Cloud-based accounting service Xero has told its customers to reset their passwords after a “small number” of users had their accounts compromised.
At the time of writing there was no obvious advisory on Xero’s website, blog or Twitter account, but news of the security warning was sent out to customers in an email.
The email claims that Xero has seen an increase in phishing attacks exploiting the firm’s brand, and that a “small number of customers have had their Xero accounts compromised.”
Clearly, that’s far from ideal as businesses will have a great deal of information about their finances, clients and suppliers inside their Xero account.
Furthermore, Xero warns that users should scan their computers for malware using an up-to-date anti-virus – presumably to reduce the chances that spyware is present on customers’ PCs that could be stealing usernames and passwords that way.
We strongly recommend that you update your anti-malware (anti-virus) software with the latest signatures and run a full scan of your computer before you reset your password. Please do this on all computers you use to access Xero.
You should always maintain your operating system and applications by keeping them up to date with security patches.
Sensibly, the company says to do the scan *before* you change your password – although, of course, you could always change your password on another computer which you believe not to be compromised or from a device which is less likely to be affected, such as your smartphone.
It should go without saying that you should also ensure that you are not using your Xero password anywhere else on the net.
Reuse of passwords is one of the biggest security problems out there – particularly amongst people who haven’t yet learnt the trick of using a password manager to generate complex, unique passwords and handle the hassle of remembering them.
I also have to take Xero to task for not putting clear information on its website, as I’m sure many users would have wanted to confirm that the email advisory was genuine.
I wasn’t the only one who considered whether the email might actually be a phishing attempt itself:
https://twitter.com/vanderaj/status/657351357775540224
Details on how to change your Xero password can be found on the site’s help page.
Thanks for sharing this info. According to their twitter feed and from http://www.nbr.co.nz/opinion/scammers-gain-access-xero-customers-accounts they didn't mean to send this to all their customers and have admitted to this. Though it's not a bad thing for people to change their passwords that they probably haven't changed for months or years. I think it's a good thing they are being pro-active and vigilant and I am sure they will listen to and act on any feedback.
I agree with you that the biggest problem is with people using the same password for all their sites. I agree with you and always recommend that people use a password manager like LastPass so they can have unique, complex passwords for all their internet accounts.
Good idea about having information on their website that people could check the email is genuine; you only have to look at the questions being asked on their Twitter account.
Must point out though that the Xero team did advise people not to use their Xero password anywhere else on the net but worded it as "We recommend using a different password for Xero than for other applications you access and turning off your password autosave."
I always enjoy reading your blog Graham, many thanks.
"It should go without saying – although, sadly, Xero missed the opportunity to say it – that you should also ensure that you are not using your Xero password anywhere else on the net."
They did say it and it's in your screenshot:
"We recommend using a different password for Xero than for other applications you access and turning off your password autosave."
Thanks to you (and others) who pointed that out. I would like to argue that I was being pedantic about the difference between apps and websites, but the truth is that I simply overlooked it when I wrote the article in the wee small hours of the morning. What a wombat I am.
I'll edit the article to remove that grumble.
Cheers!
If important data such as accounting information is stored on that site, shouldn't 2-factor auth be mandatory?
If the Xero email isn't a phishing scam, why did I get it? I'm in Pennsylvania and I'm not a Xero customer, I never even heard of them until I got their email. ???
How stupid of Xero to start the message with a simple 'Hi,'. Most simple phishing messages use this and when I don't see my name mentioned I am already very suspicious and delete it. Xero should have made clear to me that their message was sent by them and not by scammers. And what if I shortly receive a message inviting me to click on a link to update my login details? This would be the ideal moment for the scammers to do this.
Anyhow… I feel sorry for Xero.
This email is legitimate. The email advising recipients about resetting their password was intended for active users in Australia, however we are aware that it was distributed more widely than intended. While sent to some users in error the email is a useful reminder for customers to change their passwords frequently.
We take a proactive approach to communicating to our customers about staying safe online. The online security of Xero users and partners is of critical importance to us, especially where their sensitive data is involved.
Apologies for any confusion this may have caused. For more information, please read this update on our blog:
https://www.xero.com/blog/2015/10/security-update-and-password-management/
Emma Izatt
Senior Communications Manager, Xero
@xero