A Note on Your Zoho Account Security

General | February 2, 2018 | 2 min read

Over the last couple of days, a few of our users received an email from Zoho informing them about a password reset on their Zoho account—that they did not initiate. We want to explain this here.

First, let’s assure you that there has been no security breach, nor was any of your data ever compromised. This was an intentional action from our Zoho Accounts and Security team, as a proactive safety measure.

What happened?

Many of you may know that hackers often reveal user credentials on the web. These are combinations of accounts and passwords for any service the hackers have breached. At Zoho, our security team is always on the lookout for external security breaches, even those completely unrelated to Zoho.

We work under the assumption that many users—very unwisely—use the same online account names and passwords across different service providers. This creates a huge vulnerability. Anyone can take these revealed credentials and attempt to log in to other online services (ones that were not breached) and gain unauthorized access. This is what we seek to prevent. We don’t want your Zoho account to be compromised because of other leaks on the internet.

Whenever any user credentials are leaked or exposed on the internet, we immediately make sure that any matching Zoho accounts are automatically protected—in the event our users have (unwisely) used the same leaked credentials for their Zoho accounts as well.

This is what we do: The leaked credentials are auto-parsed by our systems and compared with the hashed data of Zoho accounts (Zoho stores your passwords in a hashed format that is not human-readable). If our systems find a match, they automatically reset the password to protect your account from possible unauthorized access. We then send an email to the registered email address.
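The matching step described above, as an added example that is not Zoho's code: it assumes a PBKDF2-HMAC-SHA256 password store with a per-account salt (the post only says passwords are hashed) and a constructed dump in email:password form. Because the dump's plaintext has to be re-hashed under each matching account's own salt before it can be compared, a match means the user reused that exact password; the script then replaces the hash with a random one nobody knows and flags the account for a reset.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor; the post does not name Zoho's scheme

def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 with a per-account salt (assumed scheme, not Zoho's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def make_account(email: str, password: str) -> dict:
    """Store only salt + hash; the plaintext is never kept."""
    salt = secrets.token_bytes(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt), "reset_required": False}

def parse_leak(dump: str) -> list[tuple[str, str]]:
    """Parse 'email:password' lines from a dump, skipping blank or malformed lines."""
    pairs = []
    for line in dump.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        pairs.append((email.strip().lower(), password))
    return pairs

def find_reused_credentials(accounts: dict, leak: list[tuple[str, str]]) -> set[str]:
    """Emails whose stored hash equals the leaked plaintext re-hashed with that account's salt.
    Hashes copied from the dump itself are useless here: the breached site used its own salts."""
    hits = set()
    for email, leaked_password in leak:
        account = accounts.get(email)
        if account and hmac.compare_digest(hash_password(leaked_password, account["salt"]), account["hash"]):
            hits.add(email)
    return hits

def force_reset(accounts: dict, hits: set[str]) -> None:
    """Invalidate the matched password so it no longer works, and flag the account for a reset."""
    for email in hits:
        account = accounts[email]
        account["salt"] = secrets.token_bytes(16)
        account["hash"] = hash_password(secrets.token_urlsafe(32), account["salt"])  # random, known to no one
        account["reset_required"] = True

# Constructed sample data (not real accounts and not a real leak)
ACCOUNTS = {a["email"]: a for a in (make_account("alice@example.com", "correct horse"),
                                    make_account("bob@example.com", "hunter2"))}
LEAK_DUMP = "alice@example.com:correct horse\nbob@example.com:not-bobs-password\ncarol@example.com:x\ngarbage\n"
```

Running `force_reset(ACCOUNTS, find_reused_credentials(ACCOUNTS, parse_leak(LEAK_DUMP)))` flags only alice, whose leaked password matched; bob's different leaked password and carol's unknown address are left alone.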

If you have recently received an email asking you to reset your password, please do so here: https://accounts.zoho.com/password

What are the lessons here?

First, never reuse passwords across different online service providers. This is your responsibility as a user. Failing to do so provides easy ammunition for hackers. Second, use multi-factor authentication for your Zoho account. To add an additional layer of security, use our OneAuth app on your mobile device.

From our end, we have learned to tailor the email messages to affected users so they know exactly what happened, rather than receive an unexpected default password-change message that can be unnecessarily alarming.

  1. Ron

    Fantastic that your team is pro-active in this. What would be even better is to let the owner of the account know from which service the account credentials have been leaked… For those of us who indeed use the same combination on more than two services.

  2. Locke Lamora

    The intention is good here. But the context of the mail could have been toned better.

    Instead of sending a mail stating that your password has been changed, it could have come with an added indication that your account was compromised in some other non-Zoho apps, and kindly reset your password.

    As an end user, the mail was quite alarming!

    • Vijay Sundaram

      I agree with you Locke. This should not have been the standard “password has been changed” message. We have now fixed it. Thanks for your support.