Campaign Monitor attacked by hackers, some accounts compromised

This is horrible news to have to release, but unfortunately Campaign Monitor has been attacked by one or more hackers, and some of your accounts have been compromised. This has been a deliberate, planned and complex intrusion and we are still in the process of handling the hacks and the impact.

Our own team, as well as external security experts, database experts and hosting providers have been working around the clock since we became aware of what was happening. At this stage, we are still investigating exactly what happened and how, but we wanted to let you know everything we know as soon as possible.

On behalf of the whole Campaign Monitor team I want to say we are completely aware of the enormous disaster this is for anyone impacted, and their clients, and we are doing everything in our power to detect and prevent any further intrusions. Yesterday's outage was related to some security changes we made as part of this process.

The following is the information we've been able to gather to this point, and what we are doing about it. If we have detected that your account was specifically accessed, we've also contacted you directly via your main account email. For obvious reasons, we can't reveal too much about the details of how this happened.

When did this occur?

The main attack took place over this weekend, for a few hours on Saturday and Sunday and continuing into this week.

We have up until now been gathering information so that we can contact you with accurate details, and also making sure we were stopping ongoing problems. We did not want to give you incomplete or misleading information. Right now we are still finding out more, but it is important you are all aware of the situation.

How did they get access?

We are still actively working to get full detail on this, but essentially one of our servers was compromised, and that gave the hacker enough access to be able to get into a few customer accounts. We now know more, but don't want to publish any details as you can understand.

What did they do with that access?

In several cases, the hacker imported their own lists and managed to send spam to those lists and, in some cases, to the lists already in the account.

We are still investigating the details in this area to determine the exact actions taken in each case. This is a time-consuming process, unfortunately. We understand you will be worried about your own, and your clients', data, and we are concentrating on that area to find out what was touched. Again, we have directly contacted customers where we definitely know subscriber lists were accessed.

Has this been fixed?

We're still making further changes, but we immediately locked down all of our systems to an absolute minimum level of access. We've also put in place a variety of extra manual and automated checks so we can detect and prevent further deliberate hacks and spam attempts. In these situations, we can know for sure that we've closed specific methods, but not whether another attack is coming.

As well as our internal staff we have server and security specialists working with us to detect any other methods that may be used and defend against them. We also have a professional security audit in progress by an independent firm.

What happens from here?

In the short term, we will just be working long hours as we monitor, track and investigate this. As we know more, we will keep you up to date.

Ongoing, we'll be making whatever security changes are needed to make Campaign Monitor even harder to access, based on what we have learned and the outcome of the security audit and training.

One major issue arising will be temporary blacklistings because of the spam that did get out before we could catch it, and as they pop up our team will be working on getting them lifted.

All the evidence points to this being a highly intense, deliberate and planned attack intended to gain access to Campaign Monitor data and to send spam emails. We are committed to stopping this ever being able to happen again, and again apologize for the major let down.

We have emailed all account owners with this same information and we will continue to let you know any other relevant details.

FAQs from the comments

Have you contacted the people who had their account accessed?
Yes, we have emailed them individually. If we uncover any further accounts, we'll contact them too.

Was my password compromised and should I change it?
Unless we have emailed you individually (as above) then we do not believe your password was compromised. However, if you choose you can change your password in your account settings. See some tips for creating a good password.

Should I still send my large campaign?
We do expect that there will be blacklisting from the spam that got out, and it can take a while for blacklist operators to remove addresses. So if you can hold off on large sends, that will reduce your risk of bounced emails. So far deliverability is fine, but we'd like to give you and your clients fair warning.

What about credit card information?
We do in some cases store credit cards on our servers. However, they are always stored in encrypted form, and the application never displays them in clear text. We have no indication or evidence to date that credit cards even in their encrypted forms were accessed at all.

203 Comments

  1. Hi guys,

    If they hacked your system that the credit card details are stored on… Did they also get access to the code that encrypts the credit cards?

    ie: We input our cards, code on your site then ‘encrypts’ said credit card details.

