Last week, this site reported that a vendor used by Breach Security was investigating a possible security breach involving contact names and email addresses used for marketing purposes. Now it appears that at least two email marketing vendors have recently reported breaches where the target may have been the database of names and email addresses. A Breach Security spokesperson confirmed that one of the vendors named below was the vendor involved in their customers receiving spam.
AWeber posted a notice on December 21, 2009 that it had been a victim of an “intentional attack to mine email addresses.” According to the company:
We use a variety of pieces of software to run different parts of our service and provide support to customers. Some of these are tools we have developed ourselves; others are third-party ones that we license from other companies.
By exploiting and combining vulnerabilities in two separate third-party software systems, the perpetrators managed to gain access to a part of our system where subscriber email addresses are stored.
We have received reports of some of those email addresses receiving spam messages.
The AWeber company blog suggests that the breach was the work of an individual who was “either directly or indirectly a part of an overseas organized group.”
More recently, iContact also reported a breach of its database with subscriber email addresses. Although they describe their security measures, they do not indicate how the compromise occurred, only that they are continuing to investigate, are reviewing their security, and have contacted the FBI for assistance.
Both breaches reportedly only targeted email databases and both occurred within approximately one month of each other. Are email marketers suddenly being successfully targeted by cybercriminals/spammers or is this a coincidence?
Note: Thanks to Cotse.net for letting its customers know about the AWeber and iContact breaches.