only two days later. This time, the service was forced to admit via its status report page and Twitter account that it had “accidentally removed” its LastPass extension from the Chrome Web Store.
Leaving users with 404 error messages, LastPass confirmed that it was “working with the Google team to restore” the extension once it was “finished being reviewed by Google”. However, the service failed to offer any explanation for how its extension had “accidentally” been removed.
Forgive and forget
LastPass has announced that it “will conduct an internal investigation of this issue and make appropriate improvements to [its] systems to help prevent or minimise future recurrence.”
But despite malfunctions, leaks and bugs, and an inundation of competitors, LastPass remains the most popular global password manager according to the 2019 password manager report. It just goes to show, the bigger the brand, the less deterred users are by security breaches.