    When it comes time to take payments, the encrypted numbers are unencrypted..
    - Paul

  2. We have an email which is due out at 10.00am BST. It is going out to 10,000 recipients, Can you give some indication as to when this can be sent as we need to give our client a possible timeframe.

    Sorry that the intrusion has happened and hope you resolve the matter soon.

    Regards

    Ninethirty Creative

  3. Thank you

  4. Sorry to hear this has happened. You’re handling it in the best way possible though by being so up front about everything. Good luck with sorting it out.

  5. I appreciated your honesty. I hope you get it all fixed soon.

    >Chemical Castration for all spammers!

    Off with their goolies!

  6. Yet again a fine example of crisis management and communication.
    Thanks for the great service and business inspiration.

    Chris

  7. Sorry to hear your news, what a nightmare.
    One of my clients couldn’t send a campaign yesterday because they were getting a message credit card details not stored.  Was this something CM implemented because of the hack?

  8. So where does that leave us? Shall we cancel our credit cards?

  9. Thanks for letting us know so quickly, as they say the measure of a company is not how it performs when things go well, but how it handles problems.

  10. @Paul We do not have any evidence suggesting credit cards or the decryption element were touched, but of course we are aware of that risk and it will be completely investigated.

  11. Though worrisome but completely appreciate the honesty and openness on how CM is approaching the matter.

    Good luck people. And, do hope the infiltrators would be prosecuted later.

  12. Sorry this has happened to you. A few questions:

    - would the hackers have had to pay to send a campaign?
    - If a card is stored on your system, will it have been charged?
    - Would *not* saving a card on your system have deterred a hacker from using that account?

    thanks for your responses so far

  13. Can you reveal if the used Platform/OS had any influence in this case? Meaning, could the hack have happened e.g. if you used UNIX instead of Windows .NET etc?

  14. Refreshing to see such brutal honesty… had this happened to someone like Microsoft they’d be spinning lies left, right and centre.

    Thanks for the warning and good luck with sorting it out. I’ll certainly continue to use Campaign Monitor - as Jellyfish458 put it “Your openness only fills me with confidence”.

  15. Will this affect the chances of my campaigns being marked as spam?  I have noticed an email campaign I sent this morning has a lower read rate than I’d usually expect and Google Mail marked the usual “Your Campaign Has Been Delivered” email as spam.

    Thanks.

  16. @Ed No, credit card or no card was unrelated to which accounts were accessed.

  17. Thanks for the update. I’m glad to hear that the credit card information was not nabbed or accessible. Appreciate the heads-up.

  18. Mail Chimp is dead.

  19. Bad news -

    Well handled and a very informative blog.

    Down with the hackers!

    R :-

  20. @mathew, thanks for the reply. Despite this I can say that I will continue to use CM. Any good company can have their services affected in one way or another - but you can tell a great company by the way they respond to those problems.

  21. Thanks for the update guys - having dealt with a number of hackers in my career managing websites and online systems, I know how truly frustrating an attack like this can be. Well done for handling it so well and keeping us all in the picture.

    Best of luck sorting it out
    Grant Mills
    MailGloo - email marketing that sticks

  22. As they say, S#@*T HAPPENS!
    Disappointing as it is, a real measure of a company is not what happened but how they react when it does.
    Your response was prompt, informative and professional.
    Impressive, most impressive.
    Watching further news with interest.

  23. Funny that, as we have an email off yourselves stating our account had been stopped due to spam... I’ve a feeling our account may have been affected a few weeks ago... Any ideas?

  24. Good luck sorting it out!

  25. I agree with Stefan - perhaps CM should consider building on something other than a Microsoft platform.

  26. Nicely handled, appreciate the honesty.

  27. Is there any possibility of passwords having been compromised?

  28. For the record, I must stay my CM experience on all fronts up to this point have been fantastic. Excellent job, guys—thanks for the info, and keep up the great work. Undoubtedly, this experience will only make CM stronger.

