Yesterday we sent an email advising recipients they may need to change their Xero password. This email was originally intended for active users in Australia. However, it was distributed more widely. We apologize for any inconvenience or confusion, though this is a useful and timely reminder to change your passwords frequently.


As we have been communicating for the last month, we’ve noticed an increase in the volume of phishing attacks and malware scams. This is an industry-wide problem for business software, online banking and other websites.

Our security team has been tracking a small number of incidents resulting from phishing attacks, in which a handful of Xero usernames and passwords have been obtained. We recommend that Xero users update their anti-malware (anti-virus, anti-spyware) software and change their passwords.

Our team is continuously looking for patterns of malicious activity and will notify users when we believe there to be a problem – much like when your bank contacts you if they believe your card has been used fraudulently.

We have been building in additional system controls to give our customers further protection against such incidents. For example, on your Xero dashboard you can check when you last logged in and the location of those logins, including the IP address. If you don’t recognize the location or date of the last login, please contact customer support.

When you click on the link you can see when and where you last logged into Xero.

We are currently testing additional Two-Step Authentication (2SA) and will release that as soon as we can. This will provide a further layer of protection. Under 2SA you will need to enter a Time-based One-time Password (TOTP) generated by an authenticator app you’ve installed on your phone or other smart device, so you will need both your password and the TOTP to gain access to Xero.

It is critical that you maintain best practices inside your business. Staying safe online will protect not just your data, but your customers and employees. The most important things you can do to stay safe online are:

  1. Maintain excellent password hygiene. Never share a password, always use a complex password, change your password regularly, and don’t use the same password for multiple websites.
  2. Be aware. Phishing emails are a common way to trick you into disclosing data. If it looks even in the slightest bit unusual – don’t click it. A number of you checked in with us first before clicking on the links in the email you received yesterday, which is good practice if you are uncertain about the legitimacy of an email.
  3. Use reputable anti-malware (anti-virus, anti-spyware) software on all of the devices you use and keep this updated with the latest signatures. Also ensure your operating system and applications are kept up to date with the latest security patches.

You can find further tips here to ensure your sensitive data remains secure.

Security is a key focus for us at Xero. We’ll continue to share our security updates and best practices with you.