Close
Close

Aweber Makes a Statement About Their Data Being Compromised

As a quick update to my post over the weekend about Aweber’s system being compromised and spam emails being sent out to those that subscribe to Aweber lists – Aweber have today released a statement acknowledging the problem and talking about what they have done as a result of it.

A quick summary:

  • They’re putting it down to vulnerabilities in two third party software systems that they use.
  • They’re saying that the hack was limited to areas where subscriber email addresses were stored.
  • They believe that the attack was done but an ‘overseas organised group’.
  • They state that no other information was taken including information about customers accounts or affiliates accounts.
  • They say that Aweber’s system was not used in the spamming and as a result deliverability rates have not been impacted
  • They’ve closed the vulnerabilities.

Of course the reality is that while Aweber customers own details and information have not been compromised (this is a relief) – our lists have. While there’s nothing that Aweber can do about this now – the reality is that we as their customers do have to live with the knowledge that our readers, those who trust us with their details, are now getting spammed and that this spam could continue indefinitely.

While I understand Aweber’s statement, feel sorry that they went through this, am happy that it’s not as bad as it could have been and know this stuff happens – I do have some mixed feelings on this:

  • Firstly I’ve got over 333,000 subscribers who have potentially been receiving spam in the last few days. This makes me feel ill and embarrassed. I’ve fielded many many emails in the last few days from angry and confused readers. While not all will realize why they’re being spammed now some who have set up specific addresses for my newsletters have – and they’re now angry and have a damaged view of my brand (and some have unsubscribed*). If you’re one of these subscribers – I’m truly sorry – I wish there were something that I could do except suggest you mark the spam as spam and/or resubscribe with a new email address.
  • Secondly I’ve been actively recommending Aweber for a year or two here on ProBlogger. I personally want to apologise to my readers who have acted on that recommendation who have been impacted by this. While by no means is it my fault that there was this flaw in Aweber’s system I acknowledge that my genuine recommendation has led to these implications.

I think Aweber has an amazing service. They’ve become an integral part of my own business, have always given me amazing service and I will continue to use them. However I guess I wanted to also acknowledge to others hurt by this that I’m sorry for my part in it (indirect or not).

While Aweber does not apologise in their statement (I guess the lawyers might have had a part in that) I certainly want to express my sorrow for this event to those of you impacted by it.

Update: Aweber have since updated their statement to express that they’re sorry.

There is no perfect system. Over the years my own sites have been hacked (as have many many successful businesses). It is just a pity that this particular instance has impacted so many people.

* as I’m about to hit publish on this I thought I’d check out how many of my subscribers have in fact unsubscribed over the last few days. What I found in the reports section was very odd – for the last 3 days Aweber is reporting that not a single person has unsubscribed from my lists. The blue part of the chart is the unsubscribers – you’ll see in the last three days it is not there at all).

This is bizarre – in the last month of the stats there has not been a single day that I’ve not had someone unsubscribe – in fact I can’t remember a day that there wasn’t at least 10 for much longer than that (it’s just a natural part of having a list of the size that I do) – to have 3 days in a row with no unsubscribers is very very odd. Hopefully it’s just a glitch!

Screen shot 2009-12-22 at 9.55.46 AM.png

About Darren Rowse

Darren Rowse is the founder and editor of ProBlogger Blog Tips and Digital Photography School. Learn more about him here and connect with him on Twitter, Facebook, Google+ and LinkedIn.

Problogger.net runs on the Genesis Framework

Genesis Framework

The Genesis Framework empowers you to quickly and easily build incredible websites with WordPress. Genesis provides the secure and search-engine-optimized foundation that takes WordPress to places you never thought it could go.

Check out the incredible features and the selection of designs. It's that simple - start using Genesis now!

Comments

  1. hilary says:

    Your link to this in twitter appears to be broken?

