Has Aweber Been Compromised? Reports of Spam Going to Aweber Lists

Posted By Darren Rowse 20th of December 2009 ProBlogger Site News 0 Comments

Updated: this post has been updated – twice.

I don’t want to cause alarm on this but today I’ve had emails from 11 subscribers to two of my different email lists that I administrate at Aweber complaining that they’ve been inundated with pharmaceutical spam. In each case the subscribers have set up email addresses especially for my newsletters which they use for no other purposes.

In each case they’re complaining of getting the same types of emails – up to 20 of them in a few hours.

At first I thought perhaps my account had been compromised – but I began to do some investigating and am beginning to see some others talk about the same problem. For example @planetmike tweeted about a similar problem here.

I’m not sure if he’s talking about my newsletters – that’s a possibility.

Further searching in a few webmaster forums turns up similar discussions.

Webmaster World – “Today I got pharma/ED spam to various of those unique addresses. After a little research, I found the common thread: The companies I gave those addresses to use AWeber’s services. (AWeber provides mailing list services to businesses, e.g. sending newsletters to a company’s customers.)”

WarriorForum – “Today I am getting deluged with spam to addresses that are on aWeber lists, including a couple of email addresses that have ONLY been given to aWeber.”

From another user in the WarriorForum – “I’ve been having EXACTLY the same issue.

I have some test e-mail addresses that I ONLY use within AWeber and just today I’ve started receiving lots of spam to them.

These are e-mail addresses across multiple domains including my own and others such as GMail, etc.

These e-mails are only housed within AWeber so I know that the problem is somewhere within their systems.”

AWeber takes our security measures very strongly and employs tested technologies and measures to make sure that our system is not compromised. After receiving your email our team went through an exhaustive list of checks just to make sure that there are no indications that connect this spam message you received to an issue with AWeber. All of our tests have come back secure with no reports of intrusion or compromise.

Also note that after looking at the spam message in question we see that members of our teams have also received this same message to their personal addresses that have never been used in conjunction with AWeber.

We’ll continue to monitor our system. And of course if you have any further questions, please feel free to let me know.

I’m hesitant to make a call that Aweber has been compromised (I know they wouldn’t have played a part in this, they’re reputable and it’d be business suicide for them to be caught at that) – perhaps it’s a problem with some email service provider (although from the emails I’ve received it’s impacting people who subscribe with a variety of email providers) but something does seem to be wrong here.

I’ve got emails into Aweber and will update you with their response.

In the meantime – if you have received this spam and you’re on the ProBlogger newsletter list (as some are reporting) I sincerely apologise and hope we can get to the bottom of it.

PS: I’ve sat on this story for 18 hours hoping to get a response from Aweber but it seems that their support don’t work weekends (I’m actually a bit surprised that they don’t seem to have put any response on their blog or Twitter account as I’m now seeing more and more buzz about it in forums and on Twitter). I’ve since had another 10 or so angry complaints from readers and have seen the same thing happening for another list I have on a separate account which I use to promote the ProBlogger Book with Chris Garrett. That account is completely separate to my Aweber account and I don’t even have access to the password of it meaning that it’s not just my Aweber subscribers who are being hit.

Again – this could be a wider issue than just Aweber – perhaps some spammer is using some kind of system to target a whole lot of random email addresses – but it does seem that perhaps it’s somehow more centred around Aweber. Time will tell.

I don’t like to post this as I really love Aweber as a service (they’ve been brilliant since I switched to them) – but because readers seem to be unsubscribing and blaming me for it I wanted to make sure word was out that there may have been a problem.

I’d love to get comments from anyone who has similar experience with this in the last few days. Are your lists complaining of spam at the moment too? Hopefully in getting people’s experiences we’ll be able to help Aweber get to the bottom of what’s happening.

Update: Within half an hour of posting this Aweber got in touch. They’re not ready to make a public statement on this but are happy for me to pass on that they’re aware of it and are “doing extensive investigations into any possible issues.”

From what I can tell they’re collecting lots of data – perhaps if you have any specific data from those in your lists including header information of spam emails it could be worth emailing Aweber to let them know of your problem and any data that you have. I’d suspect that specific information would be helpful to them.

Update 2: Aweber have now made a statement about the compromise of data from their system. You can read my initial reactions to that here.

About Darren Rowse
Darren Rowse is the founder and editor of ProBlogger Blog Tips and Digital Photography School. Learn more about him here and connect with him on Twitter, Facebook and LinkedIn.
Comments
  1. I’m having this same issue! A subscriber complained about it. He’s using an email address that is solely for my list.

    I’m also getting the same spam to my email address that I only use for list emails (including other lists that are run by Aweber.) Please keep us posted on this.

    -Erica

  2. Hey Darren,

    I am subscribed to your mailing lists and have not received any spam from them at all. If there is some kind of breach I think it might be very small.

    Hopefully that helps ease your concerns a little.

    Cheers,
    Kris

  3. I have noticed an increase in this type of spam today and could not figure out why… It seems like Aweber could be the reason. If Aweber has been compromised I wonder to what extent. This could really be a big blow to Aweber or any email service, hopefully it’s fixed with no additional harm done!

  4. Eesh.

    I hope this is not a problem with their system, and it is strange that they are not getting back to you about it. Might need to cut them some slack on the response time because the east coast of the USA has been literally shut down because of the storm (but ever heard of VPN??).

    I (as with many others who follow you) have used them and trust that they will not give “canned” answers like that. I hope they respond ASAP and will monitor this on my site(s) too.

    Thanks for getting the word out!

    – mike vizdos

  5. I’m subscribed to both here and DPS at the same address and my (normally fairly inactive) spam folder has caught 10 pharmaceutical spams over the last few days (and one other type that I would assume isn’t related). Hope this is fixed up soon for you and other Aweber users :)

  6. Haha, I just signed up to Aweber but I have no client email addresses yet so hopefully it will all get sorted out.

    thanks for the post and info! sorry to hear about this for you, we all know you are trustworthy!

  7. I am subscribed to various newsletters, and I’ve noticed quite a bit more spam than usual, lately. Perhaps it’s because of the same issue you’re having.

  8. Funny you mention this! I’ve in the last few days seen three mails land in my main inbox for pharma related offers. It’s been quite a while since I’ve seen spam bypass my filter.

    Are the complaints coming from Australian residents only? My provider is bigpond, perhaps it’s there? I’ve just set up a brand new email to subscribe to your newsletter and will watch for spam.

    I use AWeber too and love them, I haven’t received any complaints from subscribers yet.

  9. I have seen no complaints from my list of 10k people on Aweber list in 3 different accounts till now but let’s see if it’s the case with some geography or complete Aweber lists.

  10. No complaints of spam to my own AWeber list, and no extra spam received today, in spite of being subscribed to yours. As you say, AWeber’s a reputable outfit, and Bucks County, PA, where AWeber is located, is under a whole lot of snow today. Not much work getting done, except by folks with plows.

  11. I’ve received an increase in pharmacy spam on one of my accounts, but another email of mine on the same list has received none.

  12. My lists have not complained, but I’ve personally received hundreds of spam emails in the last couple of days, ALL to email addresses used solely for subscribing to Aweber-powered mailing lists. I’m not receiving them to randomly generated email addresses (bob@, david@, support@, etc.) but specifically to email addresses I’ve submitted to mailing lists via Aweber’s subscription forms.

    It’s coming to so many addresses, on so many different marketers’ email lists, that my only conclusion is that Aweber has indeed been compromised, and spammers have gotten ahold of some unknown amount of email addresses from the Aweber system.

  13. What a surprise! Thank god, until now, I don’t receive any complaints from my subscribers. If I got any complaints I’ll redirect them to your post for further explanation.

    By the way, I didn’t receive any spam email from your aweber email or others aweber.

  14. AmateurBlogger says: 12/20/2009 at 2:35 pm

    I have several dozen unique test accounts in my Aweber system, designed to test whether broadcasts and autoresponders are set up properly.

    Sadly, all of those email addresses (only used with Aweber) have been spammed.

    Losing faith in Aweber, between this and their meaning of “deliverability” [your emails can not appear in your subscribers’ inbox – being delivered to spam, or not delivered at all, and Aweber will still count this as “deliverability”]

  15. It’s to AWeber’s credit they take weekends off! They’re a well run company. More people should take weekends off. The world would be a better place.

    That being said, yeah, it would suck if they got compromised.

  16. I’ve seen a plethora of spam emails on several of my email lists, and this is totally unacceptable. I hope Aweber can get to the bottom of this, if it is indeed a breach of their services.

    Some of the emails have rather graphic pictures on them too. Not cool. Is this even worth the spammers’ effort? Seriously.

  17. Well, I just signed up for Aweber just 1 day back, and now this happens. I hope Aweber guys can track this out soon otherwise it will put a lot of bad credibility to their service which till now is very reputed.

  18. RobJones says: 12/20/2009 at 3:09 pm

    Re “I’d suspect that specific information would be helpful to them.”

    Nope. That won’t help them at all.
    I can prove with 100% certainty that the spammers got the emails *directly* from Aweber’s data base:
    http://www.warriorforum.com/main-internet-marketing-discussion-forum/157493-thank-you-aweber-exposing-all-my-email-addresses-spammers-thank-you-so-much.html

  19. I’ve been getting those emails as well and I didn’t have a clue where they were coming from. Now I know. Thanks.

  20. Darren,

    Same thing here. Email address only used for my newsletter and got pharma spam. I sent an inquiry to Aweber, but haven’t heard back yet.

  21. same thing here sorry I quit your newsletter .. I hate to download spam on my blackberry…. grrr…

    aweber had a lot of problems lately.. from links doesn’t work to many downtime….anyway …

  22. It’s one of the reasons why it’s always a good idea to subscribe to your own lists.

  23. Christopher says: 12/20/2009 at 6:07 pm

    It seems Aweber has been having a lot of problems, more and more email security companies are doing global blocks against Aweber. Many of the email security companies are flagging all aweber email as spam regardless of who’s list it is and what the content is about. This is creating a lot of problems for Aweber and its customers as deliverability has declined significantly lately.

  24. Hi Darren,

    I recently unsubscribed from your list not because of spam but because I was getting duplicate emails for the same posts. It happened twice so I had a pretty good idea that it was a glitch created by whatever automated service you are using. This also happened for another site (I can only assume they use Aweber also).

    Don’t we all want to get rid of spammers, hackers, cyber thieves? I have no clue what motivates them I just hope they get hacked one day too.

    I get your updates from Twitter so I realize that it was redundant to subscribe to you by email anyway.

    @Ileane

  25. To not make any public statement about this, when so many people have complained, is shoddy business practice. Yes, they should investigate, but even a simple post on their site would help.

    And I am very surprised to see a company that’s supposedly so big and widely used only have “standard” (EST) email support hours. Honestly, this isn’t the 19th century any more.

  26. I just checked my spam folder and yes, I am also getting a lot of pharma spam sent to special email addresses used when signing up to Aweber lists (eg blah+listname@mydomain).

    It’s multiple lists that have no relationship to each other, so either Aweber’s backend email database has been compromised, all those Aweber customers’ passwords have been compromised, or some other clever harvesting of addresses has gone on.

    I just hope I don’t lose subscribers over this. I’ve worked hard to get them.

  27. I got similar emails from subscribers Darren.

    In fact I was going to post the same “Was Aweber Compromised” post, but I saw you already did it so I’ll watch it over here.

  28. Interesting. Maybe it’s not Aweber at all. Maybe somehow Gmail got attacked? Or possibly a bunch of email addresses were sniffed at an Australian ISP? What are the common factors in the people who got spammed?

    Name
    ISP
    Email ISP
    Gmail user
    Aweber user
    Aweber subscriber
    State
    Have posted a comment to a blog and left a domain name
    Domain name registrar

    Who knows?

  29. Brian Kevin Johnston says: 12/20/2009 at 11:41 pm

    If anyone has interest in another service… we use infusionsoft and love it…. I trust all gets worked out, as I know aweber is a respected service.. Best, Brian-

  30. Ouch, hopefully they get this sorted out. I’ve been with aweber for over 2 years I think and never had a problem. I’m actually not getting more spam than usual ;).

  31. I don’t want to be that big anyway.

    My spamarrest account has a specific and private email address used only by me. In the past two weeks, that address is used by dingbats selling what I don’t want.

    Ray

  32. Yep same here, about 30 in the past few days, have aweber released a statement yet?

  33. If you decide to move to a new company can you post that. I have used aweber for years, but I’m not against switching if it means better service and security. I just did a data back-up of my lists just in case. Thanks for the update.

  34. Thanks Darren for this post, it helps somewhat to answer my questions of why did I start getting this stuff coming to one of my personal email addresses that has never been posted to a website. I use it only for special clients and it forwards to my Blackberry.

    A couple days ago I started getting several messages to it in my Outlook and my BB. I may have used it for 1 or 2 mailing lists. One list I know that I did was on Constant Contact and not Aweber. I ended up adding my email address to my Spam Arrest account to end the junk.

    I’ll be watching for your updates on this.

    Henry

  35. Well, luckily I am not affected, and as I don’t have a list yet, I am not getting any angry reports :).

    However, this made me worried about giving away my e-mail address, because if Aweber can get compromised, then there is some serious hole out there, making spammers able to use it.

  36. I think it is highly unlikely that this has anything to do with Aweber. You can open up an email account on any domain and eventually you will start getting this type of spam. These guys have harvesting programs which create and verify usernames on any domain. I have been getting these type of emails quite a bit lately on many different emails which have nothing to do with Aweber or you. I just set up filters. Here is what you should really worry about, getting this type of spam on your mobile phone! Coming soon! Watch out!

  37. I need to chime in as well. I’ve noticed the — past few weeks — strange emails signing up for my lists. Then many of these addresses either do not opt in, or unsubscribe within a day or two.

    However, I logged into my Aweber account just yesterday and noticed 35-40 signups from healthcare/ED addresses…all in the past 24 hours.

    This is extremely disappointing. I have been an Aweber user for nearly 5 years with no problems until now.

  38. I checked and haven’t gotten any spam at the address I use for the ProBlogger newsletter. Do you have multiple sub lists within Aweber that you could narrow it down to find a common thread from your users that have gotten it and those that haven’t? Maybe that would help a bit, unless those of us that haven’t received spam yet are just waiting in a queue somewhere. Stuff happens, it’s unfortunate but I think people should just take the precaution and update their compromised email addresses and leave it at that. Anything could have happened – I’m sure an irate employee at Aweber could have grabbed a bunch of lists and sold them for some major $$$. I think it’s too fishy to think that somehow all of these untouchable email addresses all the sudden got magically infiltrated.

  39. Glad to hear I am not alone ;-) I am receiving since a few days 30-50 spam emails via “unique” email addresses. First I was afraid that my own email account was compromised, but I could rule that one out. Hope Aweber gets this sorted out quickly, SY

  40. I get spam to email addresses only used for email lists like Aweber. Could not figure out how anyone got hold of those addresses but if they picked them up from Aweber there’s an explanation.

  41. Thing is, that those mails even made it through my Gmail Spam filter which is usually very tight.

  42. Hey Darren, Thanks for the post. I am getting all kinds of these emails and was wondering what in the world was going on. I appreciate you keeping us informed and hopefully this will be resolved soon.

  43. Hi Darren,

    Many thanks for your informative post. However, I have not received any spam from you. I think it might be a very small problem.

    Nick

  44. I think the most worrying aspect of this little incident is that it took a post on one of the most trafficked blogs to get them to respond at all. I can forgive the odd mistake here and there, we’re all human. What I can’t forgive is an unwillingness to put things right and to keep people informed. If this had happened to smaller customers of theirs, would there have been any response at all? I wonder…

  45. I’m getting these messages on multiple accounts. It’s not ProBlogger. HTH!

    ea/

  46. @Simon, the city where Aweber has its offices has been hit by a tremendous snowstorm, there is *nothing* happening there right now.

    I’m one of their “smaller customers” and I can tell you with 100% certainty that they would have taken this just as seriously from me. It’s going to be a tricky problem for them to figure out, and I don’t blame them a bit for taking their time to understand the problem before responding to it.

    No one takes spam as seriously as Aweber, I’m very concerned for them (and for my lists!), but if it is a problem on their end, I know it could have happened to anyone.

  47. I’ve not noticed any specific increase in SPAM lately and I subscribe to several Aweber mailing lists. I suspect the option you came up with that, “perhaps some spammer is using some kind of system to target a whole lot of random email addresses”. This does happen because I’ve seen CC lists with my name coming up alphabetically with other names as if the list was randomly generated.

    Still, I’m glad Aweber are looking into it and that you’re also taking a potential mailing list breach very seriously.

  48. It’s not spammers just getting lucky and guessing email addresses.

    If I received the spam on paul@mydomain I would agree with you, but I’m receiving spam at special addresses such as paul+testingxyzlist@mydomain that I had used only to test my own autoresponder series.

    Similarly I’m getting spam on paul+roadmap@mydomain which I used to sign up for one of Yaro Starak’s free reports.

    I’m certain those aren’t just lucky guesses by spammers hitting up common names.

  49. There’s no doubt there’s been an Aweber-specific breach. As part hobby, part job (web-analytics work), I’ve kept my eye on “get rich quick” websites for years and always give a unique e-mail address based off my own domain (in case this very thing happens).

    Yesterday, I received some pharmacy spam from “[email protected]” to seven Aweber accounts (out of the dozens of Aweber-based subscriptions I’ve had over the years), some of which are lists I still subscribe to and some of which I unsubscribed from months ago. Two are so old that they pre-date my use of Gmail for my personal domain mail so they’re not even in my archive.

    The Aweber situation isn’t a “coincidence” and it’s not “isolated,” but it’s not a breach of every Aweber subscription at all times, either.

    One unlikely possibility that leaves Aweber completely out of the loop is that there was a popular tool or site out there that was handling form submissions and then handing them to Aweber’s API — giving us a sort of retroactive “man in the middle” attack. That is, if a web site used a tool with an intermediary database that was storing e-mail addresses that were entered and passed to Aweber and -that- database became exposed, the symptoms we’re seeing now would be the same.

    But, to be blunt, I think it’s far more likely that someone got a hold of a chunk of Aweber’s database itself.

    In the unlikely event anyone cares, here’s a quick log I made as I was poking through the “monster4” SPAM I received, with company names edited to protect the innocent:

    siteflip_____ – Aweber – Original signup date: March 20, 2008 15:30 EDT
    smallreports_____ – Aweber – Original signup date before Oct 12, 2007
    teleseminar_____ – Aweber – Original signup date before Jun 13, 2007
    theaff_____ – Aweber – Original Signup date: September 6, 2008 17:50 EDT
    _____cd – no record in Gmail
    _____free – Aweber – Original Signup date: June 10, 2008 22:38 EDT
    trade_____ – no record in Gmail
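
The correlation several commenters describe (one tagged address per list, then checking which provider the spammed addresses have in common, and separating guessed addresses from submitted ones), as an added example that is not part of the original post or its comments. The registry, provider names, list names and headers are all constructed for illustration.

```python
from collections import defaultdict
from email.utils import parseaddr

# Constructed registry: every tagged address handed out, the list it was
# given to, and the mailing provider behind that list (all hypothetical).
REGISTRY = {
    "paul+roadmap@example.org":    ("free-report list", "provider-a"),
    "paul+testingxyz@example.org": ("own autoresponder test", "provider-a"),
    "paul+photo@example.org":      ("photo newsletter", "provider-a"),
    "paul+shop@example.org":       ("store receipts", "provider-b"),
    "paul+news@example.org":       ("news digest", "provider-c"),
    "paul+control@example.org":    ("never given out", "none"),
}

# Constructed To: headers copied from messages in a spam folder.
SPAM_TO_HEADERS = [
    "To: <paul+roadmap@example.org>",
    "To: Paul <PAUL+TestingXYZ@example.org>",
    "To: paul+roadmap@example.org",
    "To: support@example.org",   # never registered: a guessed address
]

def recipient(header_line):
    """Return the lower-cased address from a 'To:' header line."""
    _, _, value = header_line.partition(":")
    return parseaddr(value)[1].lower()

def correlate(registry, headers):
    """Count distinct spammed canaries per provider; list guessed addresses."""
    spammed = {recipient(h) for h in headers}
    stats = defaultdict(lambda: {"issued": 0, "spammed": 0})
    for addr, (_list_name, provider) in registry.items():
        stats[provider]["issued"] += 1
        if addr.lower() in spammed:
            stats[provider]["spammed"] += 1
    # Spam to addresses that were never issued is guessing, not a leak.
    guessed = sorted(spammed - {a.lower() for a in registry})
    return dict(stats), guessed

def common_thread(registry, headers):
    """Name the single provider whose canaries were hit, else None.

    Returns None when no canary was hit, when more than one provider is
    involved, or when the never-issued control address was hit (which
    points at the mailbox or domain rather than at a list provider).
    """
    stats, _ = correlate(registry, headers)
    hit = [p for p, s in stats.items() if s["spammed"]]
    if len(hit) != 1 or hit[0] == "none":
        return None
    return hit[0]

if __name__ == "__main__":
    stats, guessed = correlate(REGISTRY, SPAM_TO_HEADERS)
    for provider, s in sorted(stats.items()):
        print(f"{provider}: {s['spammed']}/{s['issued']} canaries spammed")
    print("guessed (unregistered) recipients:", guessed)
    print("common thread:", common_thread(REGISTRY, SPAM_TO_HEADERS))
```

A partial hit rate within one provider, with untouched canaries everywhere else, matches what this comment reports: not every subscription is affected, but every affected one shares the same provider.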

  50. Really timely news for me as I’ve just put together a Rock Music autoresponder sequence on Aweber. So I have just made sure I’m not tracking the click-throughs, until this issue’s resolved. Much appreciated info.