Campaign Monitor attacked by hackers, some accounts compromised
This is horrible news to have to release, but unfortunately Campaign Monitor has been attacked by one or more hackers, and some of your accounts have been compromised. This has been a deliberate, planned and complex intrusion and we are still in the process of handling the hacks and the impact.
Our own team, as well as external security experts, database experts and hosting providers have been working around the clock since we became aware of what was happening. At this stage, we are still investigating exactly what happened and how, but we wanted to let you know everything we know as soon as possible.
On behalf of the whole Campaign Monitor team I want to say we are completely aware of the enormous disaster this is for anyone impacted, and their clients, and we are doing everything in our power to detect and prevent any further intrusions. Yesterday's outage was related to some security changes we made as part of this process.
The following is the information we've been able to gather to this point, and what we are doing about it. If we have detected that your account was specifically accessed, we've also contacted you directly via your main account email. For obvious reasons, we can't reveal too much about the details of how this happened.
When did this occur?
The main attack took place over this weekend, for a few hours on Saturday and Sunday and continuing into this week.
We have up until now been gathering information so that we can contact you with accurate details, and also making sure we were stopping ongoing problems. We did not want to give you incomplete or misleading information. Right now we are still finding out more, but it is important you are all aware of the situation.
How did they get access?
We are still actively working to get full detail on this, but essentially one of our servers was compromised, and that gave the hacker enough access to be able to get into a few customer accounts. We now know more, but don't want to publish any details as you can understand.
What did they do with that access?
In several cases, the hacker imported their own lists, and managed to send spam to those lists and in some cases the lists already in the account.
We are still investigating the details in this area to determine the exact actions taken in each case. Unfortunately this is a time-consuming process. We understand you will be worried about your own, and your clients', data, and we are concentrating on that area to find out what was touched. Again, we have directly contacted customers where we definitely know subscriber lists were accessed.
Has this been fixed?
We're still making further changes, but we have immediately locked down all of our systems to an absolute minimum level of access. We've also put in place a variety of extra manual and automated checks so we can detect and prevent further deliberate hacks and spam attempts. In these situations, we can know for sure that we've closed specific methods, but not whether another attack is coming.
As well as our internal staff we have server and security specialists working with us to detect any other methods that may be used and defend against them. We also have a professional security audit in progress by an independent firm.
What happens from here?
In the short term, we will just be working long hours as we monitor, track and investigate this. As we know more, we will keep you up to date.
Ongoing, we'll be making whatever security changes are needed to make Campaign Monitor even harder to access, based on what we have learned and the outcome of the security audit and training.
One major issue arising will be temporary blacklistings because of the spam that did get out before we could catch it, and as they pop up our team will be working on getting them lifted.
All the evidence points to this being a highly intense, deliberate and planned attack intended to gain access to Campaign Monitor data and to send spam emails. We are committed to stopping this ever being able to happen again, and again apologize for the major let down.
We have emailed all account owners with this same information and we will continue to let you know any other relevant details.
FAQs from the comments
Have you contacted the people who had their account accessed?
Yes, we have emailed them individually. If we uncover any further accounts, we'll contact them too.
Was my password compromised and should I change it?
Unless we have emailed you individually (as above) then we do not believe your password was compromised. However, if you choose you can change your password in your account settings. See some tips for creating a good password.
Should I still send my large campaign?
We do expect that there will be blacklisting from the spam that got out, and it can take a while for blacklist operators to remove addresses. So if you can hold off on large sends, that will reduce your risk of bounced emails. So far deliverability is fine, but we'd like to give you and your clients fair warning.
What about credit card information?
We do in some cases store credit cards on our servers. However, they are always stored in encrypted form, and the application never displays them in clear text. We have no indication or evidence to date that credit cards even in their encrypted forms were accessed at all.
Posted in: Observations & Answers
203 Comments
Dave Calleja
August 11, 2009 1:38pm
Thanks for the info guys, as it stands should we hold of on large sends?
Douglas Neiner
August 11, 2009 1:39pm
Guys, I am really sorry for you this happened. Thanks for informing us, and please keep us updated as you said. That sounds like an app developer’s absolute worst nightmare… I shudder to think of this happening to one of my sites. Wish you the best in fixing it… and I sincerely hope you catch the hackers that gained access… that would be uber-cool. We can have a major Twitter bashing of them ;)
Christy Kilgore
August 11, 2009 1:41pm
It sucks that this happened, but no one can accuse your team of not making a best effort to fix it. Thanks for your hard work.