  2. JoseOrestes says:

    a shame, when I thought start using it, I appreciate the sincerity of this blog and its author always

  3. Alison says:

    Thanks for bringing this to my attention and printing the follow up statement. I too hold my lists with aweber and this is certainly a worrying event.
    Re. the unsubscribe issue – made me smile as my first thought was to wonder whether the spammers have been giving your list content they enjoyed? ! ;)

  4. ThompsonPaul says:

    Yea, to say “deliverability rates have not been impacted” is pretty disingenuous, bordering on insulting. What they mean is their deliverability rate is OK, even though that of individual clients has clearly been harmed.

    I dearly hope the lack of unsubscriber info is an accidental byproduct of whatever happened, and not an intentional effort to hide the true potential damage to individual clients.

    You demonstrate your usual class by clearly reminding that this kind of crap can happen within any complex system & doesn’t necessarily mean carelessness on their part.

    Paul

  5. Lawyers will be a massively part in all this, It would be interesting to see which third party apps were used to do the hack.

    Don’t beat yourself up about it Darren, You’re a guy of integrity we know that. It’s not your fault as you said and I use aweber, everything is vunrable nothing is 100%, but it is still the only solution to use.

    Good post

  6. Allan Ward says:

    Thanks for the update Darren.

    I haven’t got a dedicated email address for all the lists I subscribe to, but I had noticed an increase in spam to the two email addresses I use for blogging.

    It’s a concern that Aweber was able to be hacked in this manner and this private data was accessed and used. Like you, I’m concerned that my brand may be tarnished by the spam going out to people on my lists.

    We assume that a company like Aweber would have the appropriate security measures in place to prevent this. It’s nice to know they’ve fixed the problem, but it’s too late in this instance. Are there other vulnerabilities in Aweber that could also be exploited?

    And lets not assume the problem is just with Aweber. They’re an easy target because of their popularity, but I’m sure their competitors are busy reviewing their security to prevent this happening to them.

  7. Pat says:

    Thanks for the update Darren and your constant eye on the situation. As I mentioned in your last post about it, I spoke with them over the phone and they told me exactly what you have written. Definitely not a good thing, but at least they’re on it now and have made public about the situation.

  8. Eric B. says:

    That’s no good to hear. I hope this all gets sorted out soon.

  9. I don’t think it’s odd that you’re seeing a very low unsubscribe as a result. I am staying as a loyal subscriber, and I suspect I’m far from alone in choosing to stay.

    You demonstrate honesty, compassion and transparency, living up to the rules of blogging that you recommend to your readers.

    Sure, spam is inconvenient, no matter what the source, but life goes on, and a little bit of spam is hardly enough of a reason to make me reach for the unsubscribe link.

  10. I think this could happen to any company, so I wouldn’t get upset because it happens once. If it keeps happening over and over again is when I would start to get concerned and possibly move.

    The unsubscribes could be because of the holidays? People are not at their computers as much and probably not seeing your e-mails, which means that they don’t have the chance to unsubscribe. Just a wild guess.

  11. rick says:

    This is yet just another reminder about how fragile e-businesses can be…What a shame..I think Aweber is a great service. I can only imagine what kind of financial impact this has had on them.

  12. I’m too worried about it, it is what it is.

    It happens and we just have to make sure we do what we can.

  13. Greg Ellison says:

    I am glade that they found the problem and resolved it. Hopefully this won’t happen again. Greg Ellison

  14. I think you’ve done a great job of discussing and exposing this issue, Darren. Thanks!

    What I don’t get is why people on the Web are rushing to defend Aweber and compliment them for their “open,” “honest” and “prompt” response… when, in reality, their initial response to those who tried to point out the problem was denial, denial, denial.

    Doesn’t anyone remember “After receiving your email our team went through an exhaustive list of checks just to make sure that there are no indications that connects this spam message you received to an issue with AWeber. All of our tests have come back secure with no reports of intrusion or compromise.” ???

    I figured, “Hey, maybe there’s an explanation for that” and didn’t want to start talking about this on my podcast without giving them a fair shake… so I used the e-mail comment form that they tout on their “apology blog post” to ask them for their position on their initial denial.

    So what happened? When I hit “Submit” I got:

    Error:
    We were unable to process your request.
    Please try again, or contact us via live support or phone

    Trying again didn’t help, and it’s not my job to call a support tech and sit on hold for a response I’m not going to be able to quote anyway. (And since it was the “live support tool” that caused the compromise, who knows whether/how that works right now…)

    This is Customer Service 101… and Aweber is getting an ‘F’ in it. Don’t tell your customers to buzz off when they (accurately) report that you’ve been hacked, don’t sit on the issue for three days, and don’t force your written follow-up communication through a comment form that’s broken.

    Right? What am I missing?

  15. Paul says:

    I’m still trying to work out how to feel about all this. On the one hand all of the spam I received to my own email addresses got caught by spam filters, so in effect the actual impact was nil.

    However I feel bad for people who subscribed to my lists who just use one regular address for everything, and who may have received a deluge of spam. Hopefully that is few if any.

    I also kind of hope that some people who do use unique, special addresses for each list they opt-in to will just shrug and say “This is why I use unique, special addresses in the first place” and not be bothered too much.

    I’m going to keep using Aweber for now but the shine has definitely come off them a little. I pay them money and work hard to build my lists. Its going to take some time to rebuild my previously high view of them.

  16. M.A. Romero says:

    This is a shame.

    I’ve been dithering over the weekend on moving my small (7,000+) list to Aweber based on the review I had read here a couple weeks ago but hesitated after seeing the link was an affiliate link. Yesterday I started to sign up but backed off to rethink it a little. Now this news will make me wait a little,

    On the Aweber site I cannot sign up for my size of list as it insists on making me sign up for 500 subscribers for $1. first month and I find this a bit confusing.

    Also last night on their website I was looking for options and trying to search the knowledge base and it was non-functional. It just kept forcing me back to the $1. sign up page.

    Some comments I’ve seen are negative about the new form generator users are apparently now forced to use and which produces bloated sign up form pages.

    What are the recommended alternatives to Aweber?

  17. Paul says:

    @M.A. Romero – most if not all of their site was redirecting to the landing page the last 24 hours or so. I can only assume that was while they crawled through their other web content looking for any other security issues.

    Looks like the signup form is geared towards new subscribers. I’d bet you could just signup that way and then work with them to import your list. Or contact their sales team about importing the list up front.

    If you’re looking for alternatives then I hear good things about Mailchimp as well.

  18. George says:

    Wow, that is really troubling. I use and recommend Aweber too. I think they should provide credit to all customers who were affected.

  19. Avinash says:

    I cancelled by Aweber account just yesterday, the reason not 100% due to this spam ficaso, but yes it did play a part in that decision. I am fully aware that anything cant be perfect but getting spam thru someone reputable as problogger doesnt go down well even though there was no fault of yours.

    Mine is a small blog which atleast right now cant even afford Aweber in one way and also cant risk its subscribers base if aweber is compromised.

  20. James Pruitt says:

    It just goes to show that no matter how good your security is, someone will see it as a challenge and find a way to get what they want. It is sad that people have to take advantage of people, and these people blame the customers for not trusting us.
    Thank you for keeping us up to date with what is going on. You ROCK

  21. Manshu says:

    Thanks for the post for Darren, things like this only increase my trust in you because you are taking responsibility for stuff that you had absolutely no control over.

  22. Jim Logan says:

    I too am a long time Aweber subscriber. I’ve personally recommended their service for years and am sure I will recommend then years from now. They’re very good at what they do.

    The scum in this story are the people who hijacked their data. I too have had my site ‘stolen.’

    Let’s not make this into something it isn’t. It’s not the end of the world. Let’s not act like it.

    The US government is hacked almost daily. In the grand scheme of things, this (Aweber’s incident) is nothing.

    The real issue is scumbags around the world who get off doing things like this. No system is 100% safe or secure. Reality.

    Final reality is Aweber is a company who doesn’t hide, shed responsibility or fail to take action. I’ll stay with them to the end. They’ve proven they’re a real company.

  23. It seems aweber is not reporting the unsubscribes correctly.

  24. Unfortunately this spam still arrive to my account, I really appreciate that you gave an explanation, these all mails are really spam from a drugstore or something like that, the only thing I can do is to eliminate them whe they arrive, there is not an opion to unsubscrite, it is really spam.

