Cloud-based accounting service Xero has told its customers to reset their passwords after a “small number” of users had their accounts compromised.
The email claims that Xero has seen an increase in phishing attacks exploiting the firm’s brand, and that a “small number of customers have had their Xero accounts compromised.”
Clearly, that’s far from ideal as businesses will have a great deal of information about their finances, clients and suppliers inside their Xero account.
Furthermore, Xero warns that users should scan their computers for malware using an up-to-date anti-virus – presumably to reduce the chances that spyware is present on customers’ PCs that could be stealing usernames and passwords that way.
We strongly recommend that you update your anti-malware (anti-virus) software with the latest signatures and run a full scan of your computer before you reset your password. Please do this on all computers you use to access Xero.
You should always maintain your operating system and applications by keeping them up to date with security patches.
Sensibly, the company says to do the scan *before* you change your password – although, of course, you could always change your password on another computer which you believe not to be compromised or from a device which is less likely to be affected, such as your smartphone.
Reuse of passwords is one of the biggest security problems out there – particularly amongst people who haven’t yet learnt the trick of using a password manager to generate complex, unique passwords and handle the hassle of remembering them.
I also have to take Xero to task for not putting clear information on its website, as I’m sure many users would have wanted to confirm that the email advisory was genuine.
I wasn’t the only one who considered whether the email might be actually a phishing attempt itself:
Details on how to change your Xero password can be found on the site’s help page.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.