This is horrible news to have to release, but unfortunately Campaign Monitor has been attacked by one or more hackers, and some of your accounts have been compromised. This has been a deliberate, planned and complex intrusion and we are still in the process of handling the hacks and the impact.
Our own team, as well as external security experts, database experts and hosting providers have been working around the clock since we became aware of what was happening. At this stage, we are still investigating exactly what happened and how, but we wanted to let you know everything we know as soon as possible.
On behalf of the whole Campaign Monitor team I want to say we are completely aware of the enormous disaster this is for anyone impacted, and their clients, and we are doing everything in our power to detect and prevent any further intrusions. Yesterday’s outage was related to some security changes we made as part of this process.
The following is the information we’ve been able to gather to this point, and what we are doing about it. If we have detected that your account was specifically accessed, we’ve also contacted you directly via your main account email. For obvious reasons, we can’t reveal too much about the details of how this happened.
When did this occur?
The main attack took place over this weekend, for a few hours on Saturday and Sunday and continuing into this week.
We have up until now been gathering information so that we can contact you with accurate details, and also making sure we were stopping ongoing problems. We did not want to give you incomplete or misleading information. Right now we are still finding out more, but it is important you are all aware of the situation.
How did they get access?
We are still actively working to get full detail on this, but essentially one of our servers was compromised, and that gave the hacker enough access to be able to get into a few customer accounts. We now know more, but don’t want to publish any details as you can understand.
What did they do with that access?
In several cases, the hacker imported their own lists, and managed to send spam to those lists and in some cases the lists already in the account.
We are still investigating the details in this area to determine the exact actions taken in each case. This is a time consuming process unfortunately. We understand you will be worried about your own, and your client’s data, and we are concentrating on that area to find out what was touched. Again, we have directly contacted customers where we definitely know subscriber lists were accessed.
Has this been fixed?
We’re still making further changes, but we have locked down immediately all of our systems to an absolute minimum level of access. We’ve also put in place a variety of extra manual and automated checks so we can detect and prevent further deliberate hacks and spam attempts. In these situations, we can know for sure that we’ve closed specific methods, but not if another attack is coming.
As well as our internal staff we have server and security specialists working with us to detect any other methods that may be used and defend against them. We also have a professional security audit in progress by an independent firm.
What happens from here?
In the short term, we will just be working long hours as we monitor, track and investigate this. As we know more, we will keep you up to date.
Ongoing, we’ll be making whatever security changes are needed to make Campaign Monitor even harder to access, based on what we have learned and the outcome of the security audit and training.
One major issue arising will be temporary blacklistings because of the spam that did get out before we could catch it, and as they pop up our team will be working on getting them lifted.
All the evidence points to this being a highly intense, deliberate and planned attack intended to gain access to Campaign Monitor data and to send spam emails. We are committed to stopping this ever being able to happen again, and again apologize for the major let down.
We have emailed all account owners with this same information and we will continue to let you know any other relevant details.
FAQs from the comments
Have you contacted the people who had their account accessed?
Yes, we have emailed them individually. If we uncover any further accounts, we’ll be contact them too.
Was my password compromised and should I change it?
Unless we have emailed you individually (as above) then we do not believe your password was compromised. However, if you choose you can change your password in your account settings.
Should I still send my large campaign?
We do expect that there will be blacklisting from the spam that got out, and it can take a while for blacklist operators to remove addresses. So if you can hold off on large sends, that will reduce your risk of bounced emails. So far deliverability is fine, but we’d like to give you and your clients fair warning.
What about credit card information?
We do in some cases store credit cards on our servers. However, they are always stored in encrypted form, and the application never displays them in clear text. We have no indication or evidence to date that credit cards even in their encrypted forms were accessed at all.