Xero resets passwords after phishes hook users


Two-factor authentication bolt-on "imminent".

Online accounting firm Xero is making subscribers to its software reset their passwords after a phishing campaign saw a "small number" of accounts compromised.

Xero Australia MD Chris Ridd.

The fraudulent phishing messages used Xero's branding to appear realistic.

As financial advisers using the SaaS accounting system can access their customers' accounts, a password compromise could potentially disclose information for multiple people and organisations.

Xero Australia managing director Chris Ridd told iTnews the password reset was part of an ongoing effort by the company to keep its customers safe.

He declined to say how many accounts had been compromised.

Xero was criticised by Australian customers last year for being slow to introduce two-factor authentication with out-of-band challenge and response codes as an added security measure to prevent account compromise.

Ridd today said the feature should arrive "soon".

"I can't reveal exactly when, but we have been working on two-factor authentication for some time now, and the release of it is imminent," Ridd said.

"We have been active in educating users about security recently, telling people to pick strong passwords, not to share them, and have added features such as a notification showing them when the last user login was, and from where, to help detect suspicious activity."

Ridd said phishing was widespread on today's internet and not just a Xero problem, but the company had taken extra steps to keep its users secure.

"Security is always at the forefront of what we do," he said. 

"When the phishing campaign first started a few weeks ago, we commissioned KPMG to audit our systems for security issues and vulnerabilities, and we got a clean bill of health."

Copyright © iTnews.com.au . All rights reserved.