Zoho and the Heartbleed Vulnerability

Quick note:
All Zoho servers are patched, and your data is safe.

The details:
Soon after the information about this vulnerability became known, we started patching all our servers using the newer, protected versions of OpenSSL. This operation was completed in a few hours after the news broke out. We renewed our SSL certificates too. So, we are no longer vulnerable.

As of now, we have no indication that the vulnerability has been exploited against any of the Zoho applications. However, we would like you to follow these safeguards.

1. Change your Zoho account passwords immediately.
2. To be doubly safe, enable Two Factor Authentication (TFA) for your accounts.

We will update this post, as and when we have more new info about the vulnerability.


6 Replies to Zoho and the Heartbleed Vulnerability

  1. I agree with Marianne Ferrari, I do not want to give out personal information, I have doubts that it remains private.

  2. Hi Aravind/Zoho Team, I am using Comodo browser(latest update) and i noticed that i have the same problem as "John Carley on April 15, 2014 at 12:56 PM said:" has. I have used other browsers (IE 10, Chrome, Mozilla Firefox) as well but its the same. While writing this comment, to let you know that it still shows as yellow https:// with a triangle symbol. Given the fact that we are experiencing the OpenSSL Vulnerability threat, do the users have to perform any other action other than the steps provided by you? And how do we resolve the incomplete secure access to our zoho account.?

  3. I noticed that the "https:" in my Comodo Dragon browser has always shown yellow (caution) at your website. It has indicated this since the beginning when I set up my zoho email account. Though zoho site ownership has been confirmed by the browser, other sites generally show the https in green to indicate authenticity and good security. After the recent security scare I thought it may be corrected, but it continues to show the same yellow caution icon.

  4. Hi, Arvind. I realize the benefit of having the add'l authentication you suggest, but I am spleened against providing my cell phone number for authentication by Google. I don't want them to have this kind of personal information that I almost never give out, except to someone I wish to receive a cell call from. Just have to ask: Are you saying that, without this add'l authentication, my date simply will not be safe? I find this utterly dismaying, being a person who releases as little personal information as possible.

  5. I don't have a cell phone and have no plans to acquire it. It sounds like the Two Factor Authentication would not apply to me. Is there something I should do instead?

Leave a Reply

Your email address will not be published.

The comment language code.
By submitting this form, you agree to the processing of personal data according to our Privacy Policy.

Related Posts