Update on the hacking issue
Published August 12, 2009 by Mathew Patterson
First off, the Campaign Monitor team wants to thank the overwhelming number of people who expressed sympathy and support after we announced yesterday that our service had been attacked and some accounts compromised. While we accept full responsibility for the situation, we really appreciate your encouragement after what has been a very long last few days.
Some of you quite rightly were upset that this could ever happen, which is completely understandable, and this follow-up post is to give you an idea of how we are going to move on from here. At the bottom of yesterday's blog post I have added a few answers to questions that came up in the comments, so definitely have a read of that.
As we continue to work with our security consultants and database consultants, we expect to identify some changes that could defend against future attacks. Although it may seem a bit like proverbially shutting the barn gate, we are committed to always protecting your data and that process will be ongoing.
So over the next few days and weeks as we focus primarily on security, some highly requested features may be held back a little. The first change which will directly impact you guys is that we'll be asking you all to change your passwords.
This is not because we think they are compromised, but during our investigation it became clear that a lot of account passwords were not as strong as they could be. Our systems being completely locked down won't help if your password is easily guessed. You can log in and change your password yourself now, but at some time in the next week we'll be getting everyone to update to a stronger password. Look out for a blog post when that is about to happen.
As soon as we have any more information about the initial attack, the actual actions of the hacker or any changes that might impact your usage of Campaign Monitor, we will pass it on.
Posted in: Observations & Answers
22 Comments
Dean
August 12, 2009 5:59pm
I’ve just changed my account password but do I need to change my clients’ passwords as well?
Mathew Patterson
August 12, 2009 6:41pm
Dean, it is a good idea for your clients to have strong passwords too, that is also something we will be looking at shortly.
Peter
August 12, 2009 7:55pm
Assuming our client accounts already have strong passwords (10-12 alphanumeric characters, random) is there a need to change? The less disruption to their accounts the better.
Keith Jay
August 12, 2009 8:13pm
Please support, please fix my account so I can actually login - been waiting for a response all night!
Mathew Patterson
August 12, 2009 8:50pm
@Keith We are working as fast as we can, but as you can imagine we are very busy. Sorry for any delay.
Keith
August 12, 2009 9:28pm
@Mathew - Sorry for being impatient - I appreciate your help. I should say that it was my fault for losing the password in the first place!
Many thanks indeed for sorting it and good luck with fixing the current problems.
George
August 12, 2009 10:18pm
What’s needed in CM is a better login/user system, where optimally passwords aren’t stored in plain text as they are now (not sure if you guys hash them or what, but you obviously have a way of presenting the plain text version).
A client should be able to change their own password and have a forgotten password function, and passwords should not be stored so that they can be presented in plain text.
Or maybe just implement OpenID so that clients can log in with that?
Joe C
August 13, 2009 2:13am
George,
I’m with you. That was my first thought when reading through these postings. It’s unacceptable that the service stores passwords in plain text. It’s bad design and wouldn’t pass many security audits for larger companies.
Eliminate the show password function, hash the passwords and implement a reset password feature.
Michael Sky
August 13, 2009 8:27am
Mathew: I have a large time-sensitive mailing to do.
Do you have a reading at this point on how bad the spam-bouncing is?
Would waiting one day make a huge difference?
thanks, Michael
Sonia S.
August 13, 2009 11:03am
When is it safe to enter credit card information and send a campaign?
Can you email everyone an announcement, or should I just keep checking here?
Thank you for all your efforts to make this work as fast as possible.
sonia
Mathew Patterson
August 13, 2009 11:39am
@Joe and George
We don’t store the passwords in plain text actually, but obviously at this point there were flaws in our system and we are working on changes in this area right now.
@Michael and Sonia
It is safe to re-add your card details right now, and we are still sending email. The risk is of blocks and blacklistings which we are working on, but there is currently a higher rate of undeliverable email overall.
We’ll keep you up to date as things change.
Kregg
August 13, 2009 1:28pm
CM Team, many thanks for taking the proper steps in communication on what’s going on. I feel I have an obligation to clients that have sent campaigns in the past couple of days to discount their fees or refund totally... because I was unable to notify them of the high bounce rates or was unable to provide an alternative to sending their campaigns that needed to be delivered. Any thoughts, or has CM given any thought to this?
Thanks
Mathew Patterson
August 13, 2009 3:35pm
@Kregg If you contact us at support, we can take a look and help you out
Larry
August 14, 2009 12:24am
Let me guess, it was a Windows box that got hacked? That’s too bad. Good response, and your biggest mistake (if my guess is correct) is relying on the largest software company in the world building a reliable product with built-in security.
Louis W
August 14, 2009 3:01am
Was this a backend or front end hack?
How do you know that there are some accounts with weak passwords if you are not storing the passwords in an irreversible encoding?
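George and Joe C ask for hashed (non-reversible) password storage plus a reset feature, and Louis W asks how weak passwords could be identified without plaintext on disk. The following is an added example, not Campaign Monitor's code, showing one way those pieces fit together: each password is stored only as a salted PBKDF2-HMAC-SHA256 digest, a reset token is likewise persisted only as a hash, and the strength policy runs at the moment a user logs in or changes their password, which is the only time the plaintext is legitimately in hand. The iteration count, minimum length and the small deny-list are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Added example, not Campaign Monitor code. Parameters below are assumptions.
ITERATIONS = 200_000
MIN_LENGTH = 10
# Constructed short deny-list; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record: per-user random salt plus PBKDF2-HMAC-SHA256 digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def is_weak(password: str) -> bool:
    """Policy check, run only where the plaintext is legitimately present (login or change)."""
    if len(password) < MIN_LENGTH or password.lower() in COMMON_PASSWORDS:
        return True
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return classes < 2


def login(password: str, record: dict) -> dict:
    """Authenticate; if the correct password is weak, require a change instead of storing it."""
    ok = verify_password(password, record)
    return {"authenticated": ok, "must_change_password": ok and is_weak(password)}


def issue_reset_token() -> Tuple[str, str]:
    """Return (token to send to the user, digest to store). Only the digest is persisted."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("ascii")).hexdigest()


def redeem_reset_token(token: str, stored_digest: str, new_password: str) -> Optional[dict]:
    """Accept a reset only with the matching token and a new password that passes policy."""
    presented = hashlib.sha256(token.encode("ascii")).hexdigest()
    if not hmac.compare_digest(presented, stored_digest) or is_weak(new_password):
        return None
    return hash_password(new_password)


if __name__ == "__main__":
    record = hash_password("password")   # weak: flagged at login, never stored in the clear
    print(login("password", record))
    token, digest = issue_reset_token()
    print(redeem_reset_token(token, digest, "correct horse battery staple") is not None)
```

Because the check lives in `login`, a service can answer Louis W's question without reversible storage: it learns that a password is weak only when the user presents it, and can force a change at that point. A "show password" feature is impossible by construction, since `hash_password` discards the plaintext once the digest is computed.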
Alexandra
August 14, 2009 7:38am
When will it be safe to send a campaign and avoid the high bounce rate? I needed to send one out today but I can wait until Monday at the latest; otherwise I need to figure out a different way of sending it. Could anyone say for sure that I will be able to send my campaign Monday, no problem?
Mathew Patterson
August 14, 2009 11:05am
@Alexandra We’ll be updating about this today, but most of the blacklistings are now removed, though some smaller ones remain. We can’t guarantee it, but by Monday most problems should be resolved.
@Louis We can’t give too much detail, and we were not storing them as plain text, but we will be requiring new passwords from later today. Watch the blog for an update.
Sonia S.
August 15, 2009 6:16am
I sent a large mail out yesterday and got a 0.87% bounce rate which is very comparable to our past campaigns of the same size.
So I would say it’s back to normal (it seems).
John
August 17, 2009 2:41pm
I’m impressed by the openness, although it’s totally consistent with CM’s normal corporate behaviour and excellent customer service. The hack is still a big shock and inconvenience; however, CM’s honest handling of the situation has helped a lot.
Benj Ash
August 17, 2009 7:07pm
Really unfortunate that you guys have been targeted this way. I’ve used Campaign Monitor for years now and it’s easily the best service on the market.
Just keep us informed of any changes to operations, and we’ll back you guys all the way.
Lauren
August 17, 2009 7:09pm
Any news on whether you have been blacklisted and whether any blacklistings have been lifted?
Mathew Patterson
August 21, 2009 9:34am
@Lauren - most people are sending their campaigns without any trouble now, as the few blacklistings we did have are gone. There may be smaller individual domains to follow up with still, and we’ll keep looking.