  25. cables says:

    wow! thanks for the useful information. I use aweber and love it but I learned some new things from this post.

  26. Nibras Bawa says:

    Hey… not to worry. Aweber or not, i’ll continue to be subscriber and reader of this blog. Aweber is a system so it can let me down badly, but i know Darren Rowse’s conscience will do justice, so i am with you 100%. Appreciate your sincerity darren.

    Merry Christmas to you and your family from Singapore :)

  27. axel g says:

    The email list is an important tool when it comes to keeping in touch with the readership and also a natural way to boost traffic.

    So, using a reliable service is vital…

    Thanks for the update Darren!

  28. Well I’ll still use AWeber.. I have done so in 6 months I think. And will continue. I haven’t noticed any spam mails. Maybe because my list isn’t big enough…

  29. Kris Roxas says:

    Hahaha, well it’s a good thing my email lists haven’t really been big enough to be a huge difference. They might have been sent spam, but at least it wouldn’t be too bad.

    They have fixed their system, right? I kind of hope they did…

    -Kris Roxas

  30. Glad the problem is solved. I think it is great that Aweber finally make their statement officially according the spam problem before.

  31. Fazreen says:

    Thank god it was not happen to my my list. No one of my subscriber complaint on this spam.

    Anyway, nothing is perfect in this world. Hackers are getting smart day by day

    After all this, I still believe AWeber is one of the best autoresponder service so far

  32. I concur with ‘henri at wake up cloud’s response. You don’t discard long-time friends because they made a mistake, especially with something that happened ‘down the line’ where they placed their trust. They too have been hurt by the event.

    I say chalk it up to ‘stuff happens’. Everyone has done the right thing. Transparency reigns, the truth is out and acknowledged and the problem attended to. The aftermath is being dealt with by those affected and will soon be past. This is not the first or last time this happened.

    Thanks Darren

    Alexander Irving

  33. Kyle says:

    Security breaches happen. There is no such thing as a 100% secure system. Period. It’s just a part of life on the interwebs.

  34. Thanks Darren… We use infusionsoft for our business.. (been using for nearly a year) and very happy with the service, product, and team are extraordinary… (Guys like Frank Kern, Bill Glazer, Dan Kennedy, Matt Bacak etc. all use this product..)

    Aweber has helped make ALOT of $ for people, so while I believe they have a PR nightmare at present, they should be forgiven for this mishap…

    Warm holiday greetings to ALL,
    Brian-

  35. Ruth says:

    I am confused. Aweber announced that ONLY email addresses were taken, no other information and that the system to send spam emails was NOT Aweber, but their own software.

    So, how is it possible that your list connects these spam with you, if no identifying info to Aweber, or you would be in the emails??

    Just curious what is going on…

    Thanks, Ruth

  36. Good question, Ruth. A lot of us give unique e-mail addresses to mailing lists, either because we want to sort the incoming mail automatically as it arrives, or because we don’t completely trust the mailing list and want to see if it’s going to SPAM us (and, if it does, we will turn off the address and block the incoming mail from it).

    It’s like the old trick of submitting rebates or such with a different middle initial; if the only people who know me as “Eric Z. Larson” are the folks at Acme Corp. to whom I sent a rebate, and all of a sudden I start getting auto-parts catalogs sent to Eric Z. Larson, then I know that Acme Corp. sold my address to auto-parts companies.

    It’s not an incredibly common practice, sure, but there are enough people out there who know the tricks of unique addressing (especially those of us who own our own domains) that it is indeed possible to see who’s SPAMming (or whose databases have been hacked).

    The latter point is an interesting one; I’ve seen unrelated SPAM (ranging from useless to vile) coming from at least two legitimate (albeit small) companies from whom I’ve purchased products over the years. Obviously, something happened to their database the same way it happened to Aweber. I’ve turned off those addresses and chalk it up to life on the internet… because those companies don’t pretend to be “professionals” in the e-mail business. (But Aweber did claim that very thing, and was far from transparent when this story first broke.)

