Famous SSL Certificate Expiry Disasters
Real-world SSL certificate expiry incidents at Microsoft, Spotify, LinkedIn, and more. What happened, what it cost, and how monitoring would have prevented it.
SSL certificate expiry isn't a small-company problem. It's an everyone problem. Microsoft, Spotify, LinkedIn, and some of the largest organizations in the world have all been taken down by a single expired certificate. These outages weren't caused by sophisticated attacks or complex technical failures. They were caused by something expiring that nobody was watching.
Here are the incidents that prove it can happen to anyone -- and what you can learn from each one.
Microsoft Teams Outage (February 2020)
What happened: On February 3, 2020, Microsoft Teams went down for approximately three hours. The cause was an expired authentication certificate that Microsoft forgot to renew.
The impact: Millions of users worldwide couldn't sign in, send messages, or join meetings. This was early 2020 -- right when remote work was becoming critical. The outage hit during business hours in the Americas and affected enterprise customers who depended on Teams for daily communication.
Why it happened: The certificate used for authenticating Teams services expired. Microsoft's internal processes didn't flag it in time. The renewal was a manual step that fell through the cracks.
What it cost: Beyond the direct impact on millions of users, Microsoft faced significant reputational damage. The incident became a case study in certificate management failures.
The irony
Microsoft is one of the largest certificate authorities in the world through its Azure services. The certificate expertise existed within the organization -- but the monitoring process didn't catch this specific certificate.
Spotify Outage (August 2020)
What happened: Spotify experienced a significant outage when an expired SSL certificate disrupted its backend services. Users couldn't stream music, access playlists, or log in to their accounts.
The impact: Millions of listeners worldwide were affected. For a service that prides itself on reliability and uptime, the outage was particularly damaging during peak listening hours.
Why it happened: A certificate within Spotify's infrastructure expired without being renewed. The certificate was part of the internal service-to-service communication, making it harder to track than a public-facing certificate.
The lesson: Internal certificates are just as critical as public ones. When services talk to each other over TLS (and they should), those certificates need monitoring too. Internal certs often have longer validity periods, which makes them easier to forget about.
LinkedIn Shortened URLs (November 2021)
What happened: LinkedIn's shortened URL service (lnkd.in) stopped working when its SSL certificate expired. Every shortened link shared on the platform -- in posts, messages, and profiles -- became inaccessible.
The impact: Millions of shared links broke simultaneously. Users clicking on LinkedIn links got browser security warnings instead of the content they expected. For a professional networking platform, broken links in shared content undermine trust.
Why it happened: The certificate for the lnkd.in domain expired. This was a separate domain from linkedin.com, managed by a different process. It's a textbook example of certificates on secondary domains being overlooked.
The lesson: Your main domain probably gets attention. But what about your URL shortener, your CDN domain, your API subdomain, your staging environment? Every domain serving HTTPS needs monitoring.
Equifax Breach Connection (2017)
What happened: This one is different -- and arguably more serious. Equifax's massive data breach, which exposed the personal information of 147 million people, went undetected for 76 days partly because of an expired SSL certificate.
The connection: Equifax had an SSL inspection device (a tool that decrypts HTTPS traffic to scan for threats) monitoring their network. The certificate on this inspection device had expired 19 months earlier. With the certificate expired, the inspection tool stopped decrypting and analyzing traffic. The attackers' data exfiltration went undetected for months.
The impact: 147 million people had their Social Security numbers, birth dates, and addresses exposed. Equifax paid over $700 million in settlements. The CEO, CIO, and CSO all departed.
Why it matters: An expired certificate didn't cause the breach, but it prevented Equifax from detecting it. The attackers were actively extracting data through encrypted connections that should have been inspected. A single expired certificate on an internal security tool created a massive blind spot.
Certificates protect more than websites
The Equifax incident shows that expired certificates don't just cause outages -- they can create security blind spots. Any device or service that relies on valid certificates to function is a risk.
Google Voice (2021)
What happened: Google Voice experienced issues when an expired intermediate certificate disrupted the service. Users reported problems making and receiving calls.
Why it's notable: This wasn't a simple leaf certificate expiry. It was an intermediate certificate -- part of the certificate chain -- that expired. Intermediate certificates are issued by the certificate authority and are often managed separately from the end-entity certificates. They're easy to overlook because they're not directly tied to a specific domain or service.
The lesson: Certificate chain monitoring matters. Your leaf certificate can be perfectly valid, but if an intermediate in the chain expires or is revoked, your site or service still breaks. Good monitoring checks the entire chain, not just the end certificate.
Ericsson/O2 Mobile Network Outage (December 2018)
What happened: An expired certificate in Ericsson's software brought down mobile data services for millions of customers across multiple carriers. In the UK, O2's network went down for nearly 24 hours, affecting 32 million customers.
The impact: This wasn't a website outage -- it was a mobile network outage. Millions of people lost mobile data access. Emergency services were affected. Businesses that relied on mobile connectivity were disrupted. The outage also hit carriers in Japan and other countries using the same Ericsson software.
What it cost: O2 offered affected customers two days of service credit. Ericsson faced lawsuits and contract scrutiny. The total financial impact across all affected carriers ran into hundreds of millions of dollars.
Why it happened: A certificate embedded in Ericsson's SGSN-MME (Serving GPRS Support Node - Mobility Management Entity) software expired. The software had been deployed years earlier, and the certificate's expiration date was not being tracked.
The lesson: Certificates embedded in software and hardware are the hardest to track and the easiest to forget. They often have long validity periods (years), which means by the time they expire, the people who deployed them have moved on.
The Pattern: It Happens to Everyone
Look at these incidents together and the pattern is clear:
- Big teams and big budgets still fail
- It's always a process failure
- Secondary domains and internal certs are highest risk
- The cost is disproportionate
How Monitoring Prevents These Disasters
Every one of these incidents would have been caught by basic certificate monitoring. Not complex security tooling. Not AI-powered threat detection. Just something that checks whether a certificate is about to expire and tells someone about it.
What monitoring would have done in each case:
- Microsoft Teams: Alert at 30 days before expiry. Renewed in minutes.
- Spotify: Internal certificate flagged during routine monitoring. Renewed before any impact.
- LinkedIn: lnkd.in domain included in certificate inventory. Alert sent weeks before expiry.
- Equifax: Inspection device certificate tracked alongside all others. 19-month lapse never happens.
- Google Voice: Intermediate certificate expiry flagged in chain monitoring.
- Ericsson/O2: Embedded certificate tracked from deployment. Alert months before expiry.
The fix for every one of these is the same: know what certificates you have, know when they expire, and get alerted before they do.
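The check described in this section, combined with the chain lesson from the Google Voice incident, as an added example (not code from the original article). The inventory, hostnames and dates are constructed, and the notAfter strings are assumed to be in the format Python's `ssl.SSLSocket.getpeercert()` reports.

```python
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # alert window, matching the 30-day alert in the list above

# Constructed inventory (not real certificates). Each endpoint lists every
# certificate in its chain as (role, notAfter), not just the leaf.
INVENTORY = {
    "www.example.test": [("leaf", "Dec 31 23:59:59 2026 GMT"),
                         ("intermediate", "Jul 10 00:00:00 2026 GMT")],
    "short.example.test": [("leaf", "Jun 20 00:00:00 2026 GMT"),
                           ("intermediate", "Jan  1 00:00:00 2030 GMT")],
    "inspection-device.internal.test": [("leaf", "Nov  1 00:00:00 2024 GMT")],
    "api.example.test": [("leaf", "Mar  1 00:00:00 2027 GMT"),
                         ("intermediate", "Jan  1 00:00:00 2030 GMT")],
}


def days_left(not_after: str, now: datetime) -> float:
    """Days from `now` until a certificate's notAfter (negative if expired)."""
    expiry = ssl.cert_time_to_seconds(not_after)  # string is parsed as UTC
    return (expiry - now.timestamp()) / 86400


def chain_status(chain, now, warn_days=WARN_DAYS):
    """A chain is only usable until its earliest-expiring member."""
    role, not_after = min(chain, key=lambda c: ssl.cert_time_to_seconds(c[1]))
    remaining = days_left(not_after, now)
    state = "EXPIRED" if remaining < 0 else "WARN" if remaining <= warn_days else "OK"
    return state, role, int(remaining)


def review(inventory, now):
    """Return (endpoint, state, limiting_role, days) for everything not OK."""
    alerts = []
    for endpoint, chain in inventory.items():
        state, role, days = chain_status(chain, now)
        if state != "OK":
            alerts.append((endpoint, state, role, days))
    return sorted(alerts, key=lambda a: a[3])  # most urgent first


if __name__ == "__main__":
    for alert in review(INVENTORY, datetime(2026, 6, 15, tzinfo=timezone.utc)):
        print(*alert)
```

Note that `www.example.test` is flagged because of its intermediate, even though its leaf is valid for months; a leaf-only check would report it as healthy.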
Don't Assume You're Immune
If your reaction to these stories is "that wouldn't happen to us," consider: every organization on this list thought the same thing. They all had smart people, good processes, and budgets orders of magnitude larger than most companies.
Certificate expiry catches you when you're looking the other way. The only defense is a system that's always looking.
The cheapest outage is the one you prevent. Start monitoring before you become a case study.