Over the last couple of days, a few of our users received an email from Zoho informing them about a password reset on their Zoho account—that they did not initiate. We want to explain this here.
First, let’s assure you that there has been no security breach, nor was any of your data ever compromised. This was an intentional action from our Zoho Accounts and Security team, as a proactive safety measure.
Many of you may know that attackers regularly publish stolen user credentials on the web: lists of account names and passwords taken from whatever services they have breached. At Zoho, our security team is always on the lookout for such external breaches, even those completely unrelated to Zoho.
We work under the assumption that many users, very unwisely, use the same account name and password across different service providers. This creates a serious exposure. Anyone can take the published credentials and try them against other online services that were never breached (an attack known as credential stuffing) and gain unauthorized access. This is what we seek to prevent: we don't want your Zoho account to be compromised because of a leak somewhere else on the internet.
Whenever any user credentials are leaked or exposed on the internet, we immediately make sure that any matching Zoho accounts are automatically protected—in the event our users have (unwisely) used the same leaked credentials for their Zoho accounts as well.
This is what we do: the leaked credentials are parsed automatically by our systems and checked against the stored password data of the matching Zoho accounts. Zoho stores passwords only in hashed form, which is not human-readable and cannot be reversed, so a leaked plaintext password cannot be compared to it directly; instead the leaked password is put through the same hashing and the result is compared with what is stored. If our systems find a match, they automatically reset the password to protect the account from possible unauthorized access, and we then send an email to the registered email address.
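To make that matching step concrete, here is an added example (not Zoho's code; this post does not describe Zoho's actual hashing scheme, account store, or dump parser, so all of those are assumptions here) showing how a leaked `user:password` dump is checked against salted password hashes and how a matching account is forced into a reset. PBKDF2-HMAC-SHA256 stands in for whatever hash Zoho really uses, and the dump and accounts are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

# Assumed KDF settings for this example only; Zoho's real scheme is not described in the post.
KDF_ITERATIONS = 100_000
HASH_LEN = 32


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    reset_required: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256) as kept in the account database."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ITERATIONS, HASH_LEN)


def create_account(email: str, password: str) -> Account:
    """Register an account: fresh random salt per user, only the hash is stored."""
    salt = os.urandom(16)
    return Account(email=email.strip().lower(), salt=salt, pw_hash=hash_password(password, salt))


def verify_login(acct: Account, password: str) -> bool:
    """Normal login check; an account awaiting reset never authenticates with a password."""
    if acct.reset_required:
        return False
    return hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)


def parse_leak(dump: str) -> Iterator[Tuple[str, str]]:
    """Parse 'user:password' lines from a leaked dump.
    Splits on the first ':' only (passwords may contain ':'), lowercases the user part so it
    matches the normalised account e-mail, and skips lines that do not fit the format."""
    for line in dump.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        user, password = line.split(":", 1)
        if user.strip():
            yield user.strip().lower(), password


def find_reused_credentials(dump: str, accounts: Dict[str, Account]) -> List[str]:
    """Return the e-mails of accounts whose stored hash verifies against a leaked password.

    A salted hash cannot be looked up from the plaintext dump directly, so each leaked
    password is re-hashed under the matching account's own salt and compared in constant
    time. Only accounts that actually appear in the dump get hashed, so the cost scales
    with the overlap between dump and user base, not with the user base itself."""
    hits = []
    for email, leaked_pw in parse_leak(dump):
        acct = accounts.get(email)
        if acct is None:
            continue
        if hmac.compare_digest(hash_password(leaked_pw, acct.salt), acct.pw_hash):
            hits.append(email)
    return hits


def force_reset(acct: Account) -> str:
    """Invalidate the leaked password and return a single-use reset token to e-mail to the user.

    The stored hash is replaced with random bytes that no password can produce, so the old
    credential stops working immediately, before the user has acted on the e-mail."""
    acct.salt = os.urandom(16)
    acct.pw_hash = os.urandom(HASH_LEN)
    acct.reset_required = True
    return secrets.token_urlsafe(32)


# Constructed sample data: a small leaked dump and a few accounts, two of which reused
# their leaked password at this service and one of which did not.
LEAKED_DUMP = """\
alice@example.com:hunter2
bob@example.com:correct horse battery staple
Carol@Example.com:pa:ss:word
this line is garbage
"""

ACCOUNTS = {
    a.email: a
    for a in (
        create_account("alice@example.com", "hunter2"),         # reused the leaked password
        create_account("bob@example.com", "unrelated-secret"),  # different password here
        create_account("carol@example.com", "pa:ss:word"),      # reused; note the ':' in it
        create_account("dave@example.com", "not-in-the-dump"),
    )
}

if __name__ == "__main__":
    for email in find_reused_credentials(LEAKED_DUMP, ACCOUNTS):
        force_reset(ACCOUNTS[email])
        print(f"reset forced for {email}; reset link goes to the registered address")
```

Two design points worth noting: the comparison uses `hmac.compare_digest` so that a timing difference does not leak how many hash bytes matched, and the reset replaces the stored hash with unguessable random bytes rather than merely setting a flag, so a bug that skips the flag check still cannot let the leaked password through. This check only works when the dump contains plaintext passwords; if a leak holds only hashes from the other service, there is nothing to re-hash and the account can only be protected on the basis of the matching username.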
If you have recently received such an email, please reset your password here: https://accounts.zoho.com/password (type the address yourself rather than following a link in an unexpected email, so you can be sure you are on the genuine Zoho accounts page).
What are the lessons here?
First, never reuse passwords across different online service providers; this is your responsibility as a user, and failing to do it hands attackers easy ammunition. Second, turn on multi-factor authentication for your Zoho account: to add that extra layer of security, use our OneAuth app on your mobile device.
From our end, we have learned to tailor the email messages to affected users so they know exactly what happened, rather than receiving an unexpected default password-change message that can be unnecessarily alarming.