SSL certificates expire. That's not news. What's news is how often billion-dollar companies let it happen — and how much it costs them when they do.
Here are 10 of the most expensive SSL certificate failures in history, what went wrong, and what they teach every IT team about expiration tracking.
1. Microsoft Teams (February 2020)
Impact: 20+ million users locked out for 3+ hours
Microsoft Teams — the company's flagship collaboration tool — went completely dark because someone forgot to renew an SSL certificate. During the outage, users couldn't sign in, send messages, or join meetings. The irony? Microsoft literally sells the infrastructure to prevent this.
The incident made international headlines and prompted Microsoft to implement automated certificate monitoring across its services.
Lesson: If Microsoft can forget to renew a cert, so can you.
2. Spotify (2022)
Impact: Podcast streaming disrupted for millions
Spotify's podcast infrastructure suffered a major outage when an internal SSL certificate expired without anyone noticing. The Megaphone podcast hosting platform — which Spotify acquired for $235 million — was knocked offline, affecting publishers and listeners worldwide.
Lesson: Acquisitions mean inherited infrastructure. If you're not tracking what you bought, something will expire.
3. Equifax (2017)
Impact: 147 million customer records breached
This one goes beyond a simple outage. Equifax's expired SSL certificate on a network monitoring tool meant they couldn't inspect encrypted traffic for malicious activity. For 76 days, attackers exfiltrated personal data — Social Security numbers, birth dates, addresses — from 147 million Americans.
The expired cert wasn't the vulnerability itself, but it blinded the security team to the breach. Equifax settled for $700 million.
Lesson: Expired certificates don't just cause outages — they create security blind spots.
4. LinkedIn (2019)
Impact: All shortened links (lnkd.in) broken for hours
LinkedIn let the certificate on its URL shortener domain expire, breaking every shortened link ever shared on the platform. Years of shared content, job postings, and professional connections suddenly pointed to certificate warnings.
Lesson: It's not just your main domain. Every domain, subdomain, and service needs tracking.
5. Cisco (2020)
Impact: Meraki cloud management platform down
Cisco's Meraki platform — used by thousands of organizations to manage their networks — went down due to an expired certificate. Network administrators couldn't manage routers, switches, or access points remotely. For managed service providers who depend on Meraki, it was a nightmare.
Lesson: When your product IS infrastructure management, letting your own certs expire is especially painful.
6. Ericsson / O2 UK (2018)
Impact: 32 million mobile customers lost service for 24 hours
An expired certificate in Ericsson's SGSN-MME software caused a cascading failure that knocked out O2's entire UK mobile network. 32 million customers lost data services for nearly a full day. The outage also affected other carriers using Ericsson equipment across 11 countries.
Ericsson paid £100 million in compensation.
Lesson: Certificate failures cascade. One expired cert in a critical system can take down an entire network.
7. Starlink (2023)
Impact: Satellite internet service disrupted globally
SpaceX's Starlink internet service experienced widespread outages traced back to an expired ground station certificate. Users in rural and remote areas — many with no alternative internet provider — were left without connectivity.
Lesson: Modern infrastructure depends on certificate chains. The more distributed your system, the more certificates you need to track.
8. California State Government (2020)
Impact: COVID-19 testing results delayed for weeks
During the height of the pandemic, California's disease surveillance system stopped processing lab results because of — you guessed it — an expired SSL certificate. The backlog grew to nearly 300,000 unreported cases, distorting the state's pandemic data and delaying public health responses.
Lesson: Certificate management isn't just an IT problem. It's a public safety issue.
9. Shopify (2022)
Impact: Thousands of online stores briefly inaccessible
Shopify experienced a significant outage affecting custom domain SSL certificates, making thousands of stores show security warnings to customers. For e-commerce businesses, a security warning is essentially a "don't buy here" sign.
Lesson: When you host other people's businesses, your certificate management is their problem too.
10. UK Government (Gov.uk, 2019)
Impact: Multiple government services disrupted
The UK government's main service portal experienced certificate issues that prevented citizens from accessing essential services including tax filing, benefits, and licensing. The incident highlighted how even large, well-funded IT organizations struggle with certificate lifecycle management.
Lesson: Scale doesn't solve this problem. Manual tracking eventually fails, regardless of team size.
The Pattern
Every one of these incidents shares the same root cause: someone was supposed to renew something, and they didn't.
It's not that these organizations have bad engineers. They have great engineers. But great engineers are busy shipping features, fighting fires, and managing infrastructure. Certificate renewals are low-urgency until they're suddenly critical — and by then, it's too late.
What Actually Prevents This
The organizations that avoid certificate disasters share common practices:
- Automated discovery — They don't rely on humans to remember every cert. They scan their infrastructure.
- Multi-channel alerts — Not just an email that gets buried. Slack, Teams, SMS for the ones about to blow.
- Single source of truth — One dashboard, not six spreadsheets and a shared calendar.
- Multiple warning thresholds — Alerts at 90, 30, 14, 7, and 1 day. Escalating urgency.
- Assigned ownership — Every cert has a name attached. No "I thought you were handling that."
This is exactly why we built Lapse.watch — a single dashboard to track every SSL certificate, domain, warranty, and contract that expires. Because the cost of prevention is always less than the cost of an outage.