Email Subscriber Data Accessed; What We’re Doing About It

Tuesday, October 19, 2010

Over the weekend, AWeber was the target of a deliberate and successful attempt to mine email addresses.

On Saturday, October 16th, an unknown person gained unauthorized access to databases containing email subscriber information.

This incident appears to be part of a broader series of similar successful attacks on a number of email service providers (ESPs).

To learn more about what happened and what we’re doing about it, please read on.

What Information Was Compromised?

A download of subscribers’ email addresses was initiated.

While we can’t tell whether it completed successfully, we have to assume that it did.

It’s also important in a situation like this to take stock of what information was not accessed.

The attackers did not gain access to credit card numbers, customers’ email or postal addresses, affiliates’ tax IDs or any other contact information about AWeber customers or affiliates.

What Does AWeber Do To Protect Your Data? What About This Incident?

On a daily basis, a few thousand attempts are made to attack AWeber. This sounds like a lot (and it is), but it’s no different at any other sizable web-based application.

We use a combination of in-house and third-party security solutions to scan our network for possible “holes” in security, and to monitor, block and analyze the many attempts made to gain unauthorized access to AWeber. On the whole, these solutions are very good at what they do and this approach serves us well. Unfortunately, both the in-house and third-party solutions failed to detect or stop this particular attack.

We became aware of the incident on Monday, October 18th and immediately began an investigation to identify and close the vulnerability that was exploited. We closed the vulnerability promptly and are now analyzing why neither our in-house nor outsourced security solutions identified it before the incident occurred.

We continue to invest significant resources into enhancing our current security and implementing new security measures to combat future attacks. We are also working with other ESPs who have been similarly attacked to share knowledge and better secure the email marketing industry as a whole.

Questions? Please Contact Us.

Those wishing to reach us with specific questions regarding this attack are encouraged to call our Customer Solutions Team, who will immediately address your concerns.

US Phone: 877-AWEBER-1
International Phone: +1 215-825-2196

We’re Sorry

I – and all of us at AWeber – understand that trust is hard to come by online, not only for us, but for you as well.

Your subscribers trust you with their email address, and trust that you will treat that address and their permission to be emailed with the utmost care. While most of them will not notice any changes to their inboxes as a result of this incident, we take that trust, and what has happened, seriously.

We take all the measures we can to protect your account (some of those are discussed above), and I’m sorry that this incident occurred.

Remorsefully,
Tom Kulzer
CEO & Founder
AWeber Communications