LastPass Knocked Offline, Freezing Out Password Users

UPDATED 2:30 p.m. EST Nov. 26 with post-mortem report from LastPass. This story was originally posted at 12:10 p.m. EST Nov. 20.

Servers for LastPass, the widely user password manager, were offline for part of Tuesday (Nov. 20) as the company worked to fix the problem.

Credit: Shutterstock

(Image credit: Shutterstock)

That's a problem, as LastPass's millions of users normally need to connect to the servers to log into websites.

"Cannot login to app or website right now to retrieve my passwords," posted commenter @QuestForEnergy on the DownDetector.com website. "Kinda need my password service available and I can't log in," posted commenter @database_ninja on the same page.

"We are currently working to resolve the intermittent connectivity issue when attempting to load @LastPass," stated the @LastPassStatus Twitter feed. "Offline mode is your best alternative as it is fully operational; more updates to follow soon."

MORE: Best Password Managers

On desktops, LastPass normally runs via browser extensions that connect to LastPass' servers, and the browser extensions are supposed to switch automatically to offline mode if the server connections are lost. (It helps if you're already logged into LastPass when the server goes down.)

The extensions cache local copies of the user's password vault for exactly such occurrences. The LastPass mobile apps, which don't rely on browsers, also maintain local caches.

But many LastPass users on Reddit said they weren't having much luck with offline mode, at least not on desktops.

"Firefox extension is not failing over to offline mode and I can't login at all," posted maxxxxpower on the Reddit r/Lastpass board.

"Phone still works but not the web. This really sucks," wrote djstinger757. "I am not able to have the addins for the browsers here at work so I rely on the web. This is stopping me from getting work done."

However, many of the Reddit posters said they could still access their passwords in their mobile apps.

The LastPass outage started just after 9:00 a.m. Eastern Standard Time Tuesday morning, according to DownDetector.com and LastPass' own status page.

UPDATE: The LastPassStatus Twitter feed said about 1:30 p.m. Eastern time that "we've isolated the issue to be a data center connectivity problem."

"Our team is working hard to fix it as we type," the tweet continued. "Additionally, we want to clarify any chatter: this is not a security related issue."

We'll keep you posted with further developments.

UPDATE: LastPass's status page posted just before 3 p.m. Eastern time that the issue had been resolved. The number of reports at DownDetector dropped off around that time, and many Reddit commenters said they could finally get in.

UPDATE: LastPass posted a post-mortem analysis of the outage on its blog Nov. 21, determining that "the issue originated within our own infrastructure and there was no indication that an external party had accessed our servers and conducted any nefarious actions."

The outage resulted from "corrupt network packets" being sent within LastPass' internal network, which did not result in any spike in network traffic.

But it took a long time to diagnose the problem because LastPass's engineers had rolled out a code update that morning, and other services like Facebook and Instagram were also reporting connectivity problems. Once those factors had been eliminated as causes, switching to a backup data center finally solved the problem.

LastPass said it would be adding more data center capacity as a result of the outage. The company also plans to review its offline mode, which is supposed to switch on automatically once the connection to LastPass' servers is lost. But because "connectivity was intermittent for users throughout the day, offline mode did not kick in properly causing additional frustration and confusion for some users."

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.