    Anyway, I digress. :) That’s how your subscribers make the connection to your list: If they give you an address that they didn’t give to anyone else on the planet, and that address suddenly starts getting SPAMmed, you’re going to get blamed.

  37. Bradley says:

    You’ve always been up front, Darren, and continue to show your honesty.

    Unless we delve into the depths of a product or service (e.g. raw code), our knowledge and experience that lends to our recommendation can never be totally complete. Yes, we feel like we have let down our friends, known and unknown. Friendships and working relationships are based on trust, honesty and knowing that there is no ill intention.

    Each of us still have a responsibility and the ability to go further in research if we truly want to know that a product or service is ‘completely’ secure. But we can’t stand guard on each and every one 24hrs/day.

    Evaluate. Make Changes. Move On.

    Thanks, Darren, for being honest and a good friend even if we don’t personally know each other. I remain SUBSCRIBED!

  38. Handicapper says:

    Well, it is a fact of our modern life: whatever goes into a computer can be extracted — and, not always by the people you trust…

    My concern is that as systems/databases become larger, and store more kinds of info about you, what is the potential harmful effect if it is “compromised!” In this case, not much.

    Some of the “knee-jerk” unsubscribe actions are no lose… they were probably looking for a reason before the spam! As long as the responsible weakness has been identified and corrective action taken, ALL IS WELL again. 8-)

  39. Big company, big responsibility.

  40. Homespunspa says:

    I have been meaning to add aweber’s services to my blog for the last couple of weeks but have been procrastinating. I guess sometimes procrastinating actually pays off :>. When would be a good time to sign up and start my list — should I wait until all of this security stuff has passed or has it all been taken care of already?

  41. I think these days we all have to accept that e-mail addresses get compromised.

    Best to have disposable webmail addresses for newsletters etc, which is what I do.

    I won’t be unsubscribing from Problogger and I won’t be moving my business away from Aweber.

  42. Shaun O'Reilly says:

    I think that AWeber have handled this pretty well, but certainly not excellently.

    Yes – they owned up to the source of the problem. That’s admirable.

    Yes – they posted a detailed blog post going into the specifics about how it happened and what was being done to prevent
    further issues. Great.

    However, where they completely missed the ball was in actually empathizing with the IMPACT this admittedly inadvertant slip-up
    has caused their customers and the subscribers of their customers.

    I got the AWeber announcement within minutes of it being posted on Twitter. The original blog post didn’t even have an
    apology on it at all – no ‘sorry’ (the lame ‘We’re sorry’ was only added later).

    However, in their defence I guess that they had 1001 fires to put out then (and now) at AWeber so they likely weren’t thinking
    fully straight at the time.

    Sorry doesn’t cut it. So what does?

    Empathy.

    Let me dimensionalize the impact this AWeber faux pas has had on me and likely to some of my subscribers as well.

    For years I’ve had a 100% spam-free private e-mail address that is now receiving not just spam, but foul pornographic spam.

    I used to have peace of mind that I could open up my private e-mails and no spam would be present.

    That’s now gone.

    My vital business and previously spam free e-mail addresses of [email protected], [email protected], etc are now receiving
    the same pharam spam.

    Before this issue, I knew that if my iPhone beeped, either an order had just come in or a valued customer required support.

    Now that’s gone too.

    I can’t terminate these vital business e-mails without major disruption in the interim.

    My GMail addresses are also getting spam too.

    Comprende now AWeber?

    Can you see how AWeber’s blog apology of ‘We’re very sorry this occurred and may have affected you.’ is almost completely
    inadequate?

    If there’s a real issue – address it. Don’t shine over it with inane one liners.

    In addition to lacking empathy, AWeber’s response time to the issue was too long. Note that I was not expecting a definitive
    answer within minutes, but I was expecting a Blog or Twitter post on Friday/Saturday saying that they were aware there was
    a problem – somewhere – and they were taking their time to thoroughly investigate the root of the problem to see if they
    were even the source.

