Have you ever heard of AWeber?
No? Chances are that you received email from them without knowing it.
You see, from large corporations to small bloggers, lots of people like to maintain a mailing list. Subscribers typically sign up through a “double opt-in” (you have to click a confirmation link in the first email, which proves that you control the address and really want the list) and then receive special offers, newsletters etc. Normally, that’s all legit, no spam involved at all.
But maintaining such a mailing list is not trivial. You have to set up the double opt-in process, a reliable way for people to unsubscribe or change their email address, a routine that removes addresses that bounce repeatedly, and CAN-SPAM compliance. You need servers that can reliably deliver thousands of emails without getting blocked, and maybe even a tracking system to find out who read your messages and who clicked on the links in them.
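The confirmation and unsubscribe links mentioned above are only as good as the token in them: if the link is guessable, anyone can subscribe or unsubscribe someone else. Below is an added example (not AWeber’s code or anything from this post) of how such a link token can be built: the email, the action and an issue time are signed with an HMAC, and verification rejects forged tokens, tokens for a different action (a “confirm” link must not work as an “unsubscribe” link) and expired ones. The secret and the 48-hour lifetime are assumptions for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed example secret; in practice this comes from a secret store.
SECRET = b"constructed-example-secret-replace-me"
# Assumed lifetime of a confirmation / unsubscribe link: 48 hours.
TOKEN_TTL = 48 * 3600


def _sign(payload: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the payload, hex-encoded for use in a URL."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def make_token(email: str, action: str, issued_at: Optional[int] = None,
               secret: bytes = SECRET) -> str:
    """Build the token for a confirm/unsubscribe link: base64(payload).hmac"""
    if issued_at is None:
        issued_at = int(time.time())
    # The email goes last so an address containing '|' still parses.
    payload = f"{action}|{issued_at}|{email}".encode()
    encoded = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return encoded + "." + _sign(payload, secret)


def verify_token(token: str, expected_action: str, now: Optional[int] = None,
                 secret: bytes = SECRET, ttl: int = TOKEN_TTL) -> Optional[str]:
    """Return the email the token authorises, or None if it is forged,
    meant for another action, expired or malformed."""
    if now is None:
        now = int(time.time())
    try:
        encoded, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))
    except ValueError:          # no '.', or bad base64 (binascii.Error is a ValueError)
        return None
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(_sign(payload, secret), sig):
        return None
    try:
        action, issued, email = payload.decode().split("|", 2)
        issued_at = int(issued)
    except ValueError:
        return None
    if action != expected_action:
        return None
    if not issued_at <= now <= issued_at + ttl:
        return None
    return email


if __name__ == "__main__":
    # Constructed subscriber for the demo.
    link_token = make_token("alice@example.com", "confirm")
    print("confirm link token:", link_token)
    print("verified as:", verify_token(link_token, "confirm"))
    print("same token as unsubscribe:", verify_token(link_token, "unsubscribe"))
```

Because the token is only a signature over data the server already knows, nothing has to be stored per link; the server regenerates the HMAC on every click. Any leak of the subscriber database still exposes the addresses, of course, but a stolen list does not let the thief mass-confirm or mass-unsubscribe people without the secret.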
It can be a lot of hassle and that’s where AWeber comes in. AWeber is a so-called Email Service Provider, or ESP – a company that manages mailing lists for others. According to their website, “over 80,000 businesses trust us to deliver their email marketing campaigns.” See now how likely it is that the newsletter from your car dealer actually came from AWeber?
You read the headline, so you already know what’s coming next. AWeber lost its database to hackers. And not just any database, the most valuable, the most sought-after, the holy grail of its databases – the subscriber list. To give you an idea of the magnitude of this breach, let’s assume that each of the 80,000 AWeber customers has on average 500 subscribers on their list, which seems reasonable as that is the lowest of their 6 service levels, the highest one covering over 25,000 subscribers. That would mean 40 million confirmed real email addresses are now in the wild!
Yes, your email address that you entrusted to a few of your favorite sites is now, along with millions of others, in the hands of spammers if even one of those sites happened to use AWeber. And they know what your interests are from the type of mailing lists you were subscribed to! If you haven’t already, you can expect all sorts of sleazy come-ons to fill your inbox soon.
What’s most outrageous about it, though, is that this is already the second time in less than a year that AWeber screwed up. When the same thing happened in December 2009, AWeber promised:
We have taken extra steps beyond fixing the problem to ensure that such a breach cannot occur again.
Yet here we are, 10 months later, with a sense of déjà vu. Let’s be clear about just how hollow AWeber’s reassurance was: “On Saturday, October 16th, an unknown person gained unauthorized access … We became aware of the incident on Monday”. What they are saying is that the hackers had the whole weekend to copy data as they pleased, undisturbed, as no AWeber tech would be monitoring things until Monday.
Let me get this straight: you’re hosting sensitive data for tens of thousands of businesses and millions of end users, your systems have been broken into before, and you admit “On a daily basis, a few thousand attempts are made to attack AWeber.” Yet you have no 24-hour watch, no one on call, no functioning intrusion detection system in place, and on Friday night you just go home to enjoy the weekend?
It doesn’t end there, I find AWeber’s handling of the aftermath appalling:
- The first time around, they tried to cover up the whole affair and only admitted to it after being called out by some of their customers, who had already discovered back then that, as one of them put it, “it seems that their support don’t work weekends”.
- After the first breach, they didn’t even apologize and added the lame “We’re Sorry” only later, after pressure from the blogosphere. The new incident now comes with a We’re Sorry right away, but then as now, they only apologize to their direct customers, not a word to the ones who now have to deal with a deluge of spam in their inbox – the list subscribers. AWeber leaves it up to their customers to deal with that PR nightmare. See Darren Rowse at the last link:
I’ve got over 333,000 subscribers who have potentially been receiving spam in the last few days. This makes me feel ill and embarrassed. I’ve fielded many many emails in the last few days from angry and confused readers. While not all will realize why they’re being spammed now some … have a damaged view of my brand (and some have unsubscribed).
- Interestingly, the blog posts admitting the two breaches have comments turned off. Seems like AWeber prefers not to face the reality of some very disappointed customers and angry subscribers.
- Boldly listing all the things that did not get accessed to downplay the severity of what did is disingenuous. Especially when you’re scraping the bottom of the barrel to come up with more stuff. You know what? The hackers/spammers probably didn’t care about affiliates’ tax IDs in the first place. Even a customer credit card can be canceled, but you can’t cancel the damage to that customer’s business reputation. Neither can you ever get back all the private email addresses that are now going to be freely traded among criminals.
You don’t hear much about this whole mess because AWeber has an affiliate program, and many pro bloggers in the marketing space, who would normally write about such things, make a good chunk of dough pushing this service. Of course they don’t want to bite the hand that feeds them. But if you run a mailing list, look into some alternatives to AWeber; your business reputation will thank you. Here are five that I heard good things about:
If you’re geek enough to try and manage the list completely on your own, there is a good free open-source solution: phpList.
And if you are a subscriber and use the anti-spam system explained on my homepage, you can simply turn off the affected email addresses and move on. If you don’t use such a system, I’m really sorry for you. Maybe it’s about time to start, it’s not that hard.
PS: I contacted AWeber to comment for this story but have not received a reply.