  29. What information should we pass onto our clients about their accounts? e.g. blacklisting, account changes etc..

  30. Thanks for your honesty and openness.

    To protect us legally in the future, can you advise on terms and conditions which we should implement and show in case any of our clients’ accounts and email lists are compromised now or in the future?

    Do your own terms and conditions state that you’re not held responsible if spammers/hackers gain access to the accounts?

  31. *say, that is

    :)

  32. Your honesty is impressive and greatly respected. It is therefore that my confidence in your company has not been damaged at all. I do hope they catch the *******.

    Good luck guys!

  33. Thanks for the update Mathew.
    Good honest explanation always helps, keep it up.
    Please let us know if any action is required on account passwords.

  34. Can you confirm that you weren’t storing customer passwords in clear?

  35. Thanks for the honest and open post. I am huge Campaign Monitor fan and find it such a great tool for myself and my clients.

    Keep up the good work in the fight against these hackers!

  36. Thanks for the open, honest and quick information.
    I’ve every confidence in CM to fix any errors, resolve the situation to the very best of your ability and to learn from it in the future.
    This will not affect our views and use of CM.

    Also I’m sure you can catch those responsible.

    All the best, Steve

  37. Regarding passwords, we were not storing those in clear text, and again we’ve contacted directly people whose accounts were accessed.

  38. Thank you for alerting us by email also. It’s easier to deliver bad news once you’ve solved a problem but I’m glad you took the brave step of letting us know as soon as possible, even while you’re fixing it. As other comments have said - this is a textbook way of dealing with a difficult situation. May the caffeine gods bless you!

  39. One question concerning Domain Keys:
    In some instances, you guys store the public key but also the private key of our domains.
    With that information, the hackers could - even after the attack is over - continue to send emails appearing to come legitimately from our domains, signed with domain keys.
    Therefore resulting in blacklisting of our own domains.

    Should we change our private key?

  40. I cannot login to all 3 CM accounts that we have. Please help, I have put up a Support Request.

  41. It’s great to see such openness.  This must be very difficult news to break.  There are some really gifted people out there that should turn their efforts to something more productive than causing destruction by hacking into others’ systems.  I’d be very surprised if you track down who did this - but I hope you do!  Good luck.

  42. Campaign Monitor team member

    @Nicolas While we don’t have any evidence that it was touched, if you have the ability to easily change them you could be certain to be safe.

  43. good luck in solving the issues and thanks for letting us know about the problem

  44. Thanks for the heads up. Nicely handled, more companies could learn from this. Like any business it’s a headache people can do without. This only increases my confidence in the team at Campaign Monitor.

  45. It’s not your fault! I appreciate the fact that we received email notifying us of this which is more than we got when Twitter went down last week (it happens to the best of them!), Unfortunately there is only so much you can do to prepare yourself for something like this until it happens, then you can find ways to close the holes that you didn’t know you had.

    You gave us all detailed information so we aren’t in the dark. I like that. It shows you care. Keep it up!

  46. Hi guys…
    Well handled with the communication!
    I just had to re-enter my credit card details to send a newsletter… have you wiped out all the saved info?
    Thanks

  47. A significant part of my firm’s business is in PR/Crisis Communications, and I wanted to let you know that your candor, proactive communication and understanding, compassionate tone are all right on target—and much-appreciated. Now, solve the problem…catch the offenders…put new safeguards in place…and most definitely keep the communication coming.

  48. I agree with a lot of the commenters in that, it is unfortunate this happened but being forthright about it is what will keep people coming back.

  49. Mat, Dave, CM Team and clients:

    As a peer in the industry, I’m terribly sorry that this has happened. It’s something we all worry about. As others have said, I’m impressed with your openness and transparency. You guys always run a top of the line operation. I wish you nothing but the best as you work towards recovery. In reading through the comments, it is clear your clients trust and respect you.

    Please let me know if there is anything we can do to help.

    DJ Waldow
    Director of Community at Blue Sky Factory
    @djwaldow

  50. Thank you for the explanation; we understand that nobody is exempt from this type of attack. The most important thing is the effort you are making and the communication with us, your customers.

Comments for this entry are closed.
