As the dust settles from last week’s attacks on Campaign Monitor, I wanted to keep you all informed as to what’s been happening on our end these past few days.
Before I get into that though, I wanted to express a genuine, heartfelt thanks to everyone for the phenomenal support we’ve received in the last 6 days. If you’ve been a customer for long, you’ll know we’re all about honesty and transparency. Announcing to the world that we’d been the victim of a deliberate hacking attack wasn’t pleasant news to publish, but nothing could have prepared us for the response that followed.
The countless words of support, encouragement and understanding left as comments on the blog, public and private messages over Twitter and personal emails to many members of our team have been nothing short of amazing. I can tell you that the spirits of the team as we worked harder than ever to resolve this incident were fueled by your kind thoughts. I personally can’t thank you all enough.
With that said, here’s what we’ve learned and what’s been done since we made the terrible discovery last week.
Why were we attacked?
All the evidence we have to date indicates this attack was done by a professional spammer who wanted access to Campaign Monitor’s sending infrastructure to send spam to their own database of subscribers. As you probably know, we have a great sending reputation and relationships with major ISPs, which we’ve built up by following best practice over the last five years.
The attacker was attempting to piggyback on this great reputation by delivering their own spam-related emails from our network of mail servers. As well as sending spam to their own imported lists, the attacker also managed to send a small number of campaigns to the lists of some of our customers before they were identified and shut down.
We have since learned that another popular email provider was targeted by the same spammer, indicating a well-planned and deliberate attempt to leech off the reputation of large email senders. And you thought we hated spammers before!
What we’ve done in response
As soon as we learned the seriousness of the attack, we took a number of decisive steps. Here are some of the more notable things we’ve done:
* Immediately engage an external security firm to assist in identifying the threat and do everything possible to keep the attacker from gaining further access to our software. This involved significant changes across the board to both our software and network configuration.
* Get in touch with any customers that had been directly impacted by the attacker with full disclosure about what we did and didn’t know at that time.
* Contact the police who have started an ongoing investigation into the attacks.
* Undertake a comprehensive security audit of our current infrastructure, which is still ongoing and will wrap up in a few days.
* While we didn’t store any credit card details in our database in plain text, we did store some customer payment details in encrypted form. We have since provided all credit card details in question to Visa, MasterCard and American Express so they can be placed on a watch-list to prevent fraudulent transactions. While early feedback indicates this won’t be an issue, we want to be clear that we’re taking every precaution necessary on your behalf.
Is your account OK to use?
Absolutely. As part of the initial spam sent out by the attacker, we did run into some deliverability issues and landed on a few blacklists. Because of the isolated nature of this incident, we’ve had no problem resolving any of these issues quickly, in most cases immediately. My thanks go out to many of you in the email industry for being so helpful and responsive as we sorted through these issues.
Looking at our load the last few days, it’s been refreshing to see us get back to our usual volumes. While we’ve made a host of security changes across the application and our network, everything is now business as usual. Feel free to import your subscribers, send campaigns and jump into your reports.
While we’ve avoided any additional attacks since the problem was identified, we’ve got lots more updates in the pipeline. Most of these you won’t even notice, but there may be one or two more visible changes which we’ll keep you in the loop about as they come up.
The coming weeks will be completely focused on ensuring an incident like this can’t happen again. Once we’re 100% comfortable (and our security consultants have ticked every box), we’ll get back to the stack of exciting new features and updates we already had planned for Campaign Monitor. Rest assured, A/B testing will arrive soon, and we’ve got some even bigger announcements we’ll be making shortly after that you’re going to love.
I also want to take this opportunity to publicly thank the Campaign Monitor team for their incredible work over the last week. What most people don’t know is that Ben, the other co-founder, and I were away on leave in remote Indonesia when this attack occurred. With no internet or phone access, the team had no way of contacting us about the attacks, and bore the full responsibility of responding to the attacks for the first 3 days until we made it back to civilization. I can’t tell you how proud we are of the way they rallied together to work day and night and do everything in their power to keep your data safe.
The truth is, they couldn’t have done this without the constant support you have given us this past week. Thanks again for sticking with us, we’ll be in touch with more updates soon.