Campaign Monitor attacked by hackers, some accounts compromised

This is horrible news to have to release, but unfortunately Campaign Monitor has been attacked by one or more hackers, and some of your accounts have been compromised. This has been a deliberate, planned and complex intrusion and we are still in the process of handling the hacks and the impact.

Our own team, as well as external security experts, database experts and hosting providers have been working around the clock since we became aware of what was happening. At this stage, we are still investigating exactly what happened and how, but we wanted to let you know everything we know as soon as possible.

On behalf of the whole Campaign Monitor team I want to say we are completely aware of the enormous disaster this is for anyone impacted, and their clients, and we are doing everything in our power to detect and prevent any further intrusions. Yesterday's outage was related to some security changes we made as part of this process.

The following is the information we've been able to gather to this point, and what we are doing about it. If we have detected that your account was specifically accessed, we've also contacted you directly via your main account email. For obvious reasons, we can't reveal too much about the details of how this happened.

When did this occur?

The main attack took place over this weekend, for a few hours on Saturday and Sunday and continuing into this week.

We have up until now been gathering information so that we can contact you with accurate details, and also making sure we were stopping ongoing problems. We did not want to give you incomplete or misleading information. Right now we are still finding out more, but it is important you are all aware of the situation.

How did they get access?

We are still actively working to get full detail on this, but essentially one of our servers was compromised, and that gave the hacker enough access to be able to get into a few customer accounts. We now know more, but don't want to publish any details as you can understand.

What did they do with that access?

In several cases, the hacker imported their own lists, and managed to send spam to those lists and in some cases the lists already in the account.

We are still investigating the details in this area to determine the exact actions taken in each case. This is a time-consuming process unfortunately. We understand you will be worried about your own, and your clients', data, and we are concentrating on that area to find out what was touched. Again, we have directly contacted customers where we definitely know subscriber lists were accessed.

Has this been fixed?

We're still making further changes, but we have immediately locked down all of our systems to an absolute minimum level of access. We've also put in place a variety of extra manual and automated checks so we can detect and prevent further deliberate hacks and spam attempts. In these situations, we can know for sure that we've closed specific methods, but not whether another attack is coming.

As well as our internal staff we have server and security specialists working with us to detect any other methods that may be used and defend against them. We also have a professional security audit in progress by an independent firm.

What happens from here?

In the short term, we will just be working long hours as we monitor, track and investigate this. As we know more, we will keep you up to date.

Ongoing, we'll be making whatever security changes are needed to make Campaign Monitor even harder to access, based on what we have learned and the outcome of the security audit and training.

One major issue arising will be temporary blacklistings because of the spam that did get out before we could catch it, and as they pop up our team will be working on getting them lifted.

All the evidence points to this being a highly intense, deliberate and planned attack intended to gain access to Campaign Monitor data and to send spam emails. We are committed to stopping this ever being able to happen again, and again apologize for the major let down.

We have emailed all account owners with this same information and we will continue to let you know any other relevant details.

FAQs from the comments

Have you contacted the people who had their account accessed?
Yes, we have emailed them individually. If we uncover any further accounts, we'll contact them too.

Was my password compromised and should I change it?
Unless we have emailed you individually (as above) then we do not believe your password was compromised. However, if you choose you can change your password in your account settings. See some tips for creating a good password.

Should I still send my large campaign?
We do expect that there will be blacklisting from the spam that got out, and it can take a while for blacklist operators to remove addresses. So if you can hold off on large sends, that will reduce your risk of bounced emails. So far deliverability is fine, but we'd like to give you and your clients fair warning.

What about credit card information?
We do in some cases store credit cards on our servers. However, they are always stored in encrypted form, and the application never displays them in clear text. We have no indication or evidence to date that credit cards even in their encrypted forms were accessed at all.

203 Comments

  1. Are you guys editing the comments? There was a comment earlier about the risk of law suits if corporate clients’ lists are put at risk (which I assumed this was referring to the privacy act) - but now that comment is gone. Are you seriously deleting comments you don’t like on such a serious matter?

  2. I’ll still use your service. You guys rock! Good luck cleaning up the mess they made, and here’s to better security in the future ;)

  3. Any news on when we will be able to send emails again?

    Kind Regards

    Steve

    Ninethirty Creative

  4. really grateful for your transparency ~ makes me a proud customer

    sending u all ~LOVE~

  5. The eec supports you and your efforts. Thanks for taking such a proactive approach to this. Keep up the good fight.

  6. Could you define “large campaign” (e.g. over 1,000 subscribers, over 100,000 subscribers)

  7. Campaign Monitor team member

    Hey @Steve,

    Unfortunately not, we’re not seeing any great numbers of bounces yet but it’s quite likely that we’ll see some blacklistings from this and we’ll deal with them as quickly as possible. You could send now but we do recommend holding off on large sends if you can, just because of that likelihood. We’ll be sure to keep this post updated with information whenever we have it.

  8. Sorry to hear you got hacked… thanks for the transparency - very reassuring. I will definitely continue to do business with Campaign Monitor in the future.

  9. As I blogged this morning, this is a textbook example for companies on how to address a crisis with honesty and transparency. Thank you for excellent work under lousy circumstances.

  10. I changed my password a couple of hours ago, and now I cannot access my account with either new or old password. I could ten minutes ago, but not now. Am I being hacked or is this a result of your work to fix things? Chris

  11. Thanks for being so open and transparent—but I would expect no less from Campaign Monitor’s awesome customer service.  As a long time customer, we appreciate the effort you’re making to create a safer environment for our data, and we look forward to continuing to use your terrific service!

  12. Campaign Monitor team member

    @Chris have you tried emailing support? We can take a look at it for you.

  13. Great big thank you for such open, honest, direct communication of what is happening. Just want you to know I appreciate it, and your efforts to protect our data and keep us informed.

    just one more reason to love your company.

  14. @ Diana Potter - I have just emailed support. Thanks.

  15. So sorry this happened, but it's totally unpredictable. Even NASA was hacked, so I totally understand.

    Best of luck guys. You are still my fav emailing app ;-)

  16. Ugh.  Tough break, guys.  You’re a great company, you provide a great service, and you’ve handled this situation with humility and transparency.  Well done!

    Keep on keeping on.

  17. Like a lot of people here, I really appreciate your honesty about the issue. Because of it, I trust that you’ll get it all figured out. Good luck.

  18. Wow!  Isn’t it funny how forgiving folks are when you just tell the truth?  Isn’t it amazing that we are all sending you kudos rather than ripping you a new one, all because you simply told the truth?  Might it also be that the kinds of people that are involved in causes understand that there are greater problems in our world than what is going on here and that we hang on to the belief that all things eventually work for good?  Thanks guys!!  We appreciate you working so hard for us!

  19. Thanks for being honest and direct.

  20. Is anybody notifying their subscribers on this? Should we be doing so?

  21. Please let us know ASAP whether there is a chance that our credit card information was exposed.  It’s about 100,000x easier for me to cancel our card and get a new one issued, than it is to try to recover stolen funds after the fact.

    Note: My saved credit card info disappeared, and a client’s campaign failed with the error “Card Number has not been set.(-100)”.

    Like others, I appreciate your transparency.  Please just keep that up and let us know more about the credit cards.

  22. Ha…sorry, I guess we can’t anyways right now, since we can’t send out any large emails…
    Thanks to the Campaign Monitor crew who have been very open and honest on this issue.

  23. Should we get notified via e-mail about this?
    Because I didn't get a mail…

  24. My credit card details gone from the “Billing” section - I take it this is not suspicious?  Certainly no untoward entries in the Card Statement yet.

  25. Most of the comments here say the same thing, “thanks for being up-front and open about what happened.” It matters. Your transparency about this issue far outweighs any negative thoughts I have that it happened in the first place.

  26. The openness and candor is refreshing!  I am not going anywhere!
    Our Business stays.  This can happen to the best of shops!

  27. Campaign Monitor team member

    Hey @Derrick Miller and @Matthew as stated in the FAQ section above there is absolutely no evidence that so much as the encrypted forms of any credit card information was accessed. The deletion of the stored details was indeed us and it was part of a security update pushed yesterday, you’re safe to add them back. If we find absolutely any evidence to the contrary we’ll notify everyone immediately but that’s something we’ve paid particular attention to.

    @holder10 we sent out a general notification to all account owners (it would have gone to the email address associated with your account) just letting everyone know about the situation and pointing them to this blog post. If you didn’t get that you might want to check your filters. To the small number of accounts that were accessed we contacted everyone individually about the situation, if you didn’t receive an email like that then your account wasn’t accessed.

  28. @Amy, it seems to me that whether you go out to your subscribers with a heads-up likely depends on several factors, including:

    - Whether CM has notified you that your account was affected
    - The nature of your relationship with your clients
    - The nature of your clients’ relationship with their subscribers

    A CM customer who hasn’t been notified and who uses CM directly to send a monthly newsletter to a small list of past clients, for example, is going to be in a *much* different place than a customer who has been notified and who uses CM to communicate with tens or hundreds of thousands of active, paying customers.

  29. I can't find a general notification in my filter as well :(

  30. I noticed last week that our campaign had a pretty high bounce rate and several ISPs were blocking our campaign. Several of our subscribers showed a status of bounced due to SPAM. I don’t want to lose them and want them to keep getting our campaigns. Is this a result of what happened? Also, what should I do so I can keep sending to them? I understand that once a subscriber has a hard bounce, they are removed permanently. How would I determine if they marked it as SPAM or the ISP blocked them due to SPAM? Hope this makes sense, but do not want to lose people due to ISP blacklists.

