aWeber Compromised?

by PCRoger 133 replies
Today I am getting deluged with spam to addresses that are on aWeber lists, including a couple of email addresses that have ONLY been given to aWeber.

Anyone else seeing this?

Can I guess that aWeber was hacked or an employee decided to make some money on the side selling addresses?

Regards,
PCRoger.
  • Travelingboy (Banned)
    [DELETED]
    • rosetrees
      Maybe the list owners weren't as honest as you'd like?
      • mattlaclear
        Originally Posted by rosetrees:

        Maybe the list owners weren't as honest as you'd like?
        I agree with Rose on this one. aWeber runs a tight ship. But even if they didn't you would still have to end up trusting some other autoresponder service provider with your info.
        • RobJones
          Originally Posted by mattlaclear:

          I agree with Rose on this one. aWeber runs a tight ship.
          BULL SH*T!
          Because of the unique anti-spam system I use I can prove with 100% certainty that Aweber's servers must have been hacked.
          Check my thread here:
          http://www.warriorforum.com/main-int...u-so-much.html


          Originally Posted by mattlaclear:

          But even if they didn't you would still have to end up trusting some other autoresponder service provider with your info.
          This is like saying:
          "My auto mechanic has seriously damaged my car but never mind; after all, if I wouldn't have used this auto mechanic then I would have to use another one."

          Is there any logic in that sentence?
          • Paul Myers
            Rob,
            Because of the unique anti-spam system I use I can prove with 100% certainty that Aweber's servers must have been hacked.
            It's possible they were. It's possible some other vector was involved. At this point, we don't know anything except that some addresses which previously never received spam have started to, and it looks like a compromise of Aweber's systems, personnel, or transit.

            Barring a lot more details about your unique anti-spam system, we don't have anything from you that even looks like proof. And there are things that could happen that could have the same result without their having been hacked.
            This is like saying: "My auto mechanic has seriously damaged my car but never mind; after all, if I wouldn't have used this auto mechanic then I would have to use another one."
            Actually, it's not. It's more like saying, "My car was vandalized while in the parking lot at this mechanic's shop. That could happen at another shop, too."

            There is one possibility that concerns me a lot. If it turns out to be that, you can forget security at any list host, because it would happen outside their area of control.


            Paul
            • RobJones
              Originally Posted by Paul Myers:

              At this point, we don't know anything
              I do know.
              And I know this with 100% certainty.
              Always when I opt in to some list I (automatically) generate a unique email address in the format:
              6iq8hmzjc9@domain.com

              So, the alias of that email is a *completely random* 10 character string consisting of characters and numbers randomly mixed together.
              In other words, there is NO WAY spammers could ever generate those emails by trying different character combinations for that domain.
              That's because the number of possible combination is so huge that it would take the spammers many HUNDREDS OF YEARS to send emails to all possible combinations of emails on just that one domain that I'm using.
              So, it's absolutely impossible anyone could ever "guess" my email addresses.
              And for every opt-in I use a brand new unique email address.

              That's how I can tell where I have used which email address.
              I can trace each and every of those automatically generated email addresses to the website where I've originally entered it into an opt-in form.

              And if I suddenly get a flood of spam emails *exclusively* to those of these unique email addresses that were normally used by the Aweber system and by their system only
              (i.e. marketers who were using Aweber to send follow-up or newsletter emails)
              then there is ONLY ONE possible explanation for this:
              Aweber's database has been hacked!

              You can't tell me that some hacker was just using brute force to get passwords of some Aweber accounts.
              That might happen to *some* accounts, yes.
              But that CANNOT happen to ALL accounts.
              I am on MANY lists and ALL of the corresponding email addresses got compromised.
              There is *no way* ALL of the smart marketers would use weak passwords for their Aweber accounts.
              And besides:
              We already have one user here in this thread (Shaun OReilly) who is using an automatically generated random 12-character password for his Aweber account.
              There is absolutely no way to hack such a password by using a brute force attack.
              That would take many THOUSANDS of years.

              Conclusion:
              There is only ONE way how this could happen.
              The ONLY way this could happen is if someone would get the emails directly from Aweber's database.
              That's it.
              Anything else is *technically impossible*.
            • gpower2
              Just another thing to worry about.

              So far, so good, I haven't had any issues yet.
              • Paul Myers
                LB,
                Additionally, aweber asserts that no personal data like addresses or credit card numbers were taken but then goes on to say that they're not sure how many email addresses were affected? How can they know one without the other?
                There are a number of ways they could know that.

                First, consider the encryption issue itself. Decryption on the fly takes CPU cycles. I don't know what the multiplier is, but it's likely a lot more than simply reading the addresses and sending the mail. Encrypting those addresses would add significantly, I would think, to the iron needed to deliver the service. Which means higher costs.

                Decrypting the credit card numbers once a month to handle billing is a much lighter process. If we assume you're sending only one email per week, and the average list has 1000 addresses on it, it's 1/4000th the CPU usage.

                I'd wager real American cash money those CC numbers are stored encrypted. And probably not even in the same database(s).

                As far as how they can know it's only email addresses, but not be sure how many or which ones, that's not hard to imagine. The process of hunting down an exploit like this will usually show you what they got, or at least what they could have gotten, access to.

                If it were a database exploit, the question becomes: how fast is the dump, how many db's are involved, how long did they have access, and what's the actual transfer rate?

                If it were a log file grab or external problem like a router exploit, it would be a matter of figuring out which lists were mailed over the period they had access. Without knowing exactly how long that was, there's no way to assess it with any precision.

                It's a function of time.

                robognome,
                This would also explain why my getresponse and infusionsoft email aliases were also obtained by the spammers.
                So far, you're the only one I've seen claim this. A single instance can be explained too many ways to assume it's another major hack.

                If it turns out they did also get into Infusionsoft and GetResponse, we'll know soon enough.


                Paul
                • robognome
                  Originally Posted by Paul Myers:

                  robognome, So far, you're the only one I've seen claim this. A single instance can be explained too many ways to assume it's another major hack.
                  It could be coincidence, but one helluva one since the spam was identical to what I had received through my aweber aliases, and they started on the same day. And it certainly wasn't just a brute force "name dictionary" attack against my domains - I checked for that.

                  It also would be hard to detect for 99% of the subscribers since normal people don't get all anal retentive about email aliases and subscriptions like I do, so they would just see more of the same spam.

                  But there may be some wrinkle that I haven't thought of, or he just managed to randomly pull the email addresses from thin air.

                  If that is the case then I suppose I could draw some satisfaction in knowing that if this particular spammer had invested his luck and a couple of bucks in lottery tickets instead of spamming me, he would likely be a multimillionaire now instead of lying low and hoping he didn't leave too many "fingerprints" behind.

                  I know, that is a fairly weak source of satisfaction, but it'll do in a pinch.
  • Johnathan
    If you believe this is the case -- use a separate e-mail for signing up to lists, something like "aweber_yourname@wherever.com"
  • Shaun OReilly
    Originally Posted by PCRoger:

    Today I am getting deluged with spam to addresses that are on aWeber lists, including a couple of email addresses that have ONLY been given to aWeber.

    Anyone else seeing this?

    Can I guess that aWeber was hacked or an employee decided to make some money on the side selling addresses?

    Regards,
    PCRoger.
    I've been having EXACTLY the same issue.

    I have some test e-mail addresses that I ONLY use within AWeber
    and just today I've started receiving lots of spam to them.

    These are e-mail addresses across multiple domains including my
    own and others such as GMail, etc.

    These e-mails are only housed within AWeber so I know that
    the problem is somewhere within their systems.

    I contacted support and they've passed it on to an administrator
    and of course they've suggested it's my computer but my systems
    are robust.

    Sadly, it seems that I'm not the only one.

    Dedicated to your success,

    *Shaun O'Reilly
    • psresearch
      Originally Posted by Shaun OReilly:

      I've been having EXACTLY the same issue.

      I have some test e-mail addresses that I ONLY use within AWeber
      and just today I've started receiving lots of spam to them.

      These are e-mail addresses across multiple domains including my
      own and others such as GMail, etc.

      These e-mails are only housed within AWeber so I know that
      the problem is somewhere within their systems.

      I contacted support and they've passed it on to an administrator
      and of course they've suggested it's my computer but my systems
      are robust.

      Sadly, it seems that I'm not the only one.

      Dedicated to your success,

      *Shaun O'Reilly
      Sounds like good ol' aweber "support". Awesome service, but I've never been impressed with support.
  • KristiDaniels
    Looks the same to me. I'm glad I don't use Aweber anymore.

    The staff is awesome. But their deliverability and their options always left a lot to be desired.

    Now if they have been hacked, their deliverability will be almost nil. Merry Christmas to all Warriors still stuck on Aweber!
  • KarlWarren
    Experiment...

    Set up a brand new email address and give it to NOBODY... I guarantee you get spam.
    Without a doubt. Especially if it is @gmail, @yahoo or @yoursite.com

    Why automatically point blame?
    • Shaun OReilly
      Originally Posted by KarlWarren:

      Experiment...

      Set up a brand new email address and give it to NOBODY... I guarantee you get spam.
      Without a doubt. Especially if it is @gmail, @yahoo or @yoursite.com

      Why automatically point blame?
      This isn't about blaming AWeber or anyone else.

      These are e-mail address that are ONLY housed within my
      AWeber account and not used anywhere else. They've been
      spamless for over a year
      and then suddenly today they're
      getting spam.

      I backtracked from all of the e-mail addresses and found the
      one common thing: they're all housed within AWeber.

      If it were just me, I'd think again. But others are reporting
      the same thing as happening today for them too.

      The common link? AWeber.

      That's not blame. It's deduction.

      I could be wrong but I don't think so.

      More importantly, I'm concerned for the e-mail addresses
      of my valued subscribers and customers too as I've entrusted
      them with AWeber for years.

      Dedicated to your success,

      *Shaun O'Reilly
      • KarlWarren
        Originally Posted by Shaun OReilly:

        These are e-mail address that are ONLY housed within my AWeber account and not used anywhere else. They've been spamless for over a year and then suddenly today they're getting spam.
        Thanks for the clarification - under the same circumstances, I would come to the same conclusion. I do hope Aweber hasn't been compromised - whether from within, or an outside source.
    • Trader54
      Originally Posted by KarlWarren:

      Experiment...

      Set up a brand new email address and give it to NOBODY... I guarantee you get spam.
      Without a doubt. Especially if it is @gmail, @yahoo or @yoursite.com

      Why automatically point blame?
      I have had the same experience; add hotmail to that list too. I opened a hotmail account
      and within a week was receiving spam and had not given out the address or used it in any way.
      • Dan C. Rinnert
        I have an eMail address I have so far used only with Aweber and it is still spam-free.

        How hard are the eMail addresses to guess? If you're using something such as nameATdomain.dom or wordATdomain.dom, a dictionary attack may be able to reach those addresses.

        I have had eMail addresses that are used only internally (meaning they are not posted on any websites and are not used to send eMail) that have gotten hit by spam in the past.
    • PCRoger
      Originally Posted by KarlWarren:

      Experiment...

      Set up a brand new email address and give it to NOBODY... I guarantee you get spam.
      Without a doubt. Especially if it is @gmail, @yahoo or @yoursite.com

      Why automatically point blame?
      This is not automatic blame. This just started today. Every address was created solely for a list signup. One address was given ONLY to aweber for my account there.

      20 or so addresses, all starting today, coincidence? I don't think so.

      If you create a brand new email address on a domain you own, you will NOT automatically start receiving spam.

      Roger.
    • johnng
      Originally Posted by KarlWarren:

      Experiment...

      Set up a brand new email address and give it to NOBODY... I guarantee you get spam.
      Without a doubt. Especially if it is @gmail, @yahoo or @yoursite.com

      Why automatically point blame?
      Hi KarlWarren,
      I don't have an answer, but I do not agree with your statement. I have several Gmail accounts which I do give out, except one that I hold in reserve. I have not received a single e-mail to that address except the one I sent to it myself. I have had that account for over 1 year and it has not been compromised yet. So your statement about Gmail accounts is not 100% accurate.
  • 52.ct
    Originally Posted by PCRoger:

    Today I am getting deluged with spam to addresses that are on aWeber lists, including a couple of email addresses that have ONLY been given to aWeber.

    Anyone else seeing this?

    Can I guess that aWeber was hacked or an employee decided to make some money on the side selling addresses?

    Regards,
    PCRoger.
    I too have been getting spammed to death with porn and pharma e-mail. I already use separate e-mails for everything. Some of those e-mail addresses were used with Aweber.
  • KirkMcD
    I'm having the same problem. Emails I've used to test my autoresponders are getting a lot of spam today. They are totally made up, unique, and posted nowhere, so they weren't guessed.
    • oliverwinston
      I just fired off an email to Aweber to see why this is happening.

      Should be interesting to see what they say.
      • PCRoger
        Originally Posted by oliverwinston:

        I just fired off an email to Aweber to see why this is happening.

        Should be interesting to see what they say.
        They responded to me asking for copies of the emails with headers. I just now sent them a few.

        Roger.
        • 52.ct
          Originally Posted by PCRoger:

          They responded to me asking for copies of the emails with headers. I just now sent them a few.

          Roger.
          Will you relay Aweber's response on this thread?
  • AceOfShirts
    Yeah, same thing happened to me today.

    It's kind of a relief that it is happening to other people also. I set up a lot of email forwarders in my cpanel. I was thinking somebody hacked my cpanel and got all of the email account names and email forwarding names, and probably did more damage I hadn't found yet.

    I vote for aweber,

    Dennis Graves
    • Shaun OReilly
      Originally Posted by dnsg:

      I was thinking somebody hacked my cpanel and got all of the email account names and email forwarding names, and probably did more damage I hadn't found yet.
      Initially I thought the same too as a lot of the spam is going to
      forwarding e-mail addresses within my cpanel.

      But...

      The spam is also going to e-mail addresses within GMail etc, -
      where none existed before today. And they're unique e-mail
      addresses too by using the '+' sign to identify the source.

      E.g. name+uniquesource@googlemail.com

      Zero spam for a year, and now flooded today.

      All housed within AWeber only.

      Dedicated to your success,

      *Shaun O'Reilly
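The per-opt-in address scheme that Shaun (a '+' tag on a Gmail address) and RobJones earlier in the thread (a random 10-character local part on his own domain) describe can be turned into a small attribution tool. This is an added example, not code from the thread or from AWeber; the ledger entries, source labels and spam recipient list are constructed.

```python
"""Per-opt-in tagged addresses and leak attribution.

Added example (not code from the thread or from AWeber). Every signup gets
its own address, so spam arriving at an alias can be traced back to the
one place that address was ever handed out. All data here is constructed.
"""
import secrets
import string
from collections import Counter

# 36-symbol alphabet: the local part "6iq8hmzjc9" from the thread has this shape
ALPHABET = string.ascii_lowercase + string.digits


def random_alias(domain, length=10):
    """Random local part on a domain you control, e.g. 6iq8hmzjc9@domain.com."""
    local = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return f"{local}@{domain}"


def plus_alias(mailbox, source):
    """Gmail-style sub-addressing: name+source@googlemail.com."""
    local, domain = mailbox.split("@", 1)
    tag = "".join(c for c in source.lower() if c.isalnum())
    return f"{local}+{tag}@{domain}"


def years_to_enumerate(length=10, alphabet_size=36, sends_per_second=1_000_000):
    """How long a sender would need to mail every possible alias of this shape.

    This is the 'hundreds of years' figure from the thread: 36**10 addresses
    at a million messages per second is roughly 116 years.
    """
    seconds = alphabet_size ** length / sends_per_second
    return seconds / (365.25 * 86400)


class OptInLedger:
    """Records which service each tagged address was given to."""

    def __init__(self):
        self.by_address = {}

    def register(self, address, source):
        self.by_address[address.lower()] = source

    def attribute(self, recipients):
        """Map spam recipients back to their sources.

        Returns (Counter of source -> hits, list of addresses never registered).
        Unknown addresses are the interesting ones: they were either guessed
        or leaked from somewhere the ledger does not cover.
        """
        hits, unknown = Counter(), []
        for rcpt in recipients:
            source = self.by_address.get(rcpt.lower())
            if source is None:
                unknown.append(rcpt)
            else:
                hits[source] += 1
        return hits, unknown


def common_provider(hits):
    """Collapse 'provider:list' sources to the provider: the 'common link' test."""
    providers = Counter()
    for source, n in hits.items():
        providers[source.split(":", 1)[0]] += n
    return providers


def demo():
    """Constructed scenario: four opt-ins, then a burst of spam to three aliases."""
    ledger = OptInLedger()
    for address, source in {
        "6iq8hmzjc9@domain.com": "aweber:list-A",
        "k2p0qwe7ab@domain.com": "aweber:list-B",
        plus_alias("name@googlemail.com", "twitter"): "twitter",
        plus_alias("name@googlemail.com", "getresponse"): "getresponse:list-C",
    }.items():
        ledger.register(address, source)
    # Constructed recipient list, e.g. taken from the Delivered-To headers of a day's spam
    spam_recipients = [
        "6iq8hmzjc9@domain.com",
        "K2P0QWE7AB@domain.com",  # case differs; mailboxes are case-insensitive
        "6iq8hmzjc9@domain.com",
        "zzz@domain.com",         # never registered: a guess, or a leak elsewhere
    ]
    return ledger.attribute(spam_recipients)


if __name__ == "__main__":
    hits, unknown = demo()
    print("hits by source:", dict(hits))
    print("hits by provider:", dict(common_provider(hits)))
    print("unknown recipients:", unknown)
```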
      • kmckillop
        Originally Posted by Shaun OReilly:

        Initially I thought the same too as a lot of the spam is going to
        forwarding e-mail addresses within my cpanel.

        But...

        The spam is also going to e-mail addresses within GMail etc, -
        where none existed before today. And they're unique e-mail
        addresses too by using the '+' sign to identify the source.

        Zero spam for a year, and now flooded today.

        All housed within AWeber only.

        Dedicated to your success,

        *Shaun O'Reilly
        What do you mean housed in AWeber only? Those addresses are on a list, and someone (another human) owns that list.
        • craigc1980
          Here's what I think happened.

          Aweber was not a victim of a brute force attack,

          but was a victim of a new script that some hacker/cracker put on a non-domained website.

          Otherwise known as a private secured server, most likely in another country.

          The fact that everyone plus myself is getting these emails is due to someone getting root access to the aweber site.

          What I'm really shocked about is that the hacker/cracker didn't even shut the site down and display that the site got owned.

          Very fishy..

          Most hackers/crackers are proud of their work and usually there would have been some type of sign that aweber got owned.

          Hackers like to show off their work.

          The only other conclusion is that it was an inside job and maybe someone that works for aweber possibly quit or got fired and is now selling these leads.

          Considering these pharmacy emails are not coming from a remote server but being redirected from direct desktop software indicates they don't want to get caught.

          The IP addresses are spoofed and even some of the other ones I have found are bouncing off over 100 different servers, so on that note whoever did this is using it mainly to make money or leading up to infecting people with some type of trojan.

          So please be careful when opening them.

          You don't even have to open them; all you have to do is click on the subject line and it can infect your computer remotely with spyware popups and other types of malware.

          I will investigate this some more and keep you updated on anything else I can find out.

          Has anyone contacted aweber about this?

          They still haven't got back to me.

          When I called them they knew nothing about this.

          Craig
  • Chris Simpson
    Exactly the same happened to me today. I always use thesitedomain at mydomain.com when I give an email address to anyone and it was those addresses that got spammed. Like others have said in this thread, the only one thing those email addresses all had in common were that they were subscribed to aweber lists.

    It's also not just limited to my domain. I also have some gmail addresses that I've mainly used for testing my own lists and those got spammed as well.
  • PCRoger
    Sure will.

    Roger.
    • ExRat
      Hi,

      I read this thread yesterday. Then this morning, I got deluged with spam on email addresses that I created specifically for use only with twitter and have only used to create accounts with twitter - although the twitter accounts are not actually active (i.e. I haven't tweeted).

      Twitter - which was allegedly hacked by Iranians, or someone pretending to be Iranian, the other day.

      Anyone else?
      • Paul Myers
        Hmmm...

        Brute-force password hacking? Using weak passwords can create this problem.

        Were the spams sent via Aweber, or to tagged addresses, but through other systems?


        Paul
        • Shaun OReilly
          Originally Posted by Paul Myers:

          Hmmm...

          Brute-force password hacking? Using weak passwords can create this problem.

          Were the spams sent via Aweber, or to tagged addresses, but through other systems?


          Paul
          I use 12 character long passwords generated by RoboForm
          that include special characters as well as letters and digits
          so they're robust.

          In my case, the spams were not sent via AWeber but instead
          were sent to e-mail addresses that have been totally spam
          free for over a year and were only housed within my AWeber
          account. I didn't get this spam to any of my other e-mail
          addresses that I use outside of AWeber.

          Dedicated to your success,

          *Shaun O'Reilly

          P.S. Here's the full header for an example spam message I've
          received. I've taken out my unique test e-mail address and
          replaced it with name@domain.com too:

          Delivered-To: name@domain.com
          Received: by 10.86.92.11 with SMTP id p11cs101890fgb; Fri, 18 Dec 2009 10:24:15 -0800 (PST)
          Received: by 10.213.103.83 with SMTP id j19mr2048776ebo.30.1261160654637; Fri, 18 Dec 2009 10:24:14 -0800 (PST)
          Return-Path: <offer@touchshall.com>
          Received: from NTemporal ([190.254.16.129])
              by mx.google.com with SMTP id 5si5567996eyh.24.2009.12.18.10.24.13; Fri, 18 Dec 2009 10:24:14 -0800 (PST)
          Received-SPF: neutral (google.com: 190.254.16.129 is neither permitted nor denied by domain of offer@touchshall.com) client-ip=190.254.16.129;
          Authentication-Results: mx.google.com; spf=neutral (google.com: 190.254.16.129 is neither permitted nor denied by domain of offer@touchshall.com) smtp.mail=offer@touchshall.com
          Received: (qmail 20173 by uid 300); Fri, 18 Dec 2009 13:29:01 -0500
          Message-Id: <20091218062901.20175.qmail@NTemporal>
          From: <offer@touchshall.com>
          To: <name@domain.com>
          Subject: Pharmacy Offer pack !!!
          Date: Fri, 18 Dec 2009 13:29:01 -0500
          Message-Id: 34b201ca800f$4900a8c0@NTemporal
          MIME-Version: 1.0
          Content-Type: text/html; charset="iso-8859-1"
          Content-Transfer-Encoding: 7bit

          <a href="http://24262135.touchshall.com/index2.html"><img src="http://30482495.touchshall.com/support.jpg?name=name@domain.com"></img></a>
          Spam subject lines specific to this include: Pharmacy Offer pack !!! , Amway Best Sex !!!! ,
          Best Drug Store !!! , nice love pill best sex !!! , Holidays Specials - Price #Pharmacy !!!

          From the following e-mail addresses: offer@touchshall.com, support@pageocean.com,
          durg@yulerepeat.com, boss2@serverbestid74s5.com

          P.P.S. Here's the reply I got from AWeber support:

          AWeber takes our security measures very strongly and employs tested technologies and
          measures to make sure that our system is not compromised. After receiving your email
          our team went through an exhaustive list of checks just to make sure that there are no
          indications that connect this spam message you received to an issue with AWeber. All
          of our tests have come back secure with no reports of intrusion or compromise.

          Also note that after looking at the spam message in question we see that members of our
          teams have also received this same message to their personal addresses that have never
          been used in conjunction with AWeber.

          We'll continue to monitor our system. And of course if you have any further questions,
          please feel free to let me know.
          The words 'sand' and 'bury' immediately spring to mind.
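Headers like the ones Shaun posted are what AWeber asked PCRoger for, and they are the first thing an abuse desk reads. As an added example (not code from the thread or from AWeber), the script below reuses the header values from that post, with the recipient already masked as name@domain.com, and extracts the IP that connected to the receiving MX, the SPF verdict, and the body URL that echoes the recipient address (a read receipt for the spammer if remote images are loaded).

```python
"""Reading the headers of a spam sample like the one posted above.

Added example (not code from the thread or from AWeber). RAW reuses the
header values from Shaun's post, recipient masked as name@domain.com.
"""
import re
from email.parser import BytesParser
from urllib.parse import parse_qs, urlparse

RAW = b"""Delivered-To: name@domain.com
Received: by 10.86.92.11 with SMTP id p11cs101890fgb; Fri, 18 Dec 2009 10:24:15 -0800 (PST)
Received: by 10.213.103.83 with SMTP id j19mr2048776ebo.30.1261160654637; Fri, 18 Dec 2009 10:24:14 -0800 (PST)
Return-Path: <offer@touchshall.com>
Received: from NTemporal ([190.254.16.129])
        by mx.google.com with SMTP id 5si5567996eyh.24.2009.12.18.10.24.13; Fri, 18 Dec 2009 10:24:14 -0800 (PST)
Received-SPF: neutral (google.com: 190.254.16.129 is neither permitted nor denied by domain of offer@touchshall.com) client-ip=190.254.16.129;
Authentication-Results: mx.google.com; spf=neutral (google.com: 190.254.16.129 is neither permitted nor denied by domain of offer@touchshall.com) smtp.mail=offer@touchshall.com
Received: (qmail 20173 by uid 300); Fri, 18 Dec 2009 13:29:01 -0500
Message-Id: <20091218062901.20175.qmail@NTemporal>
From: <offer@touchshall.com>
To: <name@domain.com>
Subject: Pharmacy Offer pack !!!
Date: Fri, 18 Dec 2009 13:29:01 -0500
Message-Id: 34b201ca800f$4900a8c0@NTemporal
MIME-Version: 1.0
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

<a href="http://24262135.touchshall.com/index2.html"><img src="http://30482495.touchshall.com/support.jpg?name=name@domain.com"></img></a>
"""

# 'from <name> ([ip]) by <host>': the hop where a receiving MX took the message from outside
HOP_RE = re.compile(r"from\s+(\S+)\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)\s+by\s+(\S+)")


def parse(raw=RAW):
    return BytesParser().parsebytes(raw)


def received_chain(msg):
    """Received headers oldest first (each relay prepends its own, so reverse)."""
    return [" ".join(v.split()) for v in reversed(msg.get_all("Received", []))]


def first_external_hop(msg):
    """(claimed HELO name, connecting IP, receiving host) for the earliest hop
    that names a client IP. Hops before it were written by the sender and can
    be forged; this one was written by the recipient's own MX."""
    for hop in received_chain(msg):
        m = HOP_RE.search(hop)
        if m:
            return m.group(1), m.group(2), m.group(3)
    return None


def spf_result(msg):
    """SPF verdict the receiving MX recorded in Authentication-Results."""
    m = re.search(r"spf=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1) if m else None


def tracking_urls(msg):
    """URLs in the HTML body whose query string echoes the recipient address."""
    charset = msg.get_content_charset() or "ascii"
    body = msg.get_payload(decode=True).decode(charset, "replace")
    rcpt = (msg.get("Delivered-To") or msg.get("To") or "").strip("<> ")
    hits = []
    for url in re.findall(r'(?:href|src)="([^"]+)"', body):
        values = [v for vals in parse_qs(urlparse(url).query).values() for v in vals]
        if rcpt and any(rcpt in v for v in values):
            hits.append(url)
    return hits


def summary(raw=RAW):
    """The handful of facts worth forwarding to a provider's abuse desk."""
    msg = parse(raw)
    helo, ip, mx = first_external_hop(msg) or (None, None, None)
    return {
        "envelope_from": msg.get("Return-Path", "").strip("<> "),
        "claimed_helo": helo,
        "client_ip": ip,
        "received_by": mx,
        "spf": spf_result(msg),
        "hops": len(received_chain(msg)),
        "tracking_urls": tracking_urls(msg),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```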
          • Paul Myers
            Shaun,

            Not YOUR password. The password of the Aweber account you subscribed to. If a spammer guessed/hacked/brute-forced that, they'd have those addresses.

            Yes, it could possibly be a security issue. It could also be as simple as a few account holders with lame passwords.


            Paul
            • Shaun OReilly
              Originally Posted by Paul Myers:

              Shaun,

              Not YOUR password. The password of the Aweber account you subscribed to. If a spammer guessed/hacked/brute-forced that, they'd have those addresses.

              Yes, it could possibly be a security issue. It could also be as simple as a few account holders with lame passwords.


              Paul
              Hi Paul,

              These are unique test e-mail addresses that I only use within my
              own AWeber account that has the ultra secure password. I use
              them for testing my own web forms and sales processes etc.

              Some are forwarders created within my own cpanel and other
              test e-mail addresses are created on the fly with GMail, etc.
              And my cpanel and GMail passwords are robust too.

              They are not used anywhere else except within my own AWeber
              account with the robust password. That's the worrying part.

              Dedicated to your success,

              *Shaun O'Reilly
              • Profile picture of the author Paul Myers
                Shaun,

                I promise... I understand the concept of a tagged address. I think we may be talking across each other.

                Yes, it's possible there's a security leak at Aweber. I find that very unlikely, though, compared to the chance of account passwords being guessed because they're too simple. By that, I don't mean the passwords of the recipients. All you need to send mail to someone is the right address.

                Picture: You subscribe to a list at account abcmmf [@] aweber [.] com, using a unique email address. If someone manages to get the username and password for that account, they can get access to every email address on any lists in that account. They don't need your password to mail them.

                That's only one way this could happen, though. There are other potential vectors for this kind of attack, including hijacking the subscription forms, bot-infected systems, a server hack that reads /etc/aliases, and probably a bunch more.

                Mind you, I am neither assuming nor ruling out anything. Just looking at various possibilities.


                Paul
                • Profile picture of the author Paul Myers
                  (Note to self: Don't discuss technical issues when half asleep.)

                  My apologies, Shaun. I see the miscommunication, and it's my fault. I have similar internal-use addresses on several of my lists. It seems unlikely that a simple brute-force hack would get those.

                  All the other possible explanations are still in play, but my first (and most likely) idea is ... less likely than I thought ... given solid passwords.


                  Paul

                  PS: No spam to any of my control addresses, yet. So, it's not universal.
                • Profile picture of the author Shaun OReilly
                  Originally Posted by Paul Myers View Post

                  Shaun,

                  I promise... I understand the concept of a tagged address. I think we may be talking across each other.

                  Yes, it's possible there's a security leak at Aweber. I find that very unlikely, though, compared to the chance of account passwords being guessed because they're too simple. By that, I don't mean the passwords of the recipients. All you need to send mail to someone is the right address.

                  Picture: You subscribe to a list at account abcmmf [@] aweber [.] com, using a unique email address. If someone manages to get the username and password for that account, they can get access to every email address on any lists in that account. They don't need your password to mail them.

                  That's only one way this could happen, though. There are other potential vectors for this kind of attack, including hijacking the subscription forms, bot-infected systems, a server hack that reads /etc/aliases, and probably a bunch more.

                  Mind you, I am neither assuming nor ruling out anything. Just looking at various possibilities.


                  Paul
                  Update: I was posting the reply below and saw your latest post.

                  As a former engineer, I have a supra-logical way of rooting
                  out problems, finding causes as well as looking for solutions.
                  I'm not always right and am open to being wrong.

                  Here was my thinking process on this, and do let me know if
                  you find any flaws in the approach or conclusions...

                  I have some e-mail addresses that have been spam-free for
                  over a year. Suddenly, yesterday, many of them begin to
                  receive spam.

                  Hmm... I wonder... what could be the cause of that?

                  Has my computer been compromised? Has something got
                  access to my cookies? Has my cpanel been hacked? Has
                  my GMail been hacked? etc.

                  I write down all of the e-mail addresses that have just started
                  receiving spam and look for commonalities.

                  Because there are a number of unique e-mail addresses in
                  there I take a closer look. Suddenly it dawns on me. Many
                  of these are e-mails I've used to test my own web forms
                  only.

                  Could my AWeber or Infusionsoft accounts have been hacked?
                  Could my cpanel or GMail accounts have been hacked?

                  They all have robust 12-character passwords via RoboForm.

                  None of my unique e-mail addresses within Infusionsoft are
                  receiving spam - so I rule them out.

                  The only unique e-mails that are receiving spam are housed
                  within my own AWeber account and are used nowhere else.
                  I haven't given out these unique e-mails to anyone else -
                  including other AWeber users. They're only used to test my
                  own web forms within my AWeber account.

                  Has my AWeber account been hacked? It's got a 12-character
                  long password that's robust.

                  Maybe my computer has been compromised?

                  Then I pop on the Warrior Forum and sure enough, some other
                  AWeber users have just experienced the same thing (yesterday).

                  That may rule out my computer.

                  My AWeber password is robust - that rules out my account
                  being hacked via my robust password - I hope.

                  Q.E.D. Somehow, somewhere, someone has accessed my e-mail
                  data within AWeber so they then go on and send out spam via
                  their own methods.

                  Like I say, I could be wrong and am open to that. If anyone has
                  other possibilities, I'm all ears.

                  The most important thing is identifying the right cause of the
                  problem. Only then we can look at solving it.

                  Dedicated to your success,

                  *Shaun O'Reilly
                  • Profile picture of the author Paul Myers
                    Shaun,

                    Assuming all your data is accurate and complete, that leaves Aweber's servers, or an Aweber-specific attack through your own servers, as the vectors I see.

                    I'm not prepared to rule anything out or to assume anything as the cause. Especially given the amount of technology that could be involved, and the various potential personal issues that could be acting as motivators.


                    Paul
                    • Profile picture of the author Shaun OReilly
                      Originally Posted by Paul Myers View Post

                      Shaun,

                      Assuming all your data is accurate and complete, that leaves Aweber's servers, or an Aweber-specific attack through your own servers, as the vectors I see.

                      I'm not prepared to rule anything out or to assume anything as the cause. Especially given the amount of technology that could be involved, and the various potential personal issues that could be acting as motivators.


                      Paul
                      Hi Paul,

                      Some of the unique e-mail addresses I used for the
                      web forms are with GMail etc so I guess that rules
                      out my own servers.

                      For example, I often test a web form with on-the-fly
                      GMail addresses by using the '+' sign, as in:
                      name+formname@googlemail.com

                      These haven't been used anywhere else, and are
                      only housed on AWeber and GMail servers and not
                      my own.

                      Let me also make it clear I've got no axe to grind with
                      AWeber and have found them a thoroughly decent
                      company who provide an excellent autoresponder and
                      typically great customer service.

                      If the source of the problem is identified conclusively,
                      and that's yet to be done, only then can the right
                      corrective action be taken.

                      Dedicated to your success,

                      *Shaun O'Reilly
                      • Profile picture of the author Paul Myers
                        Shaun,

                        The Gmail issue is indicative, but not conclusive. See the latter part of my last post for my thinking on that. And, given that I have similar control addresses that haven't ever received any spam at all, there's some variable that hasn't yet been considered.

                        Given your past comments here about Aweber, I hadn't assumed any ill intent on your part, I assure you. No need to explain or justify an honest look for the truth, sir.


                        Paul
                  • Profile picture of the author 7_8_shortcuts
                    Originally Posted by Shaun OReilly View Post

                    ...Could my AWeber or Infusionsoft accounts have been hacked?
                    Could my cpanel or GMail accounts have been hacked?
                    Hey Shaun,

                    What do you think about Infusionsoft? Do you suspect anything coming from their end also, or do you think it could be AWeber for now? It's because I am thinking of using their service.

                    What is your general experience with them? Are you a happy customer?

                    Thanks
                    [Instant WSO Formatter] WARRIORS: Launch your WSO like a pro! Instant WSO formatting from within Wordpress...??

                    [WP Sales Engine] - Point-and-Click Sales Letters, CPA-, Squeeze-, OTO-, Landing Pages Creator...
                    • Profile picture of the author Shaun OReilly
                      Originally Posted by 7_8_shortcuts View Post

                      Hey Shaun,

                      What do you think about Infusionsoft? Do you suspect anything coming from their end also, or do you think it could be AWeber for now? It's because I am thinking of using their service.

                      What is your general experience with them? Are you a happy customer?

                      Thanks
                      Hi Metodi,

                      I've moved all of my lists over to Infusionsoft for a large list of
                      reasons - well before this incident with AWeber occurred.

                      I'm 100% certain that none of this spam has originated via my
                      Infusionsoft account. How? Because I have unique addresses
                      within my lists in their database and none of them are receiving
                      any of this spam.

                      One of the reasons I was able to deduce that the problem lay
                      somewhere in AWeber's path was because my aweber@domain.com
                      e-mail address was getting spam - along with other e-mail
                      addresses only housed within AWeber.

                      That's not to say that this could not happen to Infusionsoft or
                      any other provider in future. As Doug says, they're all targets
                      and have to have systems in place to defend against a similar
                      attack.

                      I don't want to hijack this thread with a discussion about the
                      advantages and disadvantages of Infusionsoft. I may start
                      a different thread on that sometime as I've had others ask me
                      similar questions too.

                      I'm a happy Infusionsoft customer and would also like to thank
                      and recognize AWeber for the great service they've provided me
                      in all of my dealings with them.

                      If you have any urgent questions, then just PM me OK?

                      Dedicated to your success,

                      *Shaun O'Reilly
                      • Profile picture of the author Paul Myers
                        Shaun,

                        Only subscriber addresses were compromised. I'm a bit confused as to why you'd subscribe support@example.com and paypal@example.com to lists? If they weren't subscribed to lists at Aweber, the compromise originated from another source.

                        (Note: When using example addresses, it's best to use example.com, which is intended for that purpose, rather than another domain. Domain.com, for example, is owned by Dotster, and will receive delivery attempts for addresses scraped from such postings.)

                        I'm also surprised that you'd use such obvious usernames, since they're common targets for dictionary attacks. Those, webmaster@, info@, subscriptions@, payments@, orders@, private@, and personal@ are among the first attempted deliveries in many such attacks.

                        As far as empathy, that's a personal and highly subjective call. I wouldn't argue your interpretation of the posted response in that regard. I can tell you, though, that no-one understands the issue more than Tom Kulzer. I've known Tom since before he started Aweber, and this is something he's always been very clear on and very careful of.

                        Suggesting solutions for the general market gets tricky. Yours are useful for folks who know how to assess their needs, certainly, and this crowd is more likely to fall into that group than most.

                        I can tell you that even on my list, which tends to be more savvy and spam-conscious than most, the overwhelming majority of people use their main ISP address or a Yahoo/Hotmail/Gmail address. Any of these will have spam filtering systems in front of them, and they're already getting some amount of spam at those addresses. It's unlikely they'll see much of the spam, if any, so almost any suggested change will be worse than the existing situation.

                        Note that I'm not saying this isn't a problem. Simply that many (most?) people will never be affected by it.

                        For many others, this will be the lesson we all get at some point: Either send everything to one place and develop systems for it, or learn to compartmentalize effectively.

                        The proper response really depends on the market. That's up to each list operator to figure out.

                        Also, it should be remembered that it's appropriate for Aweber to contact publishers, as customers, but it is not appropriate for them to contact every subscriber of every list belonging to their customers. (It may not even be legal.) That, like the recommendation of options, is the responsibility of the publishers.
                        I'm sure that they'll be hyper-paranoid from here and will have multiple systems in place to make sure that the locks are never off their doors again.
                        This sort of phrasing suggests something other than what actually happened. This wasn't a matter of lax security or carelessness.

                        If you want the kind of picture of their security that you can get from simple observation, consider the value of those lists, and the fact that this is the first such breach in 11 years. Do you think they don't block multiple attacks of various kinds every single day?

                        I doubt that interpretation was your intent, but a lot of people could read it as a suggestion of carelessness.

                        Michael,
                        Each and every person who uses Aweber to manage their list theoretically COULD be sued for breaching the stated privacy policy and anti-spam language of their list by each person who has received spam after agreeing to sign on based upon those disclosures.

                        I have language that states how I hate spam, and their email is safe with me. Etc...
                        In the sense that anyone can be sued for anything at any time, sure. Some of the theoretical suits would be immediately dismissed upon showing of the language involved in the sign-up pages.

                        If you state that you will never trade, rent, sell or otherwise give out subscriber addresses, there's a question of intent. That's mildly iffy, but most likely to work in defense.

                        My privacy policy, hokey-looking as the page itself is, states that I'm not responsible for the actions of third-party services, and explicitly uses autoresponder systems as the example.

                        Anyone who claims, "Your address is 100% safe with us," is either inexperienced, naive or careless. No data that's stored on a functioning hard drive is ever 100% safe.

                        Aside from hacking and cracking, there's the issue of physical security. Shoulder-surfing, employee and contractor access, poor disposal practices and outright theft.

                        Then there are user-enabled security issues. Viruses and trojans, keyloggers, easy-to-guess usernames and weak passwords come to mind immediately.

                        And there are "man in the middle" attacks. Hijacked forms are the most obvious. Router exploits are the scariest, given the difficulty in nailing them down and getting them fixed. Those can happen completely outside the control of the target entities.

                        Quick story: I was once on an email discussion list for which the list owner promised that there was no way anyone could get any subscriber's address other than through their posts. When I read that, I sent one post to the list. Later that day I sent him the addresses of almost 100 of his subscribers, most of whom had never posted or replied to me. What shocked him most was finding his own primary address in the list, rather than the alias he used to subscribe.

                        After he got done screaming at me on the phone for "hacking his system," (clearly wasn't what happened), I told him how to fix it. Then I convinced him to lose the "100% Safe Guarantee."

                        That didn't require any kind of hack, or even what might be called an exploit. Just a legitimate post by a registered member, using a feature that's common to every email client I've ever used except Pine.

                        The Aweber hack was about as far from that kind of thing as it's possible to get, but it illustrates the point: Until you know everything, don't promise everything.


                        Paul
                        • Profile picture of the author miami
                          This may be a stupid question.

                          As I have gmail for my addresses I wouldn't know if my lists were in this at all - and i have heard nothing from subscribers.

                          But if all subscribers are getting this stuff from your list...

                          What are you doing for them?

                          I haven't seen that here anywhere (unless I missed it?)

                          Thanks

                          Miami

                          ps Good job Shaun!

                          Always looking for PPV and affiliate mentor/masterminds... Let's trade stories!

  • Profile picture of the author Stephen Root
    Hmm... sounds really suspicious and we use Aweber for multiple businesses. I wonder if it's time to change. Can somebody post the spam message they got so I can check if we got those too. Nowadays there's just so much spam that it all gets filtered.
  • Profile picture of the author tknoppe
    Sadly, spam is a part of our lives and something we have to deal with. I have spam filters in place that catch most of it. While I've not always used unique email addresses for every Aweber list I've signed up for, I do have some email addresses that have been setup within my cpanel, never used anywhere and eventually they too receive spam.

    I don't believe that my cpanel was compromised, but more likely that there are spam software/bots (whatever) that sequence through randomly created email addresses and eventually that automated process will actually deliver a valid email address somewhere and the spam mail gets through.

    While it's certainly possible that Aweber was compromised, it could be equally as plausible that spammers are using some random email generator script.

    Traci Knoppe, OBM, Launch & Project Manager
    Your Web Tech Team

    • Profile picture of the author PCRoger
      Originally Posted by tknoppe View Post


      While it's certainly possible that Aweber was compromised, it could be equally as plausible that spammers are using some random email generator script.
      I thought about that, but ruled it out immediately. I have 1 domain in the pack that is a catch-all. Anything @ thatdomain.com will come through to me. Only the aweber address did.

      Also, hacking someone who had a list at aweber (mentioned somewhere above) would not do it (completely).

      Not only are there 20 addresses I have on 20 different lists (i.e., 20 hacks), my unique address that I gave ONLY to aweber to use for my account with aweber and not on any lists also received the same spam message.

      Roger.
      Track your affiliate sales back to the ARTICLE or WEBSITE that generated the sale. CBSaleTracker

      I was making money in days with the 4 Day Money Making Blueprint

  • Profile picture of the author DaveDaveDave
    Shaun, I am with you, I have (Friday) received bursts of spam email to approx 15 out of several hundred unique email addresses I have registered with various companies.
    The common factor seems to be aweber (I gave up checking them all as was out of time), also I can't say whether I have other emails handled by aweber that aren't being spammed. I am not an aweber user.
    I have submitted a support request at aweber and suggested I will require compensation for the inconvenience (changing each email).

    I've seen this happen before too, both to me and reported on the web (I can't post links, so search..) "SpamCop Discussion > How do I sue an identifiable Texan spammer illegally using traceable email addresses?"
    [if this is a duplicate post, apologies, but it seems to have disappeared]
  • Profile picture of the author Damien Roche
    So strange. This didn't make any sense as I'd only used aweber once until Shaun detailed some of the addresses these were sent from.

    Happened to my gmail address from exactly the same email addresses. I received about 5 in one day and my account has never received spam in over 2 years.

    Could be aweber as I have had an account with them, but not any more...think they still keep my email on file?

    These psychopathic spammers are relentless.
    >> Seasoned Web Developer (CSS, JavaScript, PHP, Ruby) <<
    Available for Fixed Fee Projects and Hourly ($40/hr)
  • Profile picture of the author KristiDaniels
    I show deliverability drops already from Aweber hosted lists. They were at 81.18% deliverability across all test lists. They have dropped to 74.93% deliverability in the last two days since the spam started.

    If the spam isn't due to an Aweber compromise, then why has the trust level of major email ISPs toward Aweber dropped so much?

    The ISPs aren't buying the "we aren't compromised", bury-their-head-in-the-sand position of Aweber.
    • Profile picture of the author DaveDaveDave
      re "I show deliverability drops already from Aweber hosted lists."
      Maybe there's something I'm missing here, but the spam I'm referring to is not coming from/via aweber, it is simply spam (from dsls generally so botnets presumably) that is addressed to email names that have previously been delivered to by aweber. Thus I don't see how this would affect aweber's normal delivery stats.
  • Profile picture of the author Sir Dancelot
    I am not a customer of aWeber.

    I've signed up for several aWeber lists and unsubscribed many of them.

    I give a unique email address to each list I subscribe to. I have hundreds of these unique addresses, as I give a unique address to any web site that asks for one. I have a unique one here at warriorforum.

    Since yesterday, I've received five spams to five unique email addresses I've only given to aweber users. These spam are all similar to each other.

    I have hundreds of other email addresses that I've given to non-aweber lists and sites and I've not received any spam to those addresses.

    QED

    I also contacted aweber, sent them complete headers and got the same boilerplate response that Shaun reported. I then wrote them to check out this forum.
    • Profile picture of the author kyleb
      I just started receiving those as well to a couple of email addresses I have used to sign up on Aweber lists, but also on some other mailing lists...

      I hope Aweber wasn't hacked! I use them for all my subscribers.

      Kyle

      Your goals should be just out of reach, but never out of sight.
      Visit Kyle Allred over at www.KyleBlakeAllred.com I tell it like it is.

  • Profile picture of the author RobJones
    Yes, Aweber got compromised and I can prove it without any doubt.
    See my post here:
    http://www.warriorforum.com/main-int...u-so-much.html


    • Profile picture of the author 52.ct
      If Aweber was hacked and they (Aweber) are burying it, then a lot of people in the IM world are going to be f*cked.

      Maybe it is a good idea, for anyone using Aweber, to send a test message to their list. Explain the situation... maybe even reference this thread. That way your list will know that it was not you who sent the spam.

      Also, ask anyone on your list who received spam at a unique email address used specifically for your newsletter to enter a new and unique email into Aweber.

      If they still receive spam on this new email address then we will know Aweber was compromised.

      I personally have roughly 220-230 different email addresses. About 35 on those have received spam thus far. One third of those email addresses are still active. The rest have been unsubscribed from their respective list.
  • Profile picture of the author RobJones
    Yes, Aweber was hacked and I can prove it with 100% certainty.
    (Everyone can contact me via PM)

    Of course, the spammers aren't sending emails via Aweber's servers. (they, the spammers, are sure not that dumb)
    The spammers have just hacked Aweber's servers, extracted the email addresses from Aweber's data base(s) and are now happily sending tons of spams using their own untraceable spam bots.

    That means:
    From now on ALL the compromised email addresses will ALWAYS receive tons of spam.
    The only way to stop those spam floods would be to stop using those email addresses.
    And that in turn would also mean to stop receiving emails from all those marketers who are using Aweber...
  • Profile picture of the author jasondinner
    WOW!!

    I just checked in my spam folder and found the same "pharmacy" emails Shaun
    said he was getting to his previously "spam free use for aweber only email address"
    and I have the same emails in my spam folder too!!

    Now before I completely made my mind up that Aweber was compromised I looked
    at the email address these D-Bags (spammers) sent their crap to which led me
    to believe that Aweber indeed was compromised.

    You see, when I test opt-in forms, I use my gmail account, but put dots in between the
    user name.

    For example, if my gmail address was jasoniscool[a]gmail dot com, I would use

    j.asoniscool, then ja.soniscool, jason.is.cool, etc.

    Aweber forms are the only places I submit those variations of my email addresses to.

    Guess what!!?!?!?!?!?!?!

    The email addresses these spammers sent their spam to were those email address variations.

    If they did indeed get hacked, hopefully they are working towards correcting the
    situation and preventing it from ever happening again.

    Maybe they will come in here and clear things up for us, or admit it.(doubtful - lol)

    Cheers
    Jason

    P.S. - Other than that, I have found Aweber to be the best provider of these types of
    services in their price range.

    Obviously they are not the end-all-be-all, but they are good for most marketers.

    When I am making $3K per day or before that, I will definitely be looking for other
    providers.

    "Human thoughts have the tendency to transform themselves into their physical equivalent." Earl Nightingale

    Super Affiliates Hang Out Here

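Shaun's elimination method earlier in the thread and Jason's dot-variant Gmail addresses rest on the same idea: hand each service its own unique address, then look for the common factor when spam arrives. The script below is an added Python example of that reasoning (not code from the thread, from AWeber or from any poster); the registry, the recipient list, the catch-all domain and the "+tag is stripped on non-Gmail hosts" rule are all constructed assumptions.

```python
"""Attribute a spam burst to the service that most likely leaked the address.

Added example; all addresses are constructed and use the reserved example.com.
"""
from collections import Counter, defaultdict

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize(addr: str) -> str:
    """Lowercase and trim; keep '+tags' and dots, because they are the evidence."""
    addr = addr.strip().lower()
    if addr.count("@") != 1 or addr.startswith("@") or addr.endswith("@"):
        raise ValueError(f"not an e-mail address: {addr!r}")
    return addr


def inbox_of(addr: str) -> str:
    """Mailbox an address really delivers to (the part the sender cannot see).

    Gmail ignores dots in the local part and anything after '+'. For other
    domains only the '+tag' forwarder convention is assumed (constructed rule).
    """
    local, domain = normalize(addr).split("@")
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local, domain = local.replace(".", ""), "gmail.com"
    return f"{local}@{domain}"


def attribute(registry, spam_recipients, catchall_domains=()):
    """Rank services by the share of their tagged addresses that received spam.

    registry: {tagged_address: service it was given to}
    spam_recipients: To: addresses collected from the spam burst
    catchall_domains: domains where any local part reaches you; spam there to an
        address that was never handed out points to guessing, not to a leak
    """
    reg = {normalize(a): s for a, s in registry.items()}
    registered = Counter(reg.values())
    hits = defaultdict(set)
    unknown = set()
    for r in spam_recipients:
        r = normalize(r)
        if r in reg:
            hits[reg[r]].add(r)
        else:
            unknown.add(r)
    services = {
        svc: {"hit": len(hits[svc]), "registered": n, "share": len(hits[svc]) / n}
        for svc, n in registered.items()
    }
    ranked = sorted(services, key=lambda s: services[s]["share"], reverse=True)
    guessed = {u for u in unknown if u.split("@")[1] in catchall_domains}
    # Distinct real mailboxes hit: the dot variants collapse to one Gmail inbox,
    # which is what matters when deciding which addresses to retire.
    inboxes = {inbox_of(a) for s in hits.values() for a in s}
    return {
        "services": services,
        "ranked": ranked,
        "unknown": unknown,
        "guessed_on_catchall": guessed,
        "inboxes_affected": inboxes,
    }


# Constructed registry: which service each unique address was handed to.
REGISTRY = {
    "name+aweber-list1@googlemail.com": "aweber",
    "name+aweber-list2@googlemail.com": "aweber",
    "j.asoniscool@gmail.com": "aweber",       # dot variant, same Gmail inbox
    "ja.soniscool@gmail.com": "aweber",
    "aweber@example.com": "aweber",           # the account's own contact address
    "name+infusionsoft@googlemail.com": "infusionsoft",
    "isoft-test@example.com": "infusionsoft",
    "warriorforum@example.com": "warriorforum",
}

# Constructed To: addresses from the spam burst (one message arrived twice).
SPAM_TO = [
    "Name+Aweber-List1@googlemail.com",
    "j.asoniscool@gmail.com",
    "aweber@example.com",
    "ja.soniscool@gmail.com",
    "aweber@example.com",
    "info@example.com",   # never handed out: only guessing could reach it
]

if __name__ == "__main__":
    report = attribute(REGISTRY, SPAM_TO, catchall_domains={"example.com"})
    for svc in report["ranked"]:
        s = report["services"][svc]
        print(f"{svc:13} {s['hit']}/{s['registered']} tagged addresses hit")
    print("unknown recipients:", sorted(report["unknown"]))
    print("guessed on catch-all:", sorted(report["guessed_on_catchall"]))
    print("real inboxes to clean up:", len(report["inboxes_affected"]))
```

A service that scores 0 of N while another scores most of its addresses is the common factor; an empty "guessed on catch-all" set is the same check PCRoger ran with his catch-all domain.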
    • Profile picture of the author blkfin
      No Doubt something has happened at aweber. I am getting the same messages as everyone else from my mailing list email addresses. i.e. newslettername@MYDOMAIN.com.
      Signature

      "Win Anyway"

    • Profile picture of the author johnng
      Originally Posted by jasondinner View Post

      WOW!!

      I just checked in my spam folder and found the same "pharmacy" emails Shaun
      said he was getting to his previously "spam free use for aweber only email address"
      and I have the same emails in my spam folder too!!

      Now before I completely made my mind up that Aweber was compromised I looked
      at the email address these D-Bags (spammers) sent their crap to which led me
      to believe that Aweber indeed was compromised.

      You see, when I test opt-in forms, I use my gmail account, but put dots in between the
      user name.

      For example if my gmail address was jasoniscool[a]gmail dot com , i would use

      j.asoniscool , then ja.soniscool, jason.is.cool, etc.

      Aweber forms are the only places I submit those variations of my email addresses to.

      Guess what!!?!?!?!?!?!?!

      The email addresses these spammers sent their spam to were those email address variations.

      If they did indeed get hacked, hopefully they are working towards correcting the
      situation and preventing it from ever happening again.

      Maybe they will come in here and clear things up for us, or admit it (doubtful - lol).

      Cheers
      Jason

      P.S. - Other than that, I have found Aweber to be the best provider of these types of
      services in their price range.

      Obviously they are not the end-all-be-all, but they are good for most marketers.

      When I am making $3K per day or before that, I will definitely be looking for other
      providers.
      Jason's findings seemed very conclusive. I do the same thing as Jason, using different dot positions for testing several optins with the same Gmail account. However, I haven't noticed any spam to those email addresses. Mind you, I haven't tested any optin for quite a while now; maybe that is why.
    • Profile picture of the author RobJones
      Originally Posted by jasondinner View Post

      Obviously they are not the end-all-be-all, but they are good for most marketers.
      You should have said "they WERE good."
      Because from now on spammers will ALWAYS send tons of spam emails to all the compromised email addresses (they know those email addresses are real).
      And I doubt that THIS "is good" for *any* marketer.

      Much rather it is the END for your list and all other lists because the only way to stop that flood of spam is to stop using those email addresses...

      Sure, most people can't trace their email addresses to the website/domain where they've originally entered it.
      But I wonder how long it would take those "most people" until they'll be forced to change their email address?
  • Profile picture of the author markgilbert
    OK, here's my 2 cents worth...

    Like Shaun, I use very specific emails when filling out forms, testing forms, submitting to social networks and bookmark sites, AWEBER, signing up for an ebook, orders, etc. just so I can track where crap (or gems) comes from, should I get any. I started getting spam today to emails that NOBODY but AWEBER knows about.

    But like you said Paul, this isn't ABSOLUTE PROOF exactly "WHAT" happened, or who or what is/was the culprit. All I know, with 99% certainty, is that AWEBER has a HIGH probability of being involved, no matter HOW it happened.

    That may not be 100% ABSOLUTE Certainty. But if I was a betting man, I'd put my money on AWEBER somewhere/somehow, and without hesitation.

    Now, where's GUIDO? I have a job for him.
    Signature
    PUSHY! is the answer to targeted traffic in 2010
  • Profile picture of the author toppito
    I am a member of this forum but I found this thread after making a Google search for "Aweber spam", not because I logged into the forum.

    Yes, I've been getting a lot of spam and it looks like my suspicions about Aweber being compromised were right. I'm on several lists from several marketers who use Aweber, and when I signed up I used my domain's catchall address so I wouldn't have to set up an e-mail address for every website where I am asked to enter my e-mail address. So I would go to a website and enter a different e-mail for every website, for example marketer1@mywebsite.com, marketerbob@mywebsite.com, marketerjoe@mywebsite.com, etc., and all the e-mails would go to my domain's catchall address. Well, now after checking the to: addresses the spam e-mails were sent to, I can see the spam e-mails were sent to marketer1@mywebsite.com, marketerbob@mywebsite.com, marketerjoe@mywebsite.com, etc.
  • Profile picture of the author DogScout
    Where are the 'from' addresses saying... you?
    If so your lists would be decimated!
  • Profile picture of the author Goatboy
    I just deleted a bunch of drug spams off the email that I normally sign up to aweber things. I haven't had that before today.
    • Profile picture of the author ExRat
      Hi,

      I did some searching on this -

      A rather prominent blogger saying that his Aweber list subscribers, who used a unique address to sign up, have been complaining directly to him about a deluge of spam to the address -

      Has Aweber Been Compromised? Reports of Spam Going to Aweber Lists

      He's added an update at the bottom -

      Within half an hour of posting this Aweber got in touch. They’re not ready to make a public statement on this but are happy for me to pass on that they’re aware of it and are “doing extensive investigations into any possible issues.”

      From what I can tell they’re collecting lots of data – perhaps if you have any specific data from those in your lists including header information of spam emails it could be worth emailing Aweber to let them know of your problem and any data that you have. I’d suspect that specific information would be helpful to them.
      Other prominent IMers are discussing it with him via twitter -

      Twitter / Andy Beard: Aweber spam @problogger @c ...

      The plot thickens.

      Regarding my post earlier about twitter - I was mistaken, they weren't only used for twitter. I now realise that I was subscribed to one list when I also used them as a paypal email for a one off purchase. In other words, the ones I'm getting the spam on were subscribed to one email list, and twitter is exonerated it would seem.

      HTH
      Signature


      Roger Davis

      • Profile picture of the author Paul Myers
        Rob,
        Conclusion:
        There is only ONE way how this could happen.
        The ONLY way this could happen is if someone would get the emails directly from Aweber's data base.
        That's it.
        Anything else is *technically impossible*.
        Actually, it's not. It's certainly possible that, and even looking like, someone got them from Aweber, either through cracking their systems or from an employee. (Those are two possibilities - not one.) But even they aren't the only ways.

        Ask a good network engineer about the possibility of capturing data in transit. That's a third way, and it's the one that concerns me most.

        There are others, but they're looking sufficiently improbable that they can be ignored for the moment.

        I get the feeling that I know a lot more about how this stuff works than you do, and I'm not at all certain what happened. I'm equally unsure how you could claim to have absolute proof of the one and only possibility.

        BTW, that's not a "unique" system for spam-tracking. It's not even new. It was in use at least 13 years ago, and probably a few before that.


        Paul
        Signature
        Stop by Paul's Pub - my little hangout on Facebook.

        • Profile picture of the author RobJones
          Originally Posted by Paul Myers View Post

          Ask a good network engineer about the possibility of capturing data in transit. That's a third way, and it's the one that concerns me most.
          This is a *theoretical* possibility.
          This could NOT happen in my particular case.
          Because those emails of mine are not just from one or two or several lists.
          They are from MANY lists.
          A wide variety of different marketers.
          They were *not* all sending emails to their lists on a particular day or so.
          And besides, that capturing of data in transit is highly unrealistic anyway.
          • Profile picture of the author Paul Myers
            Rob,
            This is a *theoretical* possibility.
            This could NOT happen in my particular case.
            It is neither theoretical nor impossible in any case like the one described. It's happened before, just with different targets. As I suggested... talk to a good network engineer about it.

            Everything is a possibility at this point. We don't know what happened.
            I get the feeling that you don't.
            May I suggest Maalox?


            Paul
            Signature
            Stop by Paul's Pub - my little hangout on Facebook.

            • Profile picture of the author Shaun OReilly
              Given that so many other AWeber users have been experiencing
              similar issues with unique e-mail addresses that are only housed
              within AWeber, then unfortunately I think it's now safe to conclude
              that AWeber has been compromised - somehow.

              How or by whom I do not know. That is still up for debate. It
              could be a database compromise, a rogue employee, a vengeful
              competitor or a whole host of other possibilities.

              What's important now is that AWeber quickly listen to the
              evidence put forward by their customers, and then either
              hold their hand up to the error or put forward an alternative
              and plausible cause for the problem.

              I've been an AWeber customer for years and have had nothing
              but high praise for them. They've also built up a lot of goodwill
              by their exemplary behavior in the past so I for one will cut them
              some slack on this and hope others would too.

              I've also got offline clients that are using AWeber based on
              my recommendation, so I have a lot riding on this as well.

              In my book it's OK for an unintentional and albeit disastrous
              error to occur. What's important now is how they respond
              and prevent a reoccurrence.

              In this time of social media etc, it's hard to bury bad news
              or fob off customers.

              Tom Kulzer and Justin Premrick are members of the Warrior
              Forum as well as having Twitter accounts etc so they have
              ample channels to respond.

              At the moment, the silence is deafening. I'm sure that they
              are hard at work finding the true cause of the error and will
              make a responsible announcement very soon.

              Dedicated to your success,

              *Shaun O'Reilly

              P.S. One lesson to learn from this is to subscribe to your own
              list with unique e-mail addresses so that you can quickly
              identify potential issues.

              Also, use an e-mail address that you can terminate at your
              end should a similar thing happen again. I can terminate the
              cpanel forwarding e-mails but I'm not sure how to terminate
              an 'on-the-fly' GMail address like name+listname@googlemail.com.

              As for my non-unique and more widely used e-mails that were
              also within my AWeber account, they're now receiving the
              pharma spam for the first time ever too.
              • Profile picture of the author Chris Steiner
                I was intrigued when I saw this thread because I use unique email addresses whenever possible, using the google + address, and I also began receiving spam to these addresses recently.

                Originally Posted by Shaun OReilly View Post

                I can terminate the
                cpanel forwarding e-mails but I'm not sure how to terminate
                an 'on-the-fly' GMail address like name+listname@googlemail.com.
                Shaun - I'm not sure you can terminate these addresses, but you can create a filter in your gmail account and have it automatically deleted or archived. At the very least it will keep you from ever seeing these.

                HTH,

                Chris
                Signature

                "Without a plan, there's no attack. Without attack, no victory."
                "A plan. Oh, boy, I've got a plan." -Ack Ack Raymond

              • Profile picture of the author WPExpert
                Terminate them, yes, of course. