Zoho and the Heartbleed Vulnerability

General | April 10, 2014 | 1 min read

Quick note:
All Zoho servers are patched, and your data is safe.

The details:
Soon after information about this vulnerability became known, we started patching all our servers with the newer, protected versions of OpenSSL. This operation was completed within a few hours of the news breaking. We renewed our SSL certificates too, so we are no longer vulnerable.

As of now, we have no indication that the vulnerability has been exploited against any of the Zoho applications. However, we would like you to follow these safeguards.

1. Change your Zoho account passwords immediately.
2. To be doubly safe, enable Two Factor Authentication (TFA) for your accounts.

We will update this post as and when we have more information about the vulnerability.

  1. David

    I agree with Marianne Ferrari, I do not want to give out personal information, I have doubts that it remains private.

  2. Sridharan R

    Hi Aravind/Zoho Team,

    I am using Comodo browser (latest update) and I noticed that I have the same problem as “John Carley on April 15, 2014 at 12:56 PM said:” has. I have used other browsers (IE 10, Chrome, Mozilla Firefox) as well but it's the same. While writing this comment, to let you know that it still shows as yellow https:// with a triangle symbol. Given the fact that we are experiencing the OpenSSL Vulnerability threat, do the users have to perform any other action other than the steps provided by you?
    And how do we resolve the incomplete secure access to our Zoho account?

  3. John Carley

    I noticed that the “https:” in my Comodo Dragon browser has always shown yellow (caution) at your website. It has indicated this since the beginning when I set up my zoho email account. Though zoho site ownership has been confirmed by the browser, other sites generally show the https in green to indicate authenticity and good security. After the recent security scare I thought it may be corrected, but it continues to show the same yellow caution icon.

  4. Marianne Ferrari

    Hi, Arvind. I realize the benefit of having the add’l authentication you suggest, but I am spleened against providing my cell phone number for authentication by Google. I don’t want them to have this kind of personal information that I almost never give out, except to someone I wish to receive a cell call from.
    Just have to ask: Are you saying that, without this add’l authentication, my data simply will not be safe? I find this utterly dismaying, being a person who releases as little personal information as possible.

  5. carl

    Good job guys. I like the fact you pay this much attention to security, where other companies do not. Kudos.

  6. Penny

    I don’t have a cell phone and have no plans to acquire it. It sounds like the Two Factor Authentication would not apply to me. Is there something I should do instead?