  31. @Diana, so you’re stating that there is ‘no evidence’ at this point in time regarding accessing sensitive information but then say that if your company find any ‘absolute’ evidence then they’ll update users of the site? Make up your mind… It would be sensible to have users cancel their existing credit card/s - otherwise you’ll probably end up losing customers if they have their credit cards compromised.

    P.S. When you eventually find out where this attack originated from within your network I’d sack off whoever provides that ‘service’.

  32. I am currently unable to access my account. Does this have anything to do with the attack? Are there any expected delays today while you guys address this? Thanks!

  33. Campaign Monitor team member

    @Anon Right now there is definitely no evidence that any credit card information was accessed in any way. We’re still digging in right now but it’s incredibly unlikely at this point that anything more would be uncovered in that area. I do apologize if I made it sound like it was a possibility. I just want to make it clear that we will be keeping this post updated with any new information and we would email everyone if anything sensitive was uncovered. The credit card information we do store on our servers is kept in a very encrypted form and there is no evidence that any credit card information was accessed.

  34. So sorry this happened guys. I have been through two incidents of this type of intrusion from the technical end and I know it’s a tough lesson to learn. You are doing the right thing in being direct and to the point with your customers as this will ensure the best retention and loyalty. Up the authentication process and grill your dev staff and log files as both incidents I’ve investigated turned out to be inside jobs.

    Keep us posted.

    Michael

  35. Thanks for the transparency of the information.

    we’ll follow your recommendations for password modifications and co.
    Feel free to post on webhostingtalk if your tech team needs some tips and advice.

    best regards,
    Laurent

  36. Indeed this is terrible news, but you are doing a great job in managing this crisis. Keep it up!

  37. Hello, I (or my customers) am unable to access my account…
    Can you please let us know when the accounts can be accessed again?

  38. Thank you for your upfront and fast response to this terrible incident.  I love Campaign Monitor!

  39. So I sent my large campaign out yesterday not knowing this had occurred.  Should I be concerned?  I did notice my number of bounces increased.  Not dramatically but…Thank you.

  40. Campaign Monitor team member

    Hey @PF and everyone else, our apologies for the momentary outage. It was the result of some updates we’re making. Everything is back up and stable.

  41. Campaign Monitor team member

    Hey @BE, we’re still seeing fairly stable deliverability right now but we’re definitely expecting some issues relating to the spam that was sent. If you get in touch with support we can take a look at your reports and the bounces for you.

  42. Thanks for your openness. I’d like to be transparent with our clients as well, but need some answers before contacting them.

    We have small but highly confidential lists involving the banking industry and others. Can you definitively say that none of our lists or client lists were compromised? I think I got the general email. What is the subject line of the email saying “your account has been compromised”?

    I’ve changed my password. What other steps should I (and our clients) take?

  43. Man that’s horrible news…thanks for sending out the email to inform us all what’s going on and the Twitter updates. Wondered why I had to re-enter my credit info last night, though your comments make clear that our bank info is safe.

    Good luck dealing with this, feel bad for you guys as you’ve put so much work into a fantastic app…still totally love Campaign Monitor and the transparency with which you deal with customers.

  44. Tough situation to deal with for sure. I’d hate to be in your shoes right now. Best of luck to you guys and thanks for your hard work and for being up front with your members.

  45. Feel really sorry for you guys, you have an excellent service and it is obvious you work 100% + in making your company and its products the best out there for clients.

    Wishing you the best of luck in resolving this issue.

    S

  46. So sorry that you have to deal with this. You guys rock and I will continue to use your service and recommend you. The way you’ve dealt with this is brilliant. But not a surprise given my previous experience. Chin up!

  47. I am sure DOS attacks or any other form of hacking attacks that seem to become more and more common these days, will get even worse. I also believe that during these times of hardship for the world, even in the SPAM-ing and HACK-ing world, things get rougher and hackers’ “sponsors” demand higher results counts :)

    I really appreciate the way you informed us by email and also the full coverage of the whole issue here on the blog. Most certainly this is one of the nicest “faces” of you: transparency with an issue that is rather kept behind closed doors by most providers.

    Well done and keep up the good work. Affected or not, we are your clients and nobody promised us 100% error-free services when we signed up, but I truly can admire the 100% openness with which you treated this whole ordeal.

    Thank you.

  48. Solid communication guys! New West Marketing has been using Campaign Monitor for years now and will continue to support you with our online marketing efforts for our Cradlepoint wireless networking clients. Fortunately we weren’t affected by the hack (at least not at this point). Hang in there. You’re doing a great job!

    Cradlepoint Technology
    http://shopcradlepoint.com

  49. I echo the remarks of many of the other postings.  You’ve efficiently handled a very difficult issue and we appreciate the timely communication and progress update.

  50. We’re about to go live with a new offering involving your services. It’s a big deal to us, and so are you people!  Frankly, the depth, breadth, and quality of your services leave me completely undaunted by this moronic stunt. I have no doubt that all concerned will tough it out. Please advise if I, we or all concerned can be of any assistance.
