We're seeing reports at OtherInbox of spam emails sent to email lists that are hosted at iContact. Our users give each website a different email address so it's easy to see when they get abused. I received an email with the subject "Pharmacy Best Product Vicodin.Viagra!!!!!" to an email address that was only given to Shoeboxed.com (a great service that I love).
Other users are reporting emails to addresses given to other companies that have no affiliation with Shoeboxed, but the one common thread seems to be that they all use iContact. Another list that is hosted at iContact and seems to be stolen is eApps.com. We know of at least 8 different companies affected by this so far.
Marek Isalski did a great job documenting the breach here.
There may be another explanation, so we've reached out to iContact on Twitter and are watching their blog for more info, but so far they have not responded. Understandably, they are probably doing their own research before they make any announcements. (Update: iContact has updated their blog acknowledging the issue but with few other details.)
Is your list hosted at iContact? Do you have any unique seeds on it? If so, leave a message in the comments and tell me if you received this same spam email.
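The per-site seed-address check described above can be automated. The following is an added example, not code from OtherInbox or iContact: it reads recipients out of spam samples, matches them against a seed registry, and reports which list host the leaked seeds have in common and which seeds at that host are still clean. All addresses, site names and host names are constructed placeholders.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

# Constructed seed registry: unique address -> (site it was given to, that site's list host).
SEEDS = {
    "shop-a@seeds.example": ("shop-a.example", "esp-one"),
    "shop-b@seeds.example": ("shop-b.example", "esp-one"),
    "shop-c@seeds.example": ("shop-c.example", "esp-one"),
    "news-d@seeds.example": ("news-d.example", "esp-two"),
}

# Constructed spam samples (raw message text), including a mixed-case recipient,
# a seed that only appears in Delivered-To, and an unrelated message.
SPAM = [
    "From: x@spam.example\nTo: shop-a@seeds.example\nSubject: Pharmacy\n\nbody",
    "From: y@spam.example\nTo: Shop-B@Seeds.Example\nSubject: Pharmacy\n\nbody",
    "From: z@spam.example\nTo: undisclosed@spam.example\n"
    "Delivered-To: shop-a@seeds.example\nSubject: Pharmacy\n\nbody",
    "From: q@spam.example\nTo: someone@else.example\nSubject: hi\n\nbody",
]

def recipients(raw):
    """Return every lower-cased recipient address found in the delivery headers."""
    msg = message_from_string(raw)
    values = []
    for header in ("To", "Cc", "Delivered-To", "X-Original-To"):
        values.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}

def attribute(spam, seeds):
    """Group seeds by list host, split into spammed ('hit') and untouched ('clean')."""
    hit = set()
    for raw in spam:
        hit |= {addr for addr in recipients(raw) if addr in seeds}
    report = defaultdict(lambda: {"hit": [], "clean": []})
    for addr, (_site, host) in seeds.items():
        report[host]["hit" if addr in hit else "clean"].append(addr)
    return {h: {k: sorted(v) for k, v in r.items()} for h, r in report.items()}

def common_host(report):
    """Return the single host shared by all leaked seeds, or None if there isn't one."""
    hosts = [h for h, r in report.items() if r["hit"]]
    return hosts[0] if len(hosts) == 1 else None

if __name__ == "__main__":
    rep = attribute(SPAM, SEEDS)
    print(common_host(rep), rep)
```

A seed that lands in the "clean" list for the suspected host does not rule out a leak; it may simply not have been mailed yet.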




Hi there,
Glad to read about this starting to get exposure. Just a small thing: maz/maznu is my alias, but Marek Isalski is my proper name =)
Take care,
Maz
Posted by: Marek "Maznu" Isalski | January 27, 2010 at 11:20 AM
It looks like Laura Atkins was right on top of this too... she blogged about it here yesterday http://blog.wordtothewise.com/2010/01/esps-leaking-email-addresses/
Posted by: Joshua Baer | January 27, 2010 at 11:37 AM
Done a bit more research, which is inconclusive, at http://blog.maz.nu/post/357792275/icontact-update
It would appear that one of the addresses that iContact.com have on file for me hasn't been compromised... or maybe I'm still waiting for the spam to be sent to it?
Posted by: Marek "Maznu" Isalski | January 28, 2010 at 06:13 AM
I'm starting to get reports from my site members about spam coming to their email address used to sign up on my site. NOW it's starting to make sense since I use iContact for my newsletter.
Damn it.
Posted by: Matt | January 28, 2010 at 02:00 PM
We're digging into this over at Sneakemail because of many user complaints and because of suspiciously increased traffic.
http://sneakemail.com/bulk_cracked
Posted by: Kevin | January 29, 2010 at 11:21 PM
We have lots of unique email addresses used to subscribe to different lists, more than 20 used for lists hosted by iContact.
All of those addresses are now receiving spam.
Posted by: Massimo Fubini | January 30, 2010 at 04:01 PM
iContact has updated their blog acknowledging the breach. They don't allow comments, so I guess people just comment here instead!
http://www.icontact.com/blog?blog=6&paged=2
Posted by: Joshua Baer | February 01, 2010 at 10:37 AM