Online accounting enfant terrible Xero has apologised for telling too many people to change their passwords, when they didn't need to change their passwords even though it wouldn't hurt them to change their passwords.
Xero has boiled up out of New Zealand with a SaaS accounting package that has sufficient smarts and looks that industry incumbents realise they need to hire the software equivalent of a personal stylist and life coach to guide them through a makeover before the bright young thing in the office makes them look frumpy and slow. The cashed-up company conquered its native land, set heads turing in Australia, where it gave the dominant player a nasty kicking, and his now trying to conquer the civilised world, too.
But over the weekend it hit a little snag: malfeasants have noticed Xero and the company is now the target of phishers and malware authors. As a decent SaaS operation does under those circumstances, Xero sent an email to users it felt had become a target. That email recommended they change passwords just in case. But those emails, which Xero says were “originally intended for active users in Australia" but were also "distributed more widely.”
That meant folks who haven't been phished were told they might have been phished. Which is reassuring. Not.
Xero now says that even if you don't need to change your password, you need to change your password because changing your password is always a good idea, even if you haven't been phished. Two-factor authentication, the company adds, will come to the platform real soon now which should make phishing less of a worry. Unless, of course, Xero worries you by telling you it is a worry when it isn't. Or at least not for you.
We're sure you understand what we, and Xero, mean. If you don't, don't worry and keep changing your passwords from time to time. ®