
Cyber Incident Victim: Zoho

Date: Nov 2015

Location: United States of America

Summary

Zoho services experienced a prolonged distributed denial-of-service (DDoS) attack accompanied by extortion threats, causing significant service disruptions including intermittent outages, severe latency, and delayed mail delivery. The company implemented emergency countermeasures such as rerouting traffic through secondary data centers and accelerating pre-planned security updates, which introduced additional instability due to the rushed deployment. While defenses mitigated direct attack impacts, the infrastructure changes created performance bottlenecks affecting customer access. Services gradually stabilized after multiple days of continuous mitigation efforts, with mail functionality being among the last to recover due to protective measures inadvertently interfering with delivery. Law enforcement was engaged during the incident, and no data compromise occurred despite prolonged accessibility issues.


Description

On November 4, 2015, at 8:15 AM Pacific Time, Zoho experienced a distributed denial-of-service (DDoS) attack targeting its network infrastructure. The attackers flooded Zoho's servers with bogus requests from multiple locations, intending to render services unavailable to legitimate customers. This criminal act was accompanied by explicit threats and a blackmail attempt demanding payment to halt the attacks. Zoho confirmed all customer data remained secure but acknowledged persistent access disruptions, comparing the situation to physical obstruction of a bank entrance where assets remain protected but inaccessible. The company noted this attack mirrored contemporaneous incidents against secure email providers ProtonMail and Runbox, reflecting broader criminal targeting of online services. Initial countermeasures involved collaboration with internet service providers, cybersecurity experts, and law enforcement agencies, though Zoho cautioned that attacks were growing increasingly sophisticated and might persist indefinitely.


Service disruptions intensified on November 8 when another major attack wave at 5:05 PM Pacific Time caused a 33-minute outage, with many services remaining unstable afterward. Zoho's infrastructure team implemented emergency traffic rerouting through a secondary data center on November 9, introducing network latency and intermittent slowness while filtering malicious traffic. Concurrently, engineers accelerated deployment of preplanned DDoS mitigation upgrades originally scheduled over 2-3 weeks, compressing the timeline into a single weekend and inadvertently creating system instability. Mail delivery experienced severe delays due to overactive attack countermeasures blocking legitimate traffic, directly impacting customer operations. By November 10, engineers resolved mail filtering misconfigurations, restoring near-normal delivery while maintaining heightened monitoring. Full service normalization occurred by November 12 following sustained infrastructure upgrades and performance optimizations, though Zoho maintained defensive readiness anticipating future attacks. Throughout the eight-day incident, the company provided near-hourly status updates via its blog and Twitter account while fielding customer reports through support channels.