Mathew Patterson
August 11, 2009 1:53pm
Thanks for the support guys and girls.
@Dave if you can hold off on very large sends, it might be sensible because we may see some temporary blacklistings coming up in the next couple of days.
Brad
August 11, 2009 2:00pm
Yes! Much appreciation for the update, guys. Thank you… and hang in there.
James (from a CM client)
August 11, 2009 2:00pm
Bad news for you and your clients, but thank you for your honesty - people really do recognise and appreciate it and it will minimise the fallout. Please keep up the transparency.
Dave Calleja
August 11, 2009 2:12pm
Thanks Matt, good luck getting it all sorted out.
Craig
August 11, 2009 2:12pm
Hope you didn’t pull a Twitter and have a server password of ‘password’.
:P
Mathew Patterson
August 11, 2009 2:26pm
@craig - Definitely not the issue here!
Mark Park
August 11, 2009 3:25pm
Well handled. Thanks for being straight up about it.
Maxine Sherrin
August 11, 2009 3:25pm
Your blog post should be used as a textbook example of openness and honesty and delivering difficult news. All the best at a difficult time.
TK
August 11, 2009 3:27pm
Will you be notifying the account holders, whose accounts were breached?
Ashul Shah
August 11, 2009 3:27pm
Thanks for the heads-up - really appreciate your honesty and transparency.
Damien Buckley
August 11, 2009 3:28pm
Absolute confidence in you guys to sort this out - go get ’em
OE Design
August 11, 2009 3:28pm
Thanks for the update. This stuff happens and we all learn from our mistakes I guess. You guys rock and look forward to getting things up and running again! keep up the good work! We appreciate your efforts!
Mathew Patterson
August 11, 2009 3:28pm
@TK Yes, we’ve already done so (I mentioned that in the post too). If we discover more, we’ll contact them too.
@Maxine, Mark and others - we appreciate your support, it means a lot.
Doug
August 11, 2009 3:31pm
string em up by the bollix
Ron
August 11, 2009 3:33pm
I must say I am very impressed with your transparency. Even bad news such as this does nothing but further showcase your customer relations skills. Every software has potential of such intrusion. What matters is the action you take when faced with such situations. Best of luck with the cleanup.
Vignesh Ganesan
August 11, 2009 3:33pm
Thanks for the info guys.
In continuation of the fine example set by Campaign Monitor, should we also be looking at sending out “sorry for the inconvenience, account was hacked” emails to our clients’ subscribers? Of course, once more information is available. Was just wondering what standard practise/etiquette was on such matters…
Thanks,
Vignesh.
Scott Jacques
August 11, 2009 3:36pm
Maybe I missed it (looking for actions for us to take) but is there any reason we should admin or client passwords? Thx
Scott Jacques
August 11, 2009 3:38pm
Sorry meant to say “Reset or update admin or client passwords”.
Zac
August 11, 2009 3:38pm
I guess the old saying comes to mind: it’s not the problems you face, but how you handle them.
You guys are handling this situation (one we all dread) perfectly: transparent, honest and focused on the resolution.
We’re behind you during this difficult period.
Adam
August 11, 2009 3:39pm
What a horrible thing to happen. Well done on the response.
Re: Holding off on large sends - what about small sends (~500)? Should we still hold off?
James Beattie
August 11, 2009 3:43pm
We appreciate your honesty and transparency, but this still dents our confidence in your product.
wheelyweb
August 11, 2009 3:43pm
Have you already contacted all suspected breached accounts?
Evren İnanç
August 11, 2009 3:45pm
Sorry to hear, s..t happens.
Afraid to ask but anything related to our credit cards compromised?
Adria Richards, ButYoureAGirl.com
August 11, 2009 3:46pm
Campaign Monitor folks,
your transparency on the issues is soooooo appreciated. Thank you for being open and honest about this incident vs trying to hid it.
Julia
August 11, 2009 3:48pm
Off with their heads!
Regarding waiting to send larger campaigns, any idea how long we should wait for the blacklisting to be sorted out? I’ve got another campaign that’s supposed to go this week.
Thanks and good luck. You guys are the best!
Julia
August 11, 2009 3:49pm
Just to clarify: I was referring to the hackers’ heads.
;-]
Jamie Appleseed
August 11, 2009 3:51pm
@Evren, Campaign Monitor is in all likelihood using a provider like Authorize.net, meaning they don’t store the credit card information themselves (or only 4 digits of it), so hackers won’t be able to get hold of this information. It’s only if CM is storing the credit card information themselves that we should be worried.
I wrote CM letting them know that it might be a good idea to write about this explicitly, as credit card details are a major concern, and it’s mostly people who’ve looked into implementing online payment solutions who know how this technically works (storing cc information off-site).
But yeah, Mathew, or someone else, can probably confirm this or explain in further details.
mark
August 11, 2009 3:51pm
Thanks Matt,
We all spend far too much time fending off evil instead of improving…have you notified our clients under our account?
Mark
Nick Lazar
August 11, 2009 3:51pm
I have complete confidence that you will lock this down & get your service back on track. You have, by far, the best emarketing offering & customer service out there!
Hope you catch the tossers that broke in.
Nick.
Andrew Howard
August 11, 2009 3:52pm
Keep your chin up and thanks for keeping us informed
touhey
August 11, 2009 3:54pm
w/Evren, what about Credit Card information?
Ray Grieselhuber
August 11, 2009 3:56pm
@James understandable but not really fair. There is always a way for someone to get in if they really want to. It’s part of the price we pay for the convenience of services like Campaign Monitor. I wouldn’t say this about a service that wasn’t run by the obvious top notch people here.
At the end of the day, there is only so much you can do and there is always someone out there with more time and resources on their hands.
Craig Mannino
August 11, 2009 3:56pm
thanks for the honesty! as said above should we change any admin passwords or our clients passwords that have access?
StuartN
August 11, 2009 3:57pm
Are our credit card details safe?
Zos
August 11, 2009 4:01pm
To echo the sentiments, we really appreciate the openness and speed of your communication. Thanks and all the best.
innercircle
August 11, 2009 4:07pm
Have credit card details been breached?
How do we know if our confidential mailing list has been accessed?
How do we know if they have used our account?
Ed
August 11, 2009 4:08pm
Your service and honesty is why you have us all as customers. Things go wrong from time to time, it is how you handle it that matters. Good work guys.
DW Ferrell
August 11, 2009 4:09pm
Over the last 2 weeks we’ve had several of our client’s FTP accounts hacked, and the only thread is that they are using Campaignmonitor for email list signups and blasts. Is it possible that these issues are related?
Mike
August 11, 2009 4:13pm
Last time i set the root password to… “password”
Chris Adkins
August 11, 2009 4:13pm
Thanks for your honesty.
I’ve been using CM for over 3 years at various companies and you guys have always been top notch for customer service.
Chemical Castration for all spammers!
Good luck with everything
Mathew Patterson
August 11, 2009 4:16pm
@DW Ferrell - There isn’t anything at all in a Campaign Monitor account that would help with hacking FTP servers, so that would be unrelated.
Sam
August 11, 2009 4:17pm
If my client’s subscriber lists have been stolen, then to be honest I’m not sweating it too much. Let’s face it, everyone gets a ton of spam and a few more messages won’t really kill anyone.
However I’d like to know the answers to the same 3 questions that innercircle posted:
- Have credit card details been breached?
- How do we know if our confidential mailing list has been accessed?
- How do we know if they have used our account?
David Roessli
August 11, 2009 4:18pm
Thanks for the info and transparency.
Best of luck sorting it all out - I know how it feels..
Mathew Patterson
August 11, 2009 4:20pm
@Sam I’ve added answers to the post, but we will let you know if there is any indication your account was accessed
Jellyfish458
August 11, 2009 4:31pm
Textbook management of an issue.
We are all intelligent people and understand that any site is a potential target.
By updating us with relevant and detailed (where allowed) information you have treated us with a level of respect as well.
I know of other campaign sites that just shut down ALL information until it is sorted.
Your openness only fills me with confidence.
Thank you for your confidence in us being able to respond to this issue intelligently.
As for the hackers, the glass rod treatment I think!
TwoSocks
August 11, 2009 4:35pm
As already stated, I appreciate the openness!
Lao Watson-Smith
August 11, 2009 4:49pm
Bad news for you and some of your customers, but I would just like to say a big thank you for being so open and frank about it. Your transparency and excellent communication on this issue is to be commended, and it in fact reinforces my own confidence in your company. Kudos, guys!