I’m amazed that what is probably the largest data breach in email marketing history has gone largely unnoticed by the email marketing community. Suppression lists get stolen all the time, but I’ve never heard of an ESP getting hacked and compromising the subscriber lists of all of its customers.
I haven’t seen a single article about it in any of the trade magazines, not to mention that TechCrunch usually loves to cover this sort of thing. A few bloggers have talked about it (here and here) and Al Iverson wrote a short post, but I’m surprised how little it was covered by the mainstream press. Maybe it’s due to the timing, right before the holiday?
At the end of December, AWeber says their database was hacked by an “overseas organized group” and some, if not all, of their subscribers started receiving Viagra spam and other unsolicited email messages. AWeber is an email service provider that claims 65,000 customers. Each of their customers uploads a list of email addresses, so AWeber probably holds tens of millions of unique email addresses.
According to the AWeber blog, they had vulnerabilities in their software that allowed a malicious hacker to gain access to the database containing the email addresses. It’s unclear if they got the whole database or just part of it (and probably impossible to know for sure). AWeber assures us that it’s all fixed now.
I’m not sure that a customer reading AWeber’s description would get the right idea or understand the significance of what really happened.
AWeber points out with little red flags all the things that were NOT stolen, and makes a laundry list of everything they can think of. Pointing out that no “from email addresses” or “website URLs” were stolen seems to be really grasping at straws – maybe they thought that by making the list of what was NOT stolen bigger it would draw attention away from what was really stolen.
They also point out that the spam being sent to your customers isn’t being sent from AWeber, so it won’t hurt their deliverability. I’m sure that’s comforting for AWeber, and I’m sure it’s a common question their customers might have – but the way it’s written downplays the primary issue: their email list was stolen.
They lost the subscriber lists. That’s the most valuable thing they have! If I were a customer of theirs, I’d much rather that they lost my credit card number than lose my list of subscribers. I can cancel my credit card – but I can’t ever get my email addresses back from the foreign criminals and everyone else they sell it to. Those users can never unsubscribe now – they will just get more and more spam until they switch to a new email address.
The criminals can now sell those email lists on the black market over and over. The problem is likely to get worse over time as each generation of the list gets resold. This is a Pandora’s box that can’t be closed after you open it.
I have a unique OtherInbox address that I gave to AWeber when I signed up to try out their service a few years ago. I haven’t received any email at that address since it was first used. But in the past week it has received 5 messages with various subject lines and the same NSFW body showing the before and after images of a penis enlargement device.
You know what I haven’t received? An email from AWeber notifying me that my email address was compromised. I guess they think that posting it to their blog is enough. But considering that none of the owners of the email addresses that were stolen even know who AWeber is, it’s pretty unlikely that they would be reading the AWeber blog. I don’t think it is adequate notice.
Fortunately, because that email address was only given to AWeber, I can just Block that one email address and be done with it. But if they had your work email address, there is nothing you can do to fix it and it is just going to get worse over time.
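The per-vendor alias trick described above can be turned into a small leak-attribution check: if an alias that was handed to exactly one vendor starts receiving mail from domains that vendor never uses, that vendor’s list has almost certainly leaked, and the alias can simply be retired. This is an added example, not code from the post or from OtherInbox; the registry, sender domains and inbound messages are all constructed.

```python
from collections import Counter

# Constructed registry: alias -> (vendor it was given to, sender domains
# that vendor legitimately mails from). One alias per vendor, never reused.
ALIAS_REGISTRY = {
    "aweber-trial@example.org": ("AWeber", {"aweber.example"}),
    "shop-xyz@example.org": ("XYZ Shop", {"xyz.example"}),
}

# Constructed inbound mail: (recipient, sender address, subject).
INBOUND = [
    ("aweber-trial@example.org", "promo@pills.example", "Enlarge now"),
    ("aweber-trial@example.org", "offer@cheapmeds.example", "Special offer"),
    ("aweber-trial@example.org", "deals@pills.example", "Before and after"),
    ("shop-xyz@example.org", "orders@xyz.example", "Your receipt"),
    ("someone-else@example.org", "x@y.example", "hi"),  # not a tagged alias
]


def sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased (naive split on the last '@')."""
    return addr.rsplit("@", 1)[-1].lower()


def attribute_leaks(registry, messages):
    """Return {alias: (vendor, unexpected_count)} for every tagged alias that
    received mail from a domain its vendor was never expected to send from.
    Untagged recipients are skipped: without a one-vendor alias there is
    nothing to attribute the mail to."""
    hits = Counter()
    for rcpt, sender, _subject in messages:
        rcpt = rcpt.lower()
        if rcpt not in registry:
            continue
        _vendor, allowed = registry[rcpt]
        if sender_domain(sender) not in allowed:
            hits[rcpt] += 1
    return {alias: (registry[alias][0], n) for alias, n in hits.items()}


def block_list(report):
    """Aliases that can be retired outright: each was given to one vendor
    only, so blocking it cuts off the leaked copy without collateral damage."""
    return sorted(report)


if __name__ == "__main__":
    report = attribute_leaks(ALIAS_REGISTRY, INBOUND)
    for alias, (vendor, n) in report.items():
        print(f"{alias}: {n} unexpected message(s); suspect leak at {vendor}")
    print("block:", block_list(report))
```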
If AWeber were the Secret Service, this would be like having the president get shot on their watch: a complete failure to protect their most important asset. I don’t have anything against AWeber and have always respected them – but I don’t see how we can let this one slip under the radar. Customers need to have higher expectations of their Email Service Provider, and consumers have to have higher expectations of the companies they purchase from.
If I were AWeber, I would be groveling to my customers and begging forgiveness, not pretending that it wasn’t a big deal. It seems like their attitude is all wrong – their original blog post didn’t even have an apology to their customers, it was added afterwards. When I ran SKYLIST and UnsubCentral, if for any reason I felt that our service had not lived up to the expectations we set with our customers I compensated them in some way (a month of free service at a minimum).
If you are an AWeber customer, you should probably consider sending notice to your own customers who were affected by this, the way that ProBlogger did and Seesmic did.
If you are an Email Service Provider, you need to make it clear to your customers that this is NOT something that is acceptable or expected to happen. You need to make it clear to your customers that their subscriber lists are safe and are not going to get hacked.
If you are a salesperson at an Email Service Provider, you should be calling up AWeber customers. Email Data Source can probably show you a list of them.