Largest data breach in email marketing history? @Aweber subscriber lists stolen by foreign organized crime.

I’m amazed that what is probably the largest data breach in email marketing history has gone largely unnoticed by the email marketing community. Suppression lists get stolen all the time, but I’ve never heard of an ESP getting hacked and compromising the subscriber lists of all of its customers.

I haven’t seen a single article about it in any of the trade magazines, not to mention that TechCrunch usually loves to cover this sort of thing. A few bloggers have talked about it (here and here) and Al Iverson wrote a short post, but I’m surprised how little it was covered by the mainstream press. Maybe it’s due to the timing, right before the holiday?

At the end of December, AWeber says their database was hacked by an “overseas organized group” and some, if not all of their subscribers started receiving Viagra spam and other unsolicited email messages. AWeber is an email service provider that claims 65,000 customers. Each of their customers uploads a list of email addresses, so AWeber probably holds tens of millions of unique email addresses.

According to the AWeber blog, they had vulnerabilities in their software that allowed a malicious hacker to gain access to the database containing the email addresses. It’s unclear if they got the whole database or just part of it (and probably impossible to know for sure). AWeber assures us that it’s all fixed now.

I’m not sure that a customer reading AWeber’s description would get the right idea or understand the significance of what really happened.

AWeber points out with little red flags all the things that were NOT stolen, and makes a laundry list of everything they can think of. Pointing out that no “from email addresses” or “website URLs” were stolen seems to be really grasping at straws – maybe they thought that by making the list of what was NOT stolen bigger it would draw attention away from what was really stolen.


They also point out that the spam being sent to your customers isn’t being sent from AWeber, so it won’t hurt their deliverability. I’m sure that’s comforting for AWeber, and I’m sure it’s a common question their customers might have – but the way it’s written downplays the primary issue: that their email list was stolen.

They lost the subscriber lists. That’s the most valuable thing they have! If I were a customer of theirs, I’d much rather that they lost my credit card number than lose my list of subscribers. I can cancel my credit card – but I can’t ever get my email addresses back from the foreign criminals and everyone else they sell it to. Those users can never unsubscribe now – they will just get more and more spam until they switch to a new email address.

The criminals can now sell those email lists on the black market over and over. The problem is likely to get worse over time as each generation of the list gets resold. This is a Pandora’s box that can’t be closed after you open it.

I have a unique OtherInbox address that I gave to AWeber when I signed up to try out their service a few years ago. I haven’t received any email at that address since it was first used. But in the past week it has received 5 messages with various subject lines and the same NSFW body showing the before and after images of a penis enlargement device.

You know what I haven’t received? An email from AWeber notifying me that my email address was compromised. I guess they think that posting it to their blog is enough. But considering that none of the owners of the email addresses that were stolen even know who AWeber is, it’s pretty unlikely that they would be reading the AWeber blog. I don’t think it is adequate notice.

Fortunately, because that email address was only given to AWeber, I can just block that one email address and be done with it. But if they had your work email address, there is nothing you can do to fix it and it is just going to get worse over time.
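The per-service alias trick described above (one address per company, so unsolicited mail to that address points straight at the leak) can be automated. The script below is an added example, not the post’s or OtherInbox’s code: it assumes a hand-kept registry mapping each alias to the service it was given to and to the domain that service legitimately mails from, parses a few constructed messages, and reports which aliases now receive mail from anyone else, which is the signal that the service holding them lost the list. The registry entries, domains and sample messages are all constructed for illustration.

```python
"""Attribute a leaked address to the one service that was ever given it.

Assumed setup (illustrative, not the blog's own tooling): every signup gets
its own alias, and a registry records which service got which alias and the
domain that service legitimately sends from. Mail to an alias from any other
domain means the alias has left that service's hands.
"""
import email
import email.utils
from collections import Counter

# Constructed registry: alias -> (service name, legitimate sender domain).
ALIAS_REGISTRY = {
    "aweber-trial@inbox.example": ("AWeber", "aweber.example"),
    "acme-news@inbox.example": ("Acme newsletter", "acme.example"),
}

# Constructed RFC 5322 messages; none is a real spam sample.
SAMPLE_MESSAGES = [
    "From: AWeber <support@aweber.example>\n"
    "To: aweber-trial@inbox.example\nSubject: Welcome\n\nThanks for signing up.\n",
    "From: deals@pills.invalid\n"
    "To: aweber-trial@inbox.example\nSubject: Cheap meds\n\n(unsolicited)\n",
    "From: offers@lottery.invalid\n"
    "To: someone@other.example\nCc: aweber-trial@inbox.example\n"
    "Subject: You won\n\n(unsolicited)\n",
    "From: Acme <news@acme.example>\n"
    "To: acme-news@inbox.example\nSubject: Acme monthly\n\nNewsletter.\n",
]


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def recipient_addresses(msg):
    """Every address in To:, Cc: and Delivered-To:, lower-cased."""
    headers = []
    for field in ("To", "Cc", "Delivered-To"):
        headers.extend(msg.get_all(field, []))
    return {addr.lower() for _, addr in email.utils.getaddresses(headers) if addr}


def attribute_leaks(raw_messages, registry=ALIAS_REGISTRY):
    """Return {alias: count of messages from outside the service's domain}.

    Only aliases with at least one off-service message appear in the result;
    a registered alias that has only ever heard from its own service is clean.
    """
    unexpected = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        src = sender_domain(msg)
        for alias in recipient_addresses(msg):
            if alias not in registry:
                continue  # not one of our tracked aliases
            _, legit_domain = registry[alias]
            if src != legit_domain:
                unexpected[alias] += 1
    return dict(unexpected)


def leaked_services(raw_messages, registry=ALIAS_REGISTRY):
    """Names of the services whose alias is now receiving third-party mail."""
    return sorted({registry[a][0] for a in attribute_leaks(raw_messages, registry)})


def blocklist(raw_messages, registry=ALIAS_REGISTRY):
    """Aliases to retire: single-use addresses that have started leaking."""
    return sorted(attribute_leaks(raw_messages, registry))


if __name__ == "__main__":
    for alias, n in attribute_leaks(SAMPLE_MESSAGES).items():
        service, _ = ALIAS_REGISTRY[alias]
        print(f"{alias}: {n} off-service message(s) -> leaked by {service}")
    print("block:", blocklist(SAMPLE_MESSAGES))
```

Because the alias was handed to exactly one party, a single off-service message is already conclusive; the count only tells you how many times the list has been resold so far. Blocking the alias ends the problem for that mailbox, which is exactly the option a shared work address does not have.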


[Screenshot: OtherInbox view of the AWeber mailbox]

If AWeber was the Secret Service, this is like having the president get shot on their watch. Complete failure to protect their most important asset. I don’t have anything against AWeber and have always respected them – but I don’t see how we can let this one slip under the radar. Customers need to have higher expectations of their Email Service Provider, and consumers have to have higher expectations of the companies they purchase from.

If I were AWeber, I would be groveling to my customers and begging forgiveness, not pretending that it wasn’t a big deal. It seems like their attitude is all wrong – their original blog post didn’t even have an apology to their customers, it was added afterwards. When I ran SKYLIST and UnsubCentral, if for any reason I felt that our service had not lived up to the expectations we set with our customers I compensated them in some way (a month of free service at a minimum).

If you are an AWeber customer, you should probably consider sending notice to your own customers who were affected by this, the way that ProBlogger did and Seesmic did.

If you are an Email Service Provider, you need to make it clear to your customers that this is NOT something that is acceptable or expected to happen. You need to make it clear to your customers that their subscriber lists are safe and are not going to get hacked.

If you are a salesperson at an Email Service Provider, you should be calling up AWeber customers. Email Data Source can probably show you a list of them.



30 Responses to “Largest data breach in email marketing history? @Aweber subscriber lists stolen by foreign organized crime.”

  1. Neil Schwartzman
    December 29, 2009 at 9:53 am #

    I think saying it is the largest in history is a bit of an overstatement. For example, Lyris' Sparklist was robbed similarly in 2002 http://news.cnet.com/2100-1023-957567.html, and convicted felon Jason Smathers stole 30,000,000 addresses from AOL. http://edition.cnn.com/2005/TECH/internet/02/04/aol.spam.plea/

  2. Joshua Baer
    December 29, 2009 at 10:04 am #

    Thanks for adding more examples of ESP lists being stolen Neil! I forgot about them, but those are good ones.

    The Lyris Sparklist issue didn't seem to be conclusive while the AWeber one is pretty clear and they have acknowledged it.

    AOL technically isn't an ESP, and its quite likely that AWeber's database is bigger than 30 million uniques, so I still think the title of the post is fair.

    Why do you think that the previous breaches were covered by CNN and CNet and this one was largely unnoticed, even though there was lots of conclusive proof and an admission by AWeber?

  3. John Engler
    December 29, 2009 at 11:15 am #

    I think this one is getting overlooked because no "real brands" use Aweber… it's primarily an "affiliate marketing" ESP… so no one like MarketingSherpa, who has a considerable amount of value in their brand, are complaining loudly.

    It's also very likely CNet only picked up the Lyris story after Lyris sent out a press release announcing the story… Journalists rarely break news anymore…

  4. Tara Natanson
    December 30, 2009 at 10:27 am #

    With security breaches like this of course they are going to gloss over the worst parts and highlight the good, especially in public. I really can't fault them for that. They have a reputation to uphold with their customers.

    I think the right thing for them to do would be to suggest to their affected customers that they send out a message to their subscribers about what happened. The reality is that neither Aweber nor their customers really have to deal with the repercussions of the breach. It's the subscribers who are affected and they should be made aware of the issue, because as someone previously pointed out, the subscribers do not know who Aweber is and are not reading their blog.

  5. J.D. Falk
    December 31, 2009 at 9:42 am #

    I was researching this a bit further, and wanted to quote from some of the conversation here, but quite a bit of it has disappeared. What happened? Typepad bug?

  6. Tim Linden
    January 3, 2010 at 7:35 am #

    Yeah I was surprised too at the lack of response over it. Many of my subscribers noticed an increase of mail, and it's especially bad because many users use a different email for each list so they can see who's giving out the email. Well, now it looks like I did! I had to give a list of links to one subscriber who thought I was BS'ng him when I told him it got hacked. He said ya sure you sold it.. Reputation hurt..

  7. Tony Bright
    January 5, 2010 at 11:41 am #

    I find it interesting that I have heard nothing about this from any of the lists that I am on that use Aweber. I also never heard anything from Aweber since I am a customer.

    I found out about this through a how to make money online forum that has many members using Aweber.

    I have to admit I am somewhat perplexed and lost for what to do about it other than notify my own list. My only concern about doing that is that many may unsubscribe out of fear.

    I suspect that could be the reason for the silence from others whose lists I am on.

  8. craig
    January 5, 2010 at 4:13 pm #

    Good job I have only 148 subscribers and not 14000?
    Very worrying though

  9. steve solem
    January 12, 2010 at 7:46 pm #

    Just heard about this in a forum the other day myself and as a longtime paying customer I find it unacceptable that they wouldn't be proactive enough to contact their clients directly. I asked if maybe I missed the email or if they didn't notify clients directly – their response was that it was posted on the blog and in their control panel when you log in – but news this bad should've been emailed at the least – a phone call wouldn't be out of the question…at least if they want to preserve any remaining good will.

    Unfortunately I'll have a hard time trusting them going forward so they'll probably lose my business, and I'll think twice about signing up for lists that use Aweber as their provider. Funny, I used to only signup for lists that were managed by aweber because I thought my email would be safest with a reliable service like them, now I'll be avoiding them.

    Steve

  10. ATG
    January 13, 2010 at 1:04 am #

    I just received an email from Aweber notifying me of the breach. That is how I got to this page. Too little too late?

  11. Krzysztof Jarecki
    January 13, 2010 at 4:33 am #

    Campaign Monitor got hacked in August, now AWeber in December. Maybe spammers found it cheaper and more effective to hack ESPs rather than harvest and steal minor amounts of emails from users' contacts with malware. One shot and millions of valid email addresses are at their hands…

    Maybe iContact, Constant Contact and GetResponse are next targets?

  12. Marek "Maznu" Isalski
    January 28, 2010 at 5:31 am #

    Krzysztof: looks like you made a good guess there. http://blog.deliverability.com/2010/01/is-your-list-hosted-at-icontact-it-may-have-been-stolen.html :-)

  13. Cheap Computers Canada
    April 14, 2010 at 6:20 am #

    Security is a real problem as we never even know what hits us till we land flat on our faces.

  14. Assertiveness Courses
    May 17, 2010 at 6:58 am #

    The thing that really gets me about this is that no-one is taking any responsibility. What happens if our customers complain because they find out about this – who do they have a right to complain to? Is it us because we chose where to hold their data?

    Very iffy stuff.

  15. cheap computers canada
    July 5, 2010 at 7:26 am #

    This is very shocking news and I can't imagine that data can be leaked. I think proper measures should have been taken by the company during the marketing campaign. Thanks for sharing this news.

  16. affiliate marketing ebook
    July 27, 2010 at 5:40 pm #

    I have to say that it is certainly surprising how unnoticed this incident went. It should serve as a warning to other companies to ensure they take the necessary precautions to prevent another incident like this from happening.

  17. Prosolution pills reviews
    September 2, 2010 at 11:08 pm #

    I am surprised with this kind of negligence about the email list. I would like to suggest that this is an important issue and they have to go the last mile for protecting the email lists.
    Apart from this, thanks for sharing such an informative article here.
    Regards,

  18. Refurbished Computers
    September 16, 2010 at 7:45 am #

    That's really shocking that such a big company's server gets hacked and nothing happens.

    This is a serious crime which I feel should be taken seriously

  19. Evan
    November 3, 2010 at 4:37 pm #

    This is an old post, but guess what, it happened again!
    http://www.bustspammers.com/aweber-hacked-email-addresses-stolen.html

    They didn't even notify list owners and they don't give a sh.. because most subscribers will never know about AWeber.

    You're putting YOUR business reputation at stake here. Your subscribers think you sold their email address when they suddenly get spam. Happened to me and it's not funny!

    Once – maybe a hacker just got really lucky. Twice – there's something wrong with your security! I'm moving my list elsewhere.

  20. billige mobiler
    December 13, 2010 at 11:04 am #

    oh lord, not Aweber!!! It seems like almost everybody's using this service.

  21. Prosolution pills reviews
    January 7, 2011 at 5:27 am #

    Really a great loss for them.

  22. Billig Abonnement
    January 8, 2011 at 12:47 pm #

    Yeah, It must be.. But I don't care anyway:-p

  23. Sergio
    January 12, 2011 at 5:16 pm #

    I'm shocked!! I use aweber and I was not informed. I'm an internet marketer myself and even though I have not received any comment from my customers regarding any unwanted information I really think Aweber should have told me so I could send an e-mail to my list about it.

    It is really a shame what happened and even worse, how the company reacted.

  24. Sergio Vertizf
    January 12, 2011 at 5:54 pm #

    I'm afraid to ask, is it possible I get sued?

  25. Martin
    January 12, 2011 at 5:59 pm #

    I'm an Aweber customer, I must say it's terrible this happened and what's even worse is the company didn't bother to tell its customers as soon as it happened. It is disappointing how they managed it. What will happen with our credibility?

  26. Andy
    January 12, 2011 at 6:04 pm #

    It's already hard to get people's trust so they provide personal data with all the spammers around and now this!!
    The very least they could do is send an apology so the users of this service could have forwarded it to their customers.

  27. roger
    January 18, 2011 at 8:45 am #

    It's really glad to read about the following topic which has enhanced my knowledge regarding topic and plus has given alot of ideas which I can think on.
    So I would say thank you to the blog owner for providing this amazing information.

  28. roger
    January 19, 2011 at 5:04 am #

    It's really glad to read about the following topic which has enhanced my knowledge regarding topic and plus has given alot of ideas which I can think on.
    So I would say thank you to the blog owner for providing this amazing information.

  29. roger
    January 19, 2011 at 5:07 am #

    It's really glad to read about the following topic which has enhanced my knowledge regarding topic and plus has given alot of ideas which I can think on.
    So I would say thank you to the blog owner for providing this amazing information.

  30. cheap computers
    January 20, 2011 at 6:26 am #

    The blog is full of information which I have been looking for and not only this, it also helps us in getting the correct facts and figures. The blogger has done a really good work in updating his blog. Keep it up