    Making the correct diagnosis on Monday was great. But not acknowledging a problem existed in the meantime was not a
    good idea from a customer relationship point of view.

    So, more communication so customers don’t feel in the lurch whilst the issue is being investigated and dealt with.

    A simple ‘We’ve heard there could be a problem. We don’t know if we’re even the source. We’ll report back as soon as
    we know.’

    (That’s 140 characters and could fit on a Tweet!).

    Here’s what else AWeber could have done but as yet have not.

    They could have proposed some potential solutions that their customers could implement to deal with the spam that AWeber’s
    inadvertent system lapse has caused.

    Yes the spam horse has bolted but there are ways of dealing with it.

    Admit the problem – yes. But also point to useful solutions for customers too.

    (As a former engineer, I’m decent at problem identification but I’m also obsessed with the more important part of actually
    finding solutions).

    For example, here’s ONE potential solution that I’m testing to clean my own inbox of the pharma spam from this issue…

    (It’s worked with one of my forwarding e-mail addresses so I’ll transfer the others over today).

    GMail seems to be very effective at picking up the spam and consigning it to their spam folder. Luckily, the current spam is
    so blatant that it’s all getting filtered by GMail into spam automatically – so far.

    Therefore, I’ve created a unique GMail account to ‘wash’ the mail.

    Here’s specifically what I’m doing:

    1. Forward E-mails from My Domains to GMail

    I’m forwarding all of my own domain e-mails to the newly created GMail account. This ensures that the current spam gets filtered
    into the GMail spam folder.

    2. Forward E-mails from GMail to Unique Domain E-mail

    I’ve now created a unique e-mail address on my domain and all of the cleaned e-mails are being forwarded from GMail to my
    new e-mail account.

    So, the process is:

    All Email -> Forward to GMail -> Forward to Unique Domain E-mail

    Result: Cleaned up inbox once it gets to my end.

    Sure it’s not ideal because I’m now relying on GMail in the process of getting my own e-mail but it’s working for the blatant spam
    for now. This way, I don’t get to see the filthy spam (unless I go looking into my Gmail ‘washing’ account).

    So, why couldn’t AWeber have suggested something like this?

    Understandably too busy at the moment.

    I began moving my lists over to Infusionsoft back in April and the transfer was fully completed around 2 weeks ago before this
    AWeber issue even came up.

    Ironically, AWeber is probably now one of the safest places to have your list from now on as I’m sure that they’ll be hyper-paranoid from
    here and will have multiple systems in place to make sure that the locks are never off their doors again.

    This could have happened to any third party autoresponder service.

    Remember, that the spammers only have to be lucky ONCE and the service providers have to be luck ALL THE TIME.

    I hope this post is helpful for you.

    Dedicated to your success,

    *Shaun O’Reilly

  43. rob ognome says:

    I have compartmentalized my subscriptions so I know the problem extends beyond just aweber. I have been receiving the exact same spam messages thru email aliases registered with other autoresponder services.

    Infusionsoft being one that I have confirmed.

    I suspect all these service make use of some a common 3rd party product, which is what aweber is blaming for the breach.

  44. M.A. Romero says:

    @Paul Thanks for the insight. We signed up for Aweber but left after three days. Their support was terrible but this may be due to their current state of trying to batten down the hatches.

    You need to manually cut and paste your list and my browser was crashing when we tried to do 500 or more. And you need to type out the same silly message over and over about the list details every time you cut and past.

    We asked about having them do the list upload and got a boilerplate response like a day and a half later about cutting and pasting which we were already trying to do.

    In my view Aweber gives us the sense of being more geared towards folks peddling ebooks, information reports, etc.

    We went with iContact which has a discount ending today and so far great.

    These folks have their own survey built in. Aweber uses a jury-rigged solution patched into another software that is clumsy in my view. Finally Aweber’s security breach and the way they handled it sealed our decision to stay away.

    We checked out GetResponse but their terse support messages which we were able to dig up turned us off.

    MailChimp looks good but the name just does not ring a dignified tone for a well established business ;o)

  45. Kevin says:

    Is it possible for me as a subscriber to go into Aweber and update my email address?