December 29, 2009
Largest data breach in email marketing history? @Aweber subscriber lists stolen by foreign organized crime.
I'm amazed that what is probably the largest data breach in email marketing history has gone largely unnoticed by the email marketing community. Suppression lists get stolen all the time, but I've never heard of an ESP getting hacked and compromising the subscriber lists of all of its customers.
I haven't seen a single article about it in any of the trade magazines, not to mention that TechCrunch usually loves to cover this sort of thing. A few bloggers have talked about it (here and here) and Al Iverson wrote a short post, but I'm surprised how little it was covered by the mainstream press. Maybe it's due to the timing, right before the holiday?
At the end of December, AWeber says their database was hacked by an "overseas organized group" and some, if not all of their subscribers started receiving Viagra spam and other unsolicited email messages. AWeber is an email service provider that claims 65,000 customers. Each of their customers uploads a list of email addresses, so AWeber probably holds tens of millions of unique email addresses.
According to the AWeber blog, they had vulnerabilities in their software that allowed a malicious hacker to gain access to the database containing the email addresses. It's unclear if they got the whole database or just part of it (and probably impossible to know for sure). AWeber assures us that it's all fixed now.
I'm not sure that a customer reading AWeber's description would get the right idea or understand the significance of what really happened.
AWeber points out with little red flags all the things that were NOT stolen, and makes a laundry list of everything they can think of. Pointing out that no "from email addresses" or "website URLs" were stolen seems to be really grasping at straws - maybe they thought that by making the list of NOT bigger it would draw attention away from what was really stolen.
They also point out that the spam being sent to your customers isn't being sent from AWeber, so it won't hurt their deliverability. I'm sure that's comforting for AWeber, and I'm sure it's a common question their customers might have - but the way it's written downplays the primary issue that their email list was stolen.
They lost the subscriber lists. That's the most valuable thing they have! If I were a customer of theirs, I'd much rather that they lost my credit card number than lose my list of subscribers. I can cancel my credit card - but I can't ever get my email addresses back from the foreign criminals and everyone else they sell it to. Those users can never unsubscribe now - they will just get more and more spam until they switch to a new email address.
The criminals can now sell those email lists on the black market over and over. The problem is likely to get worse over time as each generation of the list gets resold. This is a Pandora's box that can't be closed after you open it.
I have a unique OtherInbox address that I gave to AWeber when I signed up to try out their service a few years ago. I haven't received any email at that address since it was first used. But in the past week it has received 5 messages with various subject lines and the same NSFW body showing the before and after images of a penis enlargement device.
You know what I haven't received? An email from AWeber notifying me that my email address was compromised. I guess they think that posting it to their blog is enough. But considering that none of the owners of the email addresses that were stolen even know who AWeber is, it's pretty unlikely that they would be reading the AWeber blog. I don't think it is adequate notice.
Fortunately, because that email address was only given to AWeber, I can just Block that one email address and be done with it. But if they had your work email address, there is nothing you can do to fix it and it is just going to get worse over time.
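The two paragraphs above describe a practical defensive technique: hand each service its own unique address, so that when unsolicited mail arrives you can tell which service leaked it, and retire just that one alias. The following is an added example (not code from the original post, OtherInbox, or AWeber) that automates that attribution over a constructed sample inbox. The alias-to-service mapping, the expected sender domains, the addresses and the messages are all assumptions made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed sample: each alias was handed to exactly one service, except the
# shared work address, which many parties know and which therefore cannot be
# attributed to a single leak (None).
ALIAS_OWNERS = {
    "otherinbox-aweber@example.net": "AWeber",
    "otherinbox-shop@example.net": "Example Shop",
    "me@work.example.com": None,
}

# Sender domains each service legitimately mails from (constructed values).
EXPECTED_DOMAINS = {
    "AWeber": {"aweber.com"},
    "Example Shop": {"shop.example"},
}


@dataclass(frozen=True)
class Message:
    to: str
    sender: str
    subject: str


# Constructed inbox: one legitimate message per service, two spam messages to
# the AWeber-only alias, one spam message to the shared address, and one
# message to an address we never handed out.
SAMPLE_INBOX = [
    Message("otherinbox-aweber@example.net", "AWeber <support@aweber.com>", "Welcome to your trial"),
    Message("otherinbox-aweber@example.net", "pharma@promo-deals.invalid", "Enlargement before/after"),
    Message("OtherInbox-AWeber@example.net", "offers@cheapmeds.invalid", "Re: your order"),
    Message("otherinbox-shop@example.net", "orders@shop.example", "Your receipt"),
    Message("me@work.example.com", "win@lottery.invalid", "You have won"),
    Message("someoneelse@example.net", "x@y.invalid", "Not one of our aliases; ignored"),
]


def sender_domain(addr):
    """Extract the lowercase domain from a display-name or bare address."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def attribute_leaks(inbox, alias_owners=ALIAS_OWNERS, expected=EXPECTED_DOMAINS):
    """Group mail that did not come from the alias's own service by that service.

    Returns {service: [messages]}; mail to a shared (None) alias is collected
    under "<unattributable>" because any of its holders could have leaked it.
    """
    report = defaultdict(list)
    for msg in inbox:
        to = msg.to.lower()          # local parts are case-insensitive in practice
        if to not in alias_owners:
            continue                 # not an alias we track
        owner = alias_owners[to]
        if owner is None:
            report["<unattributable>"].append(msg)
            continue
        if sender_domain(msg.sender) in expected.get(owner, set()):
            continue                 # the service mailing its own alias is fine
        report[owner].append(msg)
    return dict(report)


def blockable_aliases(report, alias_owners=ALIAS_OWNERS):
    """Unique aliases tied to a leaking service can simply be retired."""
    leaked = {svc for svc in report if svc != "<unattributable>"}
    return sorted(alias for alias, svc in alias_owners.items() if svc in leaked)


if __name__ == "__main__":
    report = attribute_leaks(SAMPLE_INBOX)
    for service, msgs in report.items():
        print(f"{service}: {len(msgs)} unexpected message(s)")
    print("aliases to retire:", blockable_aliases(report))
```

The report singles out the AWeber alias because mail arrived there from domains the service never uses, while the shared work address ends up in the unattributable bucket, which is exactly the situation the post describes: a unique alias can be blocked and forgotten, a widely known address cannot.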
If AWeber were the Secret Service, this is like having the president get shot on their watch. Complete failure to protect their most important asset. I don't have anything against AWeber and have always respected them - but I don't see how we can let this one slip under the radar. Customers need to have higher expectations of their Email Service Provider, and consumers have to have higher expectations of the companies they purchase from.
If I were AWeber, I would be groveling to my customers and begging forgiveness, not pretending that it wasn't a big deal. It seems like their attitude is all wrong - their original blog post didn't even have an apology to their customers, it was added afterwards. When I ran SKYLIST and UnsubCentral, if for any reason I felt that our service had not lived up to the expectations we set with our customers I compensated them in some way (a month of free service at a minimum).
If you are an AWeber customer, you should probably consider sending notice to your own customers who were affected by this, the way that ProBlogger did and Seesmic did.
If you are an Email Service Provider, you need to make it clear to your customers that this is NOT something that is acceptable or expected to happen. You need to make it clear to your customers that their subscriber lists are safe and are not going to get hacked.
If you are a salesperson at an Email Service Provider, you should be calling up AWeber customers. Email Data Source can probably show you a list of them.
I think saying it is the largest in history is a bit of an overstatement. For example, Lyris' Sparklist was robbed similarly in 2002 http://news.cnet.com/2100-1023-957567.html, and convicted felon Jason Smathers stole 30,000,000 addresses from AOL. http://edition.cnn.com/2005/TECH/internet/02/04/aol.spam.plea/
Posted by: Neil Schwartzman | December 29, 2009 at 09:53 AM
Thanks for adding more examples of ESP lists being stolen Neil! I forgot about them, but those are good ones.
The Lyris Sparklist issue didn't seem to be conclusive while the AWeber one is pretty clear and they have acknowledged it.
AOL technically isn't an ESP, and it's quite likely that AWeber's database is bigger than 30 million uniques, so I still think the title of the post is fair.
Why do you think that the previous breaches were covered by CNN and CNet and this one was largely unnoticed, even though there was lots of conclusive proof and an admission by AWeber?
Posted by: Joshua Baer | December 29, 2009 at 10:04 AM
I think this one is getting overlooked because no "real brands" use Aweber... it's primarily an "affiliate marketing" ESP... so no one like MarketingSherpa, who has a considerable amount of value in their brand, are complaining loudly.
It's also very likely CNet only picked up the Lyris story after Lyris sent out a press release announcing the story... Journalists rarely break news anymore...
Posted by: John Engler | December 29, 2009 at 11:15 AM
With security breaches like this of course they are going to gloss over the worst parts and highlight the good, especially in public. I really can't fault them for that. They have a reputation to uphold with their customers.
I think the right thing for them to do would be to suggest to their affected customers that they send out a message to their subscribers about what happened. The reality is that neither Aweber nor their customers really have to deal with the repercussions of the breach. It's the subscribers who are affected and they should be made aware of the issue, because as someone previously pointed out, the subscribers do not know who Aweber is and are not reading their blog.
Posted by: Tara Natanson | December 30, 2009 at 10:27 AM
I was researching this a bit further, and wanted to quote from some of the conversation here, but quite a bit of it has disappeared. What happened? Typepad bug?
Posted by: J.D. Falk | December 31, 2009 at 09:42 AM
Yeah I was surprised too at the lack of response over it. Many of my subscribers noticed an increase of mail, and it's especially bad because many users use a different email for each list so they can see who's giving out the email. Well, now it looks like I did! I had to give a list of links to one subscriber who thought I was BS'ing him when I told him it got hacked. He said ya sure you sold it.. Reputation hurt..
Posted by: Tim Linden | January 03, 2010 at 07:35 AM
I find it interesting that I have heard nothing about this from any of the lists that I am on that use Aweber. I also never heard anything from Aweber since I am a customer.
I found out about this through a how to make money online forum that has many members using Aweber.
I have to admit I am somewhat perplexed and lost for what to do about it other than notify my own list. My only concern about doing that is that many may unsubscribe out of fear.
I suspect that could be the reason for the silence from others whose lists I am on.
Posted by: Tony Bright | January 05, 2010 at 11:41 AM
Good job I have only 148 subscribers and not 14000?
Very worrying though
Posted by: craig | January 05, 2010 at 04:13 PM
Just heard about this in a forum the other day myself and as a longtime paying customer I find it unacceptable that they wouldn't be proactive enough to contact their clients directly. I asked if maybe I missed the email or if they didn't notify clients directly - their response was that it was posted on the blog and in their control panel when you log in - but news this bad should've been emailed at the least - a phone call wouldn't be out of the question...at least if they want to preserve any remaining good will.
Unfortunately I'll have a hard time trusting them going forward so they'll probably lose my business, and I'll think twice about signing up for lists that use Aweber as their provider. Funny, I used to only sign up for lists that were managed by Aweber because I thought my email would be safest with a reliable service like them; now I'll be avoiding them.
Steve
Posted by: steve solem | January 12, 2010 at 07:46 PM
I just received an email from Aweber notifying me of the breach. That is how I got to this page. Too little too late?
Posted by: ATG | January 13, 2010 at 01:04 AM
Campaign Monitor got hacked in August, now AWeber in December.
Maybe spammers found it cheaper and more effective to hack ESPs rather than harvest and steal minor amounts of emails from users' contacts with malware. One shot and millions of valid email addresses are at their hands...
Maybe iContact, Constant Contact and GetResponse are next targets?
Posted by: Krzysztof Jarecki | January 13, 2010 at 04:33 AM
Krzysztof: looks like you made a good guess there. http://blog.deliverability.com/2010/01/is-your-list-hosted-at-icontact-it-may-have-been-stolen.html :-)
Posted by: Marek "Maznu" Isalski | January 28, 2010 at 05:31 AM
Security is a real problem as we never even know what hits us till we land flat on our faces.
Posted by: Cheap Computers Canada | April 14, 2010 at 06:20 AM
The thing that really gets me about this is that no-one is taking any responsibility. What happens if our customers complain because they find out about this - who do they have a right to complain to? Is it us because we chose where to hold their data?
Very iffy stuff.
Posted by: Assertiveness Courses | May 17, 2010 at 06:58 AM
This is very shocking news and I can't imagine that data can be leaked. I think proper measures should have been taken by the company during the marketing campaign. Thanks for sharing this news.
Posted by: cheap computers canada | July 05, 2010 at 07:26 AM
I have to say that it is certainly surprising how unnoticed this incident went. It should serve as a warning to other companies to ensure they take the necessary precautions to prevent another incident like this from happening.
Posted by: affiliate marketing ebook | July 27, 2010 at 05:40 PM