Campaign Monitor attacked by hackers, some accounts compromised

This is horrible news to have to release, but unfortunately Campaign Monitor has been attacked by one or more hackers, and some of your accounts have been compromised. This has been a deliberate, planned and complex intrusion and we are still in the process of handling the hacks and the impact.

Our own team, as well as external security experts, database experts and hosting providers have been working around the clock since we became aware of what was happening. At this stage, we are still investigating exactly what happened and how, but we wanted to let you know everything we know as soon as possible.

On behalf of the whole Campaign Monitor team I want to say we are completely aware of the enormous disaster this is for anyone impacted, and their clients, and we are doing everything in our power to detect and prevent any further intrusions. Yesterday’s outage was related to some security changes we made as part of this process.

The following is the information we’ve been able to gather to this point, and what we are doing about it. If we have detected that your account was specifically accessed, we’ve also contacted you directly via your main account email. For obvious reasons, we can’t reveal too much about the details of how this happened.

When did this occur?

The main attack took place over this weekend, for a few hours on each of Saturday and Sunday, and has continued into this week.

Until now we have been gathering information so that we could contact you with accurate details, and making sure we were stopping ongoing problems. We did not want to give you incomplete or misleading information. Right now we are still finding out more, but it is important you are all aware of the situation.

How did they get access?

We are still actively working to get full detail on this, but essentially one of our servers was compromised, and that gave the hacker enough access to be able to get into a few customer accounts. We now know more, but don’t want to publish any details as you can understand.

What did they do with that access?

In several cases, the hacker imported their own lists, and managed to send spam to those lists and in some cases the lists already in the account.

We are still investigating the details in this area to determine the exact actions taken in each case. This is a time consuming process unfortunately. We understand you will be worried about your own, and your client’s data, and we are concentrating on that area to find out what was touched. Again, we have directly contacted customers where we definitely know subscriber lists were accessed.

Has this been fixed?

We’re still making further changes, but we have immediately locked down all of our systems to the minimum level of access. We’ve also put in place a variety of extra manual and automated checks so we can detect and prevent further deliberate hacks and spam attempts. In these situations, we can know for sure that we’ve closed specific methods, but not whether another attack is coming.

As well as our internal staff we have server and security specialists working with us to detect any other methods that may be used and defend against them. We also have a professional security audit in progress by an independent firm.

What happens from here?

In the short term, we will just be working long hours as we monitor, track and investigate this. As we know more, we will keep you up to date.

Ongoing, we’ll be making whatever security changes are needed to make Campaign Monitor even harder to access, based on what we have learned and the outcome of the security audit and training.

One major issue arising will be temporary blacklistings because of the spam that did get out before we could catch it, and as they pop up our team will be working on getting them lifted.

All the evidence points to this being a highly intense, deliberate and planned attack intended to gain access to Campaign Monitor data and to send spam emails. We are committed to stopping this ever being able to happen again, and again apologize for the major let down.

We have emailed all account owners with this same information and we will continue to let you know any other relevant details.

FAQs from the comments

Have you contacted the people who had their account accessed?
Yes, we have emailed them individually. If we uncover any further accounts, we’ll contact them too.

Was my password compromised and should I change it?
Unless we have emailed you individually (as above) then we do not believe your password was compromised. However, if you choose you can change your password in your account settings. See some tips for creating a good password.

Should I still send my large campaign?
We do expect that there will be blacklisting from the spam that got out, and it can take a while for blacklist operators to remove addresses. So if you can hold off on large sends, that will reduce your risk of bounced emails. So far deliverability is fine, but we’d like to give you and your clients fair warning.
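For anyone who wants to check whether a sending IP has been blacklisted, rather than waiting for bounces, the following is an added example (it is not from the original post and is not a Campaign Monitor tool). It shows how a DNS-based blocklist (DNSBL) lookup actually works and the two traps that make such checks lie: provider error codes that are not listings, and resolvers that hijack NXDOMAIN. The IPs used are placeholders from the TEST-NET-1 documentation range, the in-memory resolver is constructed so the script runs offline, and the real sending IP to check is the one in the Received headers of a delivered campaign.

```python
"""Added example, not from the Campaign Monitor post: check a sending IP
against DNS-based blocklists (DNSBLs) once spam has gone out.

How a DNSBL lookup works: reverse the IPv4 octets, append the list's zone
and resolve the A record. NXDOMAIN means "not listed"; an answer inside
127.0.0.0/8 means "listed" and its last octet encodes the reason. Spamhaus
uses 127.255.255.x for query ERRORS (e.g. .254 = queried through a public
resolver, .255 = rate limited), which must not be read as a listing, and a
resolver that hijacks NXDOMAIN (returning a non-127 address) makes every IP
look listed. Assumptions: the IPs below are from the TEST-NET-1 range, the
fake resolver is constructed for the example, the zone names are real lists.
"""
import ipaddress
import socket

# Real DNSBL zones. Return-code meanings for Spamhaus ZEN as published by
# Spamhaus; most other lists simply answer 127.0.0.2.
ZONES = {
    "zen.spamhaus.org": {
        "127.0.0.2": "SBL (spam source)",
        "127.0.0.3": "SBL CSS (snowshoe/compromised)",
        "127.0.0.4": "XBL (exploited host)",
        "127.0.0.9": "SBL DROP/EDROP",
        "127.0.0.10": "PBL (dynamic address space)",
        "127.0.0.11": "PBL (ISP policy)",
    },
    "bl.spamcop.net": {"127.0.0.2": "SpamCop listing"},
}
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")   # Spamhaus error codes


def dnsbl_name(ip, zone):
    """192.0.2.10 + zen.spamhaus.org -> 10.2.0.192.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv6 listings use nibble-reversed names; not handled here")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def query_dnsbl(ip, zone, resolve=socket.gethostbyname):
    """Return (status, code) with status 'clean', 'listed' or 'error'."""
    try:
        code = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return ("clean", None)          # NXDOMAIN: the list has nothing on this IP
    answer = ipaddress.ip_address(code)
    if answer in ERROR_NET:
        return ("error", code)          # list refused or could not answer
    if answer in LISTED_NET:
        return ("listed", code)
    return ("error", code)              # non-loopback answer: NXDOMAIN hijacking


def check_ip(ip, resolve=socket.gethostbyname, zones=ZONES):
    """Query every zone; returns {zone: (status, code, reason)}."""
    results = {}
    for zone, meanings in zones.items():
        status, code = query_dnsbl(ip, zone, resolve)
        reason = meanings.get(code, "unknown code") if status == "listed" else None
        results[zone] = (status, code, reason)
    return results


def is_listed(results):
    return any(status == "listed" for status, _, _ in results.values())


# Constructed offline stand-in for DNS so the example runs without network.
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",        # listed in XBL
    "30.2.0.192.zen.spamhaus.org": "127.255.255.254",  # Spamhaus: public resolver refused
    "40.2.0.192.bl.spamcop.net": "198.51.100.1",       # hijacked NXDOMAIN, not a listing
}


def fake_resolve(name):
    if name not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN for " + name)
    return FAKE_DNS[name]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        res = check_ip(ip, resolve=fake_resolve)   # drop resolve= for a live check
        print(ip, "LISTED" if is_listed(res) else "clean", res)
```

Run it against the real sending IP with the default resolver, from a machine whose DNS goes to your own recursive resolver rather than a public one, or the Spamhaus query will come back as an error rather than an answer.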

What about credit card information?
We do in some cases store credit cards on our servers. However, they are always stored in encrypted form, and the application never displays them in clear text. We have no indication or evidence to date that credit cards even in their encrypted forms were accessed at all.

Posted by Mathew Patterson

203 Comments

  • Dave Calleja
    11th August

Thanks for the info guys, as it stands should we hold off on large sends?

  • Douglas Neiner
    11th August

    Guys, I am really sorry for you this happened. Thanks for informing us, and please keep us updated as you said. That sounds like an app developer’s absolute worst nightmare… I shudder to think of this happening to one of my sites. Wish you the best in fixing it… and I sincerely hope you catch the hackers that gained access… that would be uber-cool. We can have a major Twitter bashing of them ;)

  • Christy Kilgore
    11th August

    It sucks that this happened, but no one can accuse your team of not making a best effort to fix it. Thanks for your hard work.

  • Mathew Patterson
    11th August

    Thanks for the support guys and girls.

    @Dave if you can hold off on very large sends, it might be sensible because we may see some temporary blacklistings coming up in the next couple of days.

  • Brad
    11th August

    Yes! Much appreciation for the update, guys. Thank you… and hang in there.

  • James (from a CM client)
    11th August

    Bad news for you and your clients, but thank you for your honesty - people really do recognise and appreciate it and it will minimise the fallout. Please keep up the transparency.

  • Dave Calleja
    11th August

    Thanks Matt, good luck getting it all sorted out.

  • Craig
    11th August

    Hope you didn’t pull a Twitter and have a server password of ‘password’.

    :P

  • Mathew Patterson
    11th August

    @craig - Definitely not the issue here!

  • Mark Park
    11th August

    Well handled. Thanks for being straight up about it.

  • Maxine Sherrin
    11th August

    Your blog post should be used as a textbook example of openness and honesty and delivering difficult news. All the best at a difficult time.

  • TK
    11th August

    Will you be notifying the account holders, whose accounts were breached?

  • Ashul Shah
    11th August

    Thanks for the heads-up - really appreciate your honesty and transparency.

  • Damien Buckley
    11th August

    Absolute confidence in you guys to sort this out - go get em’

  • OE Design
    11th August

    Thanks for the update. This stuff happens and we all learn from our mistakes I guess. You guys rock and look forward to getting things up and running again! keep up the good work! We appreciate your efforts!

  • Mathew Patterson
    11th August

    @TK Yes, we’ve already done so (I mentioned that in the post too). If we discover more, we’ll contact them too.

@Maxine, Mark and others - we appreciate your support, it means a lot.

  • Doug
    11th August

    string em up by the bollix

  • Ron
    11th August

    I must say I am very impressed with your transparency. Even bad news such as this does nothing but further showcase your customer relations skills. Every software has potential of such intrusion. What matters is the action you take when faced with such situations. Best of luck with the cleanup.

  • Vignesh Ganesan
    11th August

    Thanks for the info guys.

In continuation of the fine example set by Campaign Monitor, should we also be looking at sending out “sorry for the inconvenience, account was hacked” emails to our clients’ subscribers? Of course, once more information is available. Was just wondering what standard practice/etiquette was on such matters…

    Thanks,
    Vignesh.

  • Scott Jacques
    11th August

    Maybe I missed it (looking for actions for us to take) but is there any reason we should admin or client passwords?  Thx

  • Scott Jacques
    11th August

    Sorry meant to say “Reset or update admin or client passwords”.

  • Zac
    11th August

    I guess the old saying comes to mind: it’s not the problems you face, but how you handle them.

    You guys are handling this situation (one we all dread) perfectly: transparent, honest and focused on the resolution.

    We’re behind you during this difficult period.

  • Adam
    11th August

    What a horrible thing to happen. Well done on the response.

    Re: Holding off on large sends - what about small sends (~500)? Should we still hold off?

  • James Beattie
    11th August

    We appreciate your honesty and transparency, but this still dents our confidence in your product.

  • wheelyweb
    11th August

    Have you already contacted all suspected breached accounts?

  • Evren İnanç
    11th August

    Sorry to hear, s..t happens.

    Afraid to ask but anything related to our credit cards compromised?

  • Adria Richards, ButYoureAGirl.com
    11th August

    Campaign Monitor folks,

    your transparency on the issues is soooooo appreciated.  Thank you for being open and honest about this incident vs trying to hide it.

  • Julia
    11th August

    Off with their heads!

    Regarding waiting to send larger campaigns, any idea how long we should wait for the blacklisting to be sorted out? I’ve got another campaign that’s supposed to go this week.

    Thanks and good luck. You guys are the best!

  • Julia
    11th August

    Just to clarify: I was referring to the hackers’ heads.

    ;-]

  • Jamie Appleseed
    11th August

    @Evren, Campaign Monitor is in all likelihood using a provider like Authorize.net, meaning they don’t store the credit card information themselves (or only 4 digits of it), so hackers won’t be able to get hold of this information. It’s only if CM is storing the credit card information themselves that we should be worried.

    I wrote CM letting them know that it might be a good idea to write about this explicitly, as credit card details are a major concern, and it’s mostly people who’ve looked into implementing online payment solutions who know how this technically works (storing cc information off-site).

    But yeah, Mathew, or someone else, can probably confirm this or explain in further details.

  • mark
    11th August

    Thanks Matt,
    We all spend far too much time fending off evil instead of improving… have you notified our clients under our account?

    Mark

  • Nick Lazar
    11th August

    I have complete confidence that you will lock this down & get your service back on track. You have, by far, the best emarketing offering & customer service out there!

    Hope you catch the tossers that broke in.

    Nick.

  • Andrew Howard
    11th August

    Keep your chin up and thanks for keeping us informed

  • touhey
    11th August

    w/Evren, what about Credit Card information?

  • Ray Grieselhuber
    11th August

    @James understandable but not really fair. There is always a way for someone to get in if they really want to. It’s part of the price we pay for the convenience of services like Campaign Monitor. I wouldn’t say this about a service that wasn’t run by the obvious top notch people here.

    At the end of the day, there is only so much you can do and there is always someone out there with more time and resources on their hands.

  • Craig Mannino
    11th August

    thanks for the honesty!  as said above should we change any admin passwords or our clients passwords that have access?

  • StuartN
    11th August

    Are our credit card details safe?

  • Zos
    11th August

    To echo the sentiments, we really appreciate the openness and speed of your communication. Thanks and all the best.

  • innercircle
    11th August

    Have credit card details been breached?
    How do we know if our confidential mailing list has been accessed?
    How do we know if they have used our account?

  • Ed
    11th August

    Your service and honesty is why you have us all as customers. Things go wrong from time to time, it is how you handle it that matters. Good work guys.

  • DW Ferrell
    11th August

    Over the last 2 weeks we’ve had several of our clients’ FTP accounts hacked, and the only thread is that they are using Campaignmonitor for email list signups and blasts. Is it possible that these issues are related?

  • Mike
    11th August

    Last time i set the root password to… “password”

  • Chris Adkins
    11th August

    Thanks for your honesty.

    I’ve been using CM for over 3 years at various companies and you guys have always been top notch for customer service.

    Chemical Castration for all spammers!

    Good luck with everything

  • Mathew Patterson
    11th August

    @DW Ferrell - There isn’t anything at all in a Campaign Monitor account that would help with hacking FTP servers, so that would be unrelated.

  • Sam
    11th August

    If my clients’ subscriber lists have been stolen, then to be honest I’m not sweating it too much. Let’s face it, everyone gets a ton of spam and a few more messages won’t really kill anyone.

    However I’d like to know the answers to the same 3 questions that innercircle posted:

    - Have credit card details been breached?
    - How do we know if our confidential mailing list has been accessed?
    - How do we know if they have used our account?

  • David Roessli
    11th August

    Thanks for the info and transparency.

    Best of luck sorting it all out - I know how it feels..

  • Mathew Patterson
    11th August

    @Sam I’ve added answers to the post, but we will let you know if there is any indication your account was accessed

  • Jellyfish458
    11th August

    Textbook management of an issue.

    We are all intelligent people and understand that any site is a potential target.

    By updating us with relevant and detailed (where allowed) information you have treated us with a level of respect as well.

    I know of other campaign sites that just shut down ALL information until it is sorted.

    Your openness only fills me with confidence.

    Thank you for your confidence is us being able to respond to this issue intelligently.

    As for the hackers, the glass rod treatment I think!

  • TwoSocks
    11th August

    As already stated, I appreciate the openness!

  • Lao Watson-Smith
    11th August

    Bad news for you and some of your customers, but I would just like to say a big thank you for being so open and frank about it. Your transparency and excellent communication on this issue is to be commended, and it in fact reinforces my own confidence in your company. Kudos, guys!

  • Paul
    11th August

    Hi guys,

    If they hacked the system that the credit card details are stored on… did they also get access to the code that encrypts the credit cards?

    ie: We input our cards, code on your site then ‘encrypts’ said credit card details.

    When it comes time to take payments, the encrypted numbers are unencrypted..

    - Paul

  • Ninethirty Creative
    11th August

    We have an email which is due out at 10.00am BST. It is going out to 10,000 recipients, Can you give some indication as to when this can be sent as we need to give our client a possible timeframe.

    Sorry that the intrusion has happened and hope you resolve the matter soon.

    Regards

    Ninethirty Creative

  • Sutida
    11th August

    Thank you

  • Susie
    11th August

    Sorry to hear this has happened. You’re handling it in the best way possible though by being so up front about everything. Good luck with sorting it out.

  • Andy B
    11th August

    I appreciated your honesty. I hope you get it all fixed soon.

    >Chemical Castration for all spammers!

    Off with their goolies!

  • Christopher Guillou
    11th August

    Yet again a fine example of crisis management and communication.
    Thanks for the great service and business inspiration.

    Chris

  • Maddy
    11th August

    Sorry to hear your news, what a nightmare.
    One of my clients couldn’t send a campaign yesterday because they were getting a message credit card details not stored.  Was this something CM implemented because of the hack?

  • d
    11th August

    So where does that leave us? Shall we cancel our credit cards?

  • Jack
    11th August

    Thanks for letting us know so quickly, as they say the measure of a company is not how it performs when things go well, but how it handles problems.

  • Mathew Patterson
    11th August

    @Paul We do not have any evidence suggesting credit cards or the decryption element were touched, but of course we are aware of that risk and it will be completely investigated.

  • Danny Foo
    11th August

    Though worrisome but completely appreciate the honesty and openness on how CM is approaching the matter.

    Good luck people. And, do hope the infiltrators would be prosecuted later.

  • Ed
    11th August

    Sorry this has happened to you. A few questions:

    - would the hackers have had to pay to send a campaign?
    - If a card is stored on your system, will it have been charged?
    - Would *not* saving a card on your system have deterred a hacker from using that account?

    thanks for your responses so far

  • Stefan Seiz
    11th August

    Can you reveal if the used Platform/OS had any influence in this case? Meaning, could the hack have happened e.g. if you used UNIX instead of Windows .NET etc?

  • a
    11th August

    Refreshing to see such brutal honesty… had this happened to someone like Microsoft they’d be spinning lies left, right and centre.

    Thanks for the warning and good luck with sorting it out. I’ll certainly continue to use Campaign Monitor - as Jellyfish458 put it “Your openness only fills me with confidence”.

  • Michrome Mailing Lists
    11th August

    Will this affect the chances of my campaigns being marked as spam?  I have noticed an email campaign I sent this morning has a lower read rate than I’d usually expect and Google Mail marked the usual “Your Campaign Has Been Delivered” email as spam.

    Thanks.

  • Mathew Patterson
    11th August

    @Ed No, credit card or no card was unrelated to which accounts were accessed.

  • ra5hid
    11th August

    Thanks for the update. I’m glad to hear that the credit card information was not nabbed or accessible. Appreciate the heads-up.

  • Tim
    11th August

    Mail Chimp is dead.

  • Richard Field (Head of Creative)
    11th August

    Bad news -

    Well handled and a very informative blog.

    Down with the hackers!

    R :-

  • Ed
    11th August

    @mathew, thanks for the reply. Despite this I can say that I will continue to use CM. Any good company can have their services affected in one way or another - but you can tell a great company by the way they respond to those problems.

  • Grant Mills
    11th August

    Thanks for the update guys - having dealt with a number of hackers in my career managing websites and online systems, I know how truly frustrating an attack like this can be. Well done for handling it so well and keeping us all in the picture.

    Best of luck sorting it out
    Grant Mills
    MailGloo - email marketing that sticks

  • Mike Vasey
    11th August

    As they say, S#@*T HAPPENS!
    Disappointing as it is, a real measure of a company is not what happened but how they react when it does.
    Your response was prompt, informative and professional.
    Impressive, most impressive.
    Watching further news with interest.

  • IT Dept
    11th August

    Funny that, as we have an email from yourselves stating our account had been stopped due to spam. I’ve a feeling our account may have been affected a few weeks ago. Any ideas?

  • Urban River
    11th August

    Good luck sorting it out!

  • IdeaMan
    11th August

    I agree with Stefan - perhaps CM should consider building on something other than a Microsoft platform.

  • raam
    11th August

    Nicely handled, appreciate the honesty.

  • Peter
    11th August

    Is there any possibility of passwords having been compromised?

  • IdeaMan
    11th August

    For the record, I must stay my CM experience on all fronts up to this point have been fantastic. Excellent job, guys—thanks for the info, and keep up the great work. Undoubtedly, this experience will only make CM stronger.

  • Yalcin
    11th August

    What information should we pass onto our clients about their accounts? e.g. blacklisting, account changes etc..

  • Peter
    11th August

    Thanks for your honesty and openness.

    To protect us legally in the future, can you advise on terms and conditions which we should implement and show in case any of our clients’ accounts and email lists are compromised now or in the future?

    Do your own terms and conditions state that you’re not held responsible if spammers/hackers gain access to the accounts?

  • IdeaMan
    11th August

    *say, that is

    :)

  • Léon van Deursen
    11th August

    Your honesty is impressive and greatly respected. It is therefore that my confidence in your company has not been damaged at all. I do hope they catch the *******.

    Good luck guys!

  • John
    11th August

    Thanks for the update Mathew.
    Good honest explanation always helps, keep it up.
    Please let us know if any action is required on account passwords.

  • Tobie Langel
    11th August

    Can you confirm that you weren’t storing customer passwords in clear?

  • Tom Bathgate
    11th August

    Thanks for the honest and open post. I am huge Campaign Monitor fan and find it such a great tool for myself and my clients.

    Keep up the good work in the fight against these hackers!

  • Steve
    11th August

    Thanks for the open, honest and quick information.
    I’ve every confidence in CM to fix any errors, resolve the situation to the very best of your ability and to learn from it in the future.
    This will not affect our views and use of CM.

    Also I’m sure you can catch those responsible.

    All the best, Steve

  • Mathew Patterson
    12th August

    Regarding passwords, we were not storing those in clear text, and again we’ve contacted directly people whose accounts were accessed.

  • Paul Masri
    12th August

    Thank you for alerting us by email also. It’s easier to deliver bad news once you’ve solved a problem but I’m glad you took the brave step of letting us know as soon as possible, even while you’re fixing it. As other comments have said - this is a textbook way of dealing with a difficult situation. May the caffeine gods bless you!

  • Nicolas
    12th August

    One question concerning DomainKeys:
    In some instances, you guys store the public key but also the private key of our domains.
    With that information, the hackers could - even after the attack is over - continue to send emails appearing to come legitimately from our domains, signed with domain keys.
    Therefore resulting in blacklisting of our own domains.

    Should we change our private key ?

  • Anil
    12th August

    I cannot login to all 3 CM accounts that we have. Please help, I have put up a Support Request.

  • Richard Maynard
    12th August

    It’s great to see such openness.  This must be very difficult news to break.  There are some really gifted people out there that should turn their efforts to something more productive than causing destruction by hacking into others’ systems.  I’d be very surprised if you track down who did this - but I hope you do!  Good luck.

  • Mathew Patterson
    12th August

    @Nicolas While we don’t have any evidence that it was touched, if you have the ability to easily change them you could be certain to be safe.
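The DomainKeys question above, worked through as an added example (this is not Campaign Monitor’s code and the post does not say how their signing is set up). If a third party has held your private key, the only safe assumption is that it is burned: generate a new key pair, publish its public key under a new selector, switch signing to it, and then revoke the old selector by publishing an empty p= tag, which RFC 6376 defines as “this key has been revoked”. The script builds the TXT record for the new key, splits it to respect the 255-octet limit on a single TXT string (a 2048-bit key does not fit in one), and checks both selectors. The domain, selector names and sample key are all made up for illustration; the sample is not a real RSA key, only its PEM framing is exercised.

```python
"""Added example, not Campaign Monitor's code: rotating a DKIM (DomainKeys)
signing key after the provider holding the private key was compromised.

Steps: (1) generate a new key pair, (2) publish its public key under a NEW
selector, (3) switch signing to the new selector, (4) revoke the old selector
by publishing an empty p= tag (RFC 6376 s3.6.1: an empty p= means the key has
been revoked). This script builds the TXT record for (2), handles the
255-octet TXT string limit, and verifies (2) and (4) against DNS.
Assumptions: domain and selector names are made up; SAMPLE_DER is NOT a real
key, it only stands in for `openssl rsa -in new.private -pubout` output.
"""
import base64
import subprocess
import textwrap

# Constructed stand-in for a PEM public key (512 arbitrary bytes, not a key).
SAMPLE_DER = bytes(range(256)) * 2
SAMPLE_PUBKEY_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64))
    + "\n-----END PUBLIC KEY-----\n"
)


def pem_to_p_tag(pem):
    """The p= value is the PEM body (base64 DER) with armour and newlines removed."""
    return "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))


def dkim_txt_value(p_tag, revoked=False):
    """Record value; an empty p= is the RFC 6376 revocation marker."""
    return "v=DKIM1; k=rsa; p=" + ("" if revoked else p_tag)


def split_txt(value, limit=255):
    """One TXT <character-string> holds at most 255 octets; verifiers
    concatenate the pieces, so long keys are published as several strings."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_line(selector, domain, value):
    """Zone-file line: <selector>._domainkey.<domain>. IN TXT "..." "..." """
    strings = " ".join('"%s"' % s for s in split_txt(value))
    return "%s._domainkey.%s. IN TXT %s" % (selector, domain, strings)


def parse_dkim_record(txt):
    """'v=DKIM1; k=rsa; p=MIIB...' -> {'v': 'DKIM1', 'k': 'rsa', 'p': 'MIIB...'}"""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())   # p= is often folded
    return tags


def selector_state(txt, expected_p):
    """What DNS says about one selector: missing, malformed, revoked,
    published (p matches expected_p) or mismatch."""
    if txt is None:
        return "missing"
    p = parse_dkim_record(txt).get("p")
    if p is None:
        return "malformed"
    if p == "":
        return "revoked"
    if expected_p is not None and p == expected_p:
        return "published"
    return "mismatch"


def check_rotation(domain, old_selector, new_selector, new_p, resolve_txt):
    """resolve_txt(name) -> record value or None. Injected so the check is
    testable offline; dig_txt below is a live resolver for real use."""
    name = "%s._domainkey.%s"
    return {"new": selector_state(resolve_txt(name % (new_selector, domain)), new_p),
            "old": selector_state(resolve_txt(name % (old_selector, domain)), None)}


def rotation_complete(states):
    """Only safe once the new key is live AND the old one is explicitly revoked."""
    return states["new"] == "published" and states["old"] == "revoked"


def dig_txt(name):
    """Live lookup with dig; joins the quoted strings of the first answer."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True).stdout
    lines = [line for line in out.splitlines() if line.strip()]
    if not lines:
        return None
    return "".join(s for s in lines[0].split('"') if s.strip())


if __name__ == "__main__":
    new_p = pem_to_p_tag(SAMPLE_PUBKEY_PEM)
    print(zone_line("aug2009", "example.com", dkim_txt_value(new_p)))
    print(zone_line("old", "example.com", dkim_txt_value("", revoked=True)))
    # Constructed DNS snapshot standing in for dig_txt.
    dns = {"aug2009._domainkey.example.com": dkim_txt_value(new_p),
           "old._domainkey.example.com": dkim_txt_value("", revoked=True)}
    states = check_rotation("example.com", "old", "aug2009", new_p, dns.get)
    print(states, "rotation complete:", rotation_complete(states))
```

Keep the old selector published with the empty p= for as long as mail signed with the old key might still be in transit or in queues, then it can be removed; and generate the new private key somewhere the provider never sees if you want to be certain the next compromise does not repeat this question.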

  • Daniel
    12th August

    good luck in solving the issues and thanks for letting us know about the problem

  • Rob
    12th August

    Thanks for the heads up. Nicely handled, more companies could learn from this. Like any business it’s a headache people can do without. This only increases my confidence in the team at Campaign Monitor.

  • April Sadowski
    12th August

    It’s not your fault! I appreciate the fact that we received email notifying us of this which is more than we got when Twitter went down last week (it happens to the best of them!), Unfortunately there is only so much you can do to prepare yourself for something like this until it happens, then you can find ways to close the holes that you didn’t know you had.

    You gave us all detailed information so we aren’t in the dark. I like that. It shows you care. Keep it up!

  • James Walker
    12th August

    Hi guys…
    Well handled with the communication!
    I just had to re-enter my credit card details to send a newsletter… have you wiped out all the saved info?
    Thanks

  • JeffW
    12th August

    A significant part of my firm’s business is in PR/Crisis Communications, and I wanted to let you know that your candor, proactive communication and understanding, compassionate tone are all right on target—and much-appreciated. Now, solve the problem…catch the offenders…put new safeguards in place…and most definitely keep the communication coming.

  • Jay
    12th August

    I agree with a lot of the commentors in that, it is unfortunate this happened but being forthright about it is what will keep people coming back.

  • DJ Waldow
    12th August

    Mat, Dave, CM Team and clients:

    As a peer in the industry, I’m terribly sorry that this has happened. It’s something we all worry about. As other have said, I’m impressed with your openness and transparency. You guys always run a top of the line operation. I wish you nothing but the best as you work towards recovery. In reading through the comments, it is clear your clients trust and respect you.

    Please let me know if there is anything we can do to help.

    DJ Waldow
    Director of Community at Blue Sky Factory
    @djwaldow

  • Mara
    12th August

    Thanks for the explanation; we understand that nobody is exempt from this kind of attack. The most important thing is the effort you are making and the communication with us, your clients.

  • pete.j
    12th August

    Are you guys editing the comments? There was a comment earlier about the risk of law suits if corporate clients’ lists are put at risk (which I assumed this was referring to the privacy act) - but now that comment is gone. Are you seriously deleting comments you don’t like on such a serious matter?

  • Jon Henshaw
    12th August

    I’ll still use your service. You guys rock! Good luck cleaning up the mess they made, and here’s to better security in the future ;)

  • Steve
    12th August

    Any news on when we will be able to send emails again?

    Kind Regards

    Steve

    Ninethirty Creative

  • ~Love'J~
    12th August

    really grateful for ur transparency ~ makes me a proud customer

    sending u all ~LOVE~

  • Jeanniey
    12th August

    The eec supports you and your efforts. Thanks for taking such a proactive approach to this. Keep up the good fight.

  • Dave
    12th August

    Could you define “large campaign” (e.g. over 1,000 subscribers, over 100,000 subscribers)

  • Diana Potter
    12th August

    Hey @Steve,

    Unfortunately not, we’re not seeing any great numbers of bounces yet but it’s quite likely that we’ll see some blacklistings from this and we’ll deal with them as quickly as possible. You could send now but we do recommend holding off on large sends if you can, just because of that likelihood. We’ll be sure to keep this post updated with information whenever we have it.

  • Gareth S Price
    12th August

    Sorry to hear you got hacked… thanks for the transparency - very reassuring. I will definitely continue to do business with Campaign Monitor in the future.

  • Craig
    12th August

    As I blogged this morning, this is a textbook example for companies on how to address a crisis with honesty and transparency. Thank you for excellent work under lousy circumstances.

  • Chris
    12th August

    I changed my password a couple of hours ago, and now I cannot access my account with either new or old password. I could ten minutes ago, but not now. Am I being hacked or is this a result of your work to fix things? Chris

  • Thomas Eorgan
    12th August

    Thanks for being so open and transparent—but I would expect no less from Campaign Monitor’s awesome customer service.  As a long time customer, we appreciate the effort you’re making to create a safer environment for our data, and we look forward to continuing to use your terrific service!

  • Diana Potter
    12th August

    @Chris have you tried emailing support? We can take a look at it for you.

  • Meredith Self
    12th August

    Great big thank you for such open, honest, direct communication of what is happening. Just want you to know I appreciate it, and your efforts to protect our data and keep us informed.

    just one more reason to love your company.

  • Chris
    12th August

    @ Diana Potter - I have just emailed support. Thanks.

  • Eliffio
    12th August

    So sorry this happened, but it’s totally unpredictable. Even NASA was hacked, so I totally understand.

    Best of luck guys. You are still my fav emailing app ;-)

  • Eric
    12th August

    Ugh.  Tough break, guys.  You’re a great company, you provide a great service, and you’ve handled this situation with humility and transparency.  Well done!

    Keep on keeping on.

  • Darcy
    12th August

    Like a lot of people here, I really appreciate your honesty about the issue. Because of it, I trust that you’ll get it all figured out. Good luck.

  • Deanna Hall
    12th August

    Wow!  Isn’t it funny how forgiving folks are when you just tell the truth?  Isn’t it amazing that we are all sending you kudos rather than ripping you a new one, all because you simply told the truth?  Might it also be that the kinds of people that are involved in causes understand that there are greater problems in our world than what is going on here and that we hang on to the belief that all things eventually work for good?  Thanks guys!!  We appreciate you working so hard for us!

  • Alex
    12th August

    Thanks for being honest and direct.

  • Amy
    12th August

    Is anybody notifying their subscribers on this? Should we be doing so?

  • Derrick Miller
    12th August

    Please let us know ASAP whether there is a chance that our credit card information was exposed.  It’s about 100,000x easier for me to cancel our card and get a new one issued, than it is to try to recover stolen funds after the fact.

    Note: My saved credit card info disappeared, and a client’s campaign failed with the error “Card Number has not been set.(-100)”.

    Like others, I appreciate your transparency.  Please just keep that up and let us know more about the credit cards.

  • Amy
    12th August

    Ha…sorry, I guess we can’t anyways right now, since we can’t send out any large emails…
    Thanks to the Campaign Monitor crew who have been very open and honest on this issue.

  • holder10
    12th August

    Should we get notified via e-mail about this?
    Because I didn’t get a mail…

  • Matthew
    12th August

    My credit card details gone from the “Billing” section - I take it this is not suspicious?  Certainly no untoward entries in the Card Statement yet.

  • Adam Hadley
    12th August

    Most of the comments here say the same thing, “thanks for being up-front and open about what happened.” It matters. Your transparency about this issue far outweighs any negative thoughts I have that it happened in the first place.

  • Will Brown
    12th August

    The openness and candor is refreshing!  I am not going anywhere!
    Our Business stays.  This can happen to the best of shops!

  • Diana Potter
    12th August

    Hey @Derrick Miller and @Matthew as stated in the FAQ section above there is absolutely no evidence that so much as the encrypted forms of any credit card information was accessed. The deletion of the stored details was indeed us and it was part of a security update pushed yesterday, you’re safe to add them back. If we find absolutely any evidence to the contrary we’ll notify everyone immediately but that’s something we’ve paid particular attention to.

    @holder10 we sent out a general notification to all account owners (it would have gone to the email address associated with your account) just letting everyone know about the situation and pointing them to this blog post. If you didn’t get that you might want to check your filters. To the small number of accounts that were accessed we contacted everyone individually about the situation, if you didn’t receive an email like that then your account wasn’t accessed.

  • QG
    12th August

    @Amy, it seems to me that whether you go out to your subscribers with a heads-up likely depends on several factors, including:

    - Whether CM has notified you that your account was affected
    - The nature of your relationship with your clients
    - The nature of your clients’ relationship with their subscribers

    A CM customer who hasn’t been notified and who uses CM directly to send a monthly newsletter to a small list of past clients, for example, is going to be in a *much* different place than a customer who has been notified and who uses CM to communicate with tens or hundreds of thousands of active, paying customers.

  • holder10
    12th August

    I can’t find a general notification in my filter as well :(

  • Robyn
    12th August

    I noticed last week that our campaign had a pretty high bounce rate and several ISPs were blocking our campaign. Several of our subscribers showed a status of bounced due to SPAM. I don’t want to lose them and want them to keep getting our campaigns. Is this a result of what happened? Also, what should I do so I can keep sending to them? I understand that once a subscriber has a hard bounce, they are removed permanently. How would I determine if they marked it as SPAM or the ISP blocked them due to SPAM? Hope this makes sense, but I do not want to lose people due to ISP blacklists.

  • Anon
    12th August

    @Diana, so you’re stating that there is ‘no evidence’ at this point in time regarding accessing sensitive information but then say that if your company finds any ‘absolute’ evidence then they’ll update users of the site? Make up your mind… It would be sensible to have users cancel their existing credit card/s - otherwise you’ll probably end up losing customers if they have their credit cards compromised.

    P.S. When you eventually find out where this attack originated from within your network I’d sack off whoever provides that ‘service’.

  • JCG
    12th August

    I am currently unable to access my account. Does this have anything to do with the attack? Are there any expected delays today while you guys address this? Thanks!

  • Diana Potter
    12th August

    @Anon Right now there is definitely no evidence that any credit card information was accessed in any way. We’re still digging in right now but it’s incredibly unlikely at this point that anything more would be uncovered in that area. I do apologize if I made it sound like it was a possibility. I just want to make it clear that we will be keeping this post updated with any new information and we would email everyone if anything sensitive was uncovered. The credit card information we do store on our servers is kept in a very encrypted form and there is no evidence that any credit card information was accessed.

  • Michael Story
    12th August

    So sorry this happened guys. I have been through two incidents of this type of intrusion from the technical end and I know it’s a tough lesson to learn. You are doing the right thing in being direct and to the point with your customers as this will ensure the best retention and loyalty. Up the authentication process and grill your dev staff and log files as both incidents I’ve investigated turned out to be inside jobs.

    Keep us posted.

    Michael

  • Laurent
    12th August

    Thanks for the transparency of the information.

    We’ll follow your recommendations for password modifications and co.
    Feel free to post on webhostingtalk if your tech team needs some tips and advice.

    best regards,
    Laurent

  • mgurgel
    12th August

    Indeed, this is terrible news, but you are doing a great job in managing this crisis. Keep it up!

  • PF
    12th August

    Hello, I (or my customers) am unable to access my account…
    Can you please let us know when the accounts can be accessed again?

  • RM Cotton
    12th August

    Thank you for your upfront and fast response to this terrible incident.  I love Campaign Monitor!

  • BE
    12th August

    So I sent my large campaign out yesterday not knowing this had occurred.  Should I be concerned?  I did notice my number of bounces increased.  Not dramatically but…Thank you.

  • Diana Potter
    12th August

    Hey @PF and everyone else, our apologies for the momentary outage. It was the result of some updates we’re making. Everything is back up and stable.

  • Diana Potter
    12th August

    Hey @BE, we’re still seeing fairly stable deliverability right now but we’re definitely expecting some issues relating to the spam that was sent. If you get in touch with support we can take a look at your reports and the bounces for you.

  • msimpson
    12th August

    Thanks for your openness. I’d like to be transparent with our clients as well, but need some answers before contacting them.

    We have small but highly confidential lists involving the banking industry and others. Can you definitively say that none of our lists or client lists were compromised? I think I got the general email. What is the subject line of the email saying “your account has been compromised”?

    I’ve changed my password. What other steps should I (and our clients) take?

  • Anna Yeaman
    12th August

    Man that’s horrible news…thanks for sending out the email to inform us all what’s going on and the Twitter updates. Wondered why I had to re-enter my credit info last night, though your comments make clear that our bank info is safe.

    Good luck dealing with this, feel bad for you guys as you’ve put so much work into a fantastic app…still totally love Campaign Monitor and the transparency with which you deal with customers.

  • Juan Orellana
    12th August

    Tough situation to deal with for sure. I’d hate to be in your shoes right now. Best of luck to you guys and thanks for your hard work and for being up front with your members.

  • S
    12th August

    Feel really sorry for you guys, you have an excellent service and it is obvious you work 100%+ on making your company and its products the best out there for clients.

    Wishing you the best of luck in resolving this issue.

    S

  • Christine Prefontaine
    12th August

    So sorry that you have to deal with this. You guys rock and I will continue to use your service and recommend you. The way you’ve dealt with this is brilliant. But not a surprise given my previous experience. Chin up!

  • US Immigration Portal
    12th August

    I am sure DOS attacks or any other form of hacking attacks that seem to become more and more common these days will get even worse. I also believe that during these times of hardship for the world, even in the SPAM-ing and HACK-ing world, things get rougher and hackers’ “sponsors” demand higher results counts :)

    I really appreciate the way you informed us by email and also the full coverage of the whole issue here on the blog. Most certainly this is one of the nicest “faces” of you: transparency with an issue that is rather kept behind closed doors by most providers.

    Well done and keep up the good work. Affected or not, we are your clients and nobody promised us 100% error-free services when we signed up, but I truly can admire the 100% openness with which you treated this whole ordeal.

    Thank you.

  • Bud Hirst
    12th August

    Solid communication guys! New West Marketing has been using Campaign Monitor for years now and will continue to support you with our online marketing efforts for our Cradlepoint wireless networking clients. Fortunately we weren’t affected by the hack (at least not at this point). Hang in there. You’re doing a great job!

    Cradlepoint Technology
    http://shopcradlepoint.com

  • Charlie SHell
    12th August

    I echo the remarks of many of the other postings.  You’ve efficiently handled a very difficult issue and we appreciate the timely communication and progress update.

  • Dave Frank
    12th August

    We’re about to go live with a new offering involving your services. It’s a big deal to us, and so are you people!  Frankly, the depth, breadth, and quality of your services leave me completely undaunted by this moronic stunt. I have no doubt that all concerned will tough it out. Please advise if I, we or all concerned can be of any assistance.

  • Charles Forster
    12th August

    Appreciate the honesty and transparency. What a nightmare, I hope you can find these guys and implement further security measures.

  • Britt Priddy Jr
    12th August

    Can you tell where the attacks originated from by IP Address?

  • Natalia
    12th August

    Thanks for the explanation, I’m still a fan of Campaign Monitor :) Keep on working and posting updates on this issue.

  • James
    12th August

    Hi again guys - are you still having API issues?? Getting a few error messages from some of my client’s websites that are trying to auto-subscribe..?!?

  • Amando
    12th August

    How do you know that our data was not compromised?

  • Mack
    12th August

    Great work guys in getting this sorted

  • Snork
    12th August

    My credit card information seems to have disappeared out of the system.

  • Mathew Patterson
    12th August

    @ Amando - we have many different ways of monitoring and tracking what happened, so we can tell which accounts were accessed and what was done.

    @Snork - yes, we did remove card details during some of the updates we made recently. Sorry for the trouble, you will just need to re-add them again.

  • Adam
    12th August

    Hey Mathew, I have a question. Is it possible these hackers hacked and got all the database, including our email list? What are you guys going to do with it?

  • Adam
    12th August

    Hey Mathew, I have a question. Is it possible these hackers hacked and got all our database, including all the email lists?? What are you guys going to do to handle it???

  • Issac
    12th August

    @pete.j

    They are deleting comments because they haven’t fixed the problem yet.

    My comment was deleted as well and will probably be deleted again…

    If hackers find their way in they can’t tell you that nothing has been accessed - everything is up for grabs…

  • Peter Deterax
    12th August

    Sorry - Am I missing something here?

    This has proven to be a real PR exercise with plenty of Virtual Hugs all round by supporters. Yet let’s not lose focus.

    1. Of greatest Concern is that it would appear Campaign Monitor ARE (or at least WERE) storing Credit Card Details without it being PCI Compliant!
    2. Whether or not your account was compromised, the fact remains that all Clients are impacted by this - unable to login - unable to send campaigns. There has been no indication from CM as to when the dust will settle on this and we can have confidence that it is secure. With the service proving unreliable (it stopped working again this morning between 0100 - 0300 whilst we were in the middle of testing).

    3. The tighter control measures would seem to extend to resetting the Campaign Approval Limits. On Monday 12th August 2009 one of my clients using the service had to get approval to release his campaign of 80! Is this now the normal practice?

    4. That during the period of the “maintenance” and other upgrades the White Label of the CM service was compromised by their own actions - with my CLIENTS being able to identify CM (createsend domain etc) as the supplier and myself as a reseller - compromising my Commercial Position.

    5. If it was your account that had been compromised then that means your list of subscribers would have been subjected to SPAM and as a result this would have a flow on effect - including the “victim” in this case potentially being reported to ACMA, which has greater repercussions.

    6. If the Victim Company had its subscriber list compromised then those people on the list will lose total confidence in the “Victim” even though it is out of their control. This will impact them commercially and in some cases they may not even recover from this issue.

    7. Can CM guarantee that other Clients have not been a “victim” in this? How can we be sure that the subscriber lists for our clients are in fact safe and have not been secured by a 3rd party for use in an external SPAM environment?

    8. Is there a reason why SSL is not used within Member Accounts? Checking my account and those of my clients shows we are all without any form of security at the Web Interface Level (the most basic).

    9. With all the security, and other specialists it is clear that PR was involved to put a good spin on this and it worked based on the big pat on the back and virtual hugs being thrown around. Loose use of the word Transparency is best replaced by VAGUE. To date the details have been very vague and certainly not comforting.

    But for mine - sorry guys. This smells of too many shortcuts or not enough being done in a proactive manner to protect my interests. You cannot expect Clients to gloss over this issue and join you in watering it down. This event is terrible and will undermine the confidence completely in your services. For my company - we are moving everything away to a secure environment and will start reviewing other resellers.

  • James David
    12th August

    Wow, the Campaign Monitor user base is unbelievably understanding of a security breach which means that 1) they are naive 2) they are naive!

    This is serious folks. Campaign Monitor should have been focusing more on security instead of continuing to roll out new features!

  • Peter Deterax
    12th August

    Also take into account that CM knew about these issues as from their own Twitter announcements they were applying updates (security) on the 9th August (notice change from minor updates to necessary updates?)

    This indicates that the issue was known on or before the 9th August, yet we were not informed of the issue at hand till 11th August.

  • Mathew Patterson
    12th August

    @Issac We are not deleting comments - I’m not sure what happened with yours but I can assure you that we are not doing that.

    @Peter and @James

    We appreciate your major concerns, and clearly there were areas where we did not do the job we should have done.

    Regarding your specific points Peter, we have given out all the details we can reasonably give about what happened and what was done. We put a variety of different limits and checks in place, and some of them did catch legitimate customers up for a while.

    This is unfortunate, but obviously better than the alternative of missing actual spam.

    We always use SSL for any of the payment pages of course, and you can already login via SSL if you choose to, and that will work.

    We also realise that there will be flow on implications, and we never tried to shirk away from that. As I said in my post, we are fully aware this was a huge let down of our customers, and their clients.

    We did not involve PR people at all, I’m not sure why you think this is obviously the case. We’ve brought those security consultants in for the exact reasons you mentioned, to make sure we cover all angles and never let this happen again.

    I know this sucks horrendously, and that there are definitely things we could and should have done better. Right now though all we can do is be honest about what happened and what we are doing.

  • Mathew Patterson
    12th August

    I should also mention that we will of course keep updating this post as we have more information to give.

  • Frank Lisban
    12th August

    You were entrusted to keep my database safe and I am not happy.

  • urpop
    12th August

    crap security

  • Chris Adkins
    12th August

    @peter and @david

    The reason why people are throwing around ‘virtual hugs’ is not because they are naive. It is because a company is being honest with information they did not have to release in the first place.

    CM could have just contacted the clients affected and worked it out with them, leaving everyone else in the dark.

    I would prefer to be informed, and because I was, I am happy to provide a little understanding.

  • Joseph
    12th August

    Hey… So sorry for the attack and please know we’re 100% behind you. Thanks for keeping us up to date and our clients secure.

  • Frank Jerez
    12th August

    Apologies, but I have not read the comments above; my only concern is whether our credit card details have been compromised by this attack??

    I would appreciate a quick response as we may need to cancel our credit cards.

  • Yongho Kim
    12th August

    @Peter Deterax - imagine what would happen if a big player like ConstantContact were in a similar situation? (granted they may have better paid security experts) You would have seen textbook marketing BS giving zero details on the incident; only admitting to minimal details after being hard pressed by people blogging about it (since forums may be censored as a result of the turmoil).

    I’ve seen BS like that before from other companies trying to cover up their mess; that’s why I appreciate CM being open about the issue.

    Now as for the security leak itself, that’s another matter. If you read the comments, you will barely find any comments saying “oh forget about the security leak, you are doing fine”. CM was NOT able to prevent the hacking, period. But that’s a given among all. The non-BS way of handling the crisis is what is wowing customers right now.

  • Anon
    12th August

    @ Frank, apparently not but I’d get them replaced anyway for peace of mind.
    The thing that concerns me is that CM have deleted all this encrypted data which contains card details…. yet they are inviting users to enter the same credit card details again… that doesn’t make much sense if it has not been accessed? (according to CM admin)...

    Let’s face it…. no one clearly knows the full gravity of what has happened, the investigation is still ongoing…. so until that’s complete nobody can honestly say for certain a simple password change is going to make everything rosy?

  • Sasank
    12th August

    Have you resolved this issue? I need to launch a new campaign, please do let me know.

  • Mathew Patterson
    12th August

    @Sasank Please see http://www.campaignmonitor.com/blog for the latest post. There may be blacklisting issues as mentioned in this post, it is hard to know right now what the impact will be unfortunately.

  • Mark
    12th August

    It is quite clear how accounts were hacked. The login form is over clear text, i.e. not encrypted, hence when everyone logs in their usernames and passwords are able to be collected. The spammers would have had no trouble then accessing these accounts and lists. This would also be how CM know whose accounts have been hacked, based on login auditing.

  • Rank High on Google
    12th August

    I don’t want to flood you with another question while you’re busy fixing the problem. Hope CM can get over it soon.

  • Mark
    13th August

    Oh and from your Privacy Policy: “Campaign Monitor ensures that all subscriber lists, email content and reports remain private and confidential”. You cannot ensure this unless the web pages on which users maintain these lists and emails are also secured. Plain text, guys, it’s just not good enough. I suppose you had it coming, if the basic 101 on web security is not being implemented.

  • Emma Wixey
    13th August

    Thanks for the info guys.  I was one of the lucky ones who didn’t have their account compromised.  I need to send an email to 75 customers today but my credit card got declined.  I tried using a different card and that got declined too.  Is this to do with your hacking??

  • Ron M
    13th August

    I encountered errors during attempts to send a campaign on Saturday and the communication was responsive, and as soon as CM comprehended what was happening the explanation was forthcoming - I do support the company for being honest and transparent.  It is true that this is a serious issue, and it’s also true that mistakes were uncovered, BUT it is also true that issues are being dealt with out in the open and there is no “sweeping under the rug” - I believe that what some call “virtual hugs” are simply expressions by those who appreciate the rare show of integrity and openness which is rather rare.  While this is a terrible situation, more so for some than others, it will ultimately lead to a better CM - some don’t care and some do.  I can agree with almost any of the above comments on either side of the issue, but my personal preference is to stick around and continue to be in business with someone I can trust, who is honest and transparent.

  • Willbedeleted iamsure
    13th August

    So you’re an email marketing company which got hacked and found itself blacklisted in spam filtering software. Isn’t this ironic?

  • Catherine
    13th August

    I would like to thank you for the good flow of communication and the transparency. Business needs to continue and as I have programmed a campaign for today which was not distributed I was just wondering if it is queued due to some long waiting list in the distribution or if the problem remains… thanks for letting me know, because if the problem persists I need to find the best alternative for my communication.
    Thanks for your help and regards.

  • Erin
    13th August

    My account was hacked on Sunday. The hackers sent spam emails to more than 80,000 of our customers. I contacted Campaign Monitor on Monday with questions and they cut and pasted the blog post above into an email and that’s the only correspondence I’ve received since then. I’ve since contacted the company 3 times and haven’t heard back.

    I’m extremely frustrated.

  • Diana Potter
    13th August

    Hi @Erin. We are really sorry about the delay in getting back to you. We’re working very hard on getting your account reopened and getting answers to your questions. We fully understand your frustration and sincerely apologize. I’m replying to your email now and you should be hearing back from our developers later today in reply to your questions.

  • Simon Hutchings
    13th August

    Thanks for the info guys and once again it’s hats off to you all for your response time and customer service - good luck with sorting it all out.

  • Brian Loffler
    13th August

    Hi Mathew,  Back on Feb 19th - in response to a complaint from me that subscriber list uploads were not being done under SSL, and so were a security risk - you replied that “it is likely we will offer full SSL access in the near future”.  I urge you now to implement that as a highest priority.  Your suggestion earlier in this blog that one can login under SSL if one chooses is inadequate.  As soon as login is complete, the service reverts from https to unsecured http.
    I’m a great fan of CampaignMonitor’s service and your openness in this crisis, but please do include full SSL service as part of your current round of security upgrades.  Cheers, Brian

  • Mathew Patterson
    13th August

    @Brian Thanks for the additional feedback. There are actually some technical considerations involved, but our team is aware of the importance obviously. I’ll pass your comments on.

  • Brian Loffler
    13th August

    Hi Mathew,  Are you able to give us an update on the situation re current number of ISPs blacklisting CampaignMonitor sender IPs?  Thanks.  I had been planning to send a large campaign today, but am thinking it’s probably better to delay a week.  What do you advise?  Cheers, Brian

  • Mark
    13th August

    @Mathew, I think you are missing the point from a few of us here. Why is it only now that your “team is aware of the importance” when you have been advocating “private and confidential” when obviously your service is not? Yes you were hacked but you left the door open.  Now many of us are thinking twice when uploading our email lists to any third party like CM, and yes you have been very transparent and I applaud you on that, but the site is still insecure and you have not notified your customers of the exact threat. Should we still be maintaining our lists on your site, since they are not transported privately?
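    As an added defender-side check (not code from Campaign Monitor or from any commenter in this thread), the following Python script audits the two weaknesses Mark and Brian raise above: a login form that submits credentials over plain HTTP, and a post-login page that is served without HTTPS, HSTS or Secure cookies. The URLs, HTML and response headers below are constructed samples, not captures from the real site.

```python
"""Audit credential forms and post-login transport for the plain-HTTP weakness
discussed in the thread. Uses only the standard library; the sample page,
URLs and headers at the bottom are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> with its resolved action URL and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative action inherits the scheme of the page it is served on.
            action = a.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return findings for every form with a password field that would submit over non-HTTPS."""
    parser = _FormCollector(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # search boxes and the like carry no credentials
        scheme = urlsplit(form["action"]).scheme
        if scheme != "https":
            findings.append(
                f"password form on {page_url} submits to {form['action']} (scheme {scheme})"
            )
    return findings


def audit_session_transport(url, headers):
    """Flag a post-login page served over HTTP, missing HSTS, or setting cookies without Secure.

    headers is a list of (name, value) pairs so that repeated Set-Cookie headers survive."""
    findings = []
    names = {name.lower() for name, _ in headers}
    if urlsplit(url).scheme != "https":
        findings.append(f"{url} is served over plain HTTP after login")
    if "strict-transport-security" not in names:
        findings.append(f"{url} does not send Strict-Transport-Security")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = [part.strip().lower() for part in value.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} on {url} is set without the Secure attribute")
    return findings


# Constructed sample: an HTTP-served login page whose credential form uses a relative action.
SAMPLE_LOGIN_URL = "http://mail.example.test/login"
SAMPLE_LOGIN_HTML = """
<html><body>
<form method="post" action="/login">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form method="get" action="https://mail.example.test/search"><input type="text" name="q"></form>
</body></html>
"""

# Constructed sample: the page reached after signing in, with its response headers.
SAMPLE_POST_LOGIN_URL = "http://mail.example.test/dashboard"
SAMPLE_POST_LOGIN_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    findings = audit_login_forms(SAMPLE_LOGIN_URL, SAMPLE_LOGIN_HTML)
    findings += audit_session_transport(SAMPLE_POST_LOGIN_URL, SAMPLE_POST_LOGIN_HEADERS)
    for line in findings:
        print("FINDING:", line)
```

    Run against the sample it reports four findings; against a page that uses HTTPS, HSTS and Secure cookies throughout it reports none.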

  • Mathew Patterson
    14th August

    Mark,

    We understand your point, and of course you are right to get upset, but right now we can only work as hard as possible on making Campaign Monitor safer and more trustworthy.

  • Clodagh Murphy
    15th August

    I have only just seen this after searching google for contact details of CM.  I need somebody please to URGENTLY attend to my request through the CM Support Form.  I appreciate you are busy with what has happened, but if you could at least ACKNOWLEDGE my request and let me know that it has been noted, my request is possible and will be done.  We can worry about the details after. Thank you

  • Stig Morten Myre
    15th August

    Clodagh, we’re following up via email right now.

  • Tony
    15th August

    Is there a comprehensive list of actions a CM customer can take to make sure no one will use any of our accounts to send SPAM? Frankly, wading through these comments is hard.

    Thanks

  • Mathew Patterson
    15th August

    Tony,

    The main thing you can do is to have a secure password, and make sure your clients do the same. We’ve got in place lots of other measures to protect you as much as possible.

    Look out for more updates in the next week.

  • Virtual Gina
    18th August

    seems my email address has been compromised - the one that I use on CM - so now I am getting spam from myself!!!!!!!!!! What should I do?

  • David Greiner
    18th August

    Gina, that would be a totally unrelated issue to this I’m afraid. I’d recommend getting in touch with your email provider about this.

  • Andy
    19th August

    Bit disappointed I found this out second hand from a colleague.  I never received any emails as the main point of contact for our organisation.  I am however impressed at your open and honest approach.

  • Mathew Patterson
    21st August

    Hi Andy,

    We did email every account owner, but perhaps it was filtered or stopped at your mail server?

  • Promotional Products
    22nd August

    Best of luck getting this sorted out! Must be tough to have to put something like this out in public, hopefully your honesty will pay off!

  • tom
    28th August

    I just heard about the horrible news, but hats off to you guys for handling it so well. This should be a case study in crisis communications best practices.

  • John
    9th October

    Has earthlink.net been cleared yet?

  • Travis Bell
    9th October

    Hi John,

    I replied to your other comment as well, figured it wouldn’t hurt to mention it here as well. The Earthlink + Mindspring blocks have been lifted so you should be good to go. If you run into any issues, feel free to email us at support [at] campaignmonitor.com

    Cheers!

  • James Seavers
    15th October

    I appreciate CM’s candid approach to the problem.

    It’s a fact of life for developers that these things happen, even to the best of us!

    Security vulnerabilities are a fact of life, and it is the way they are dealt with, and affect future decision making, that is important.

    I for one will stick with CM, I like the way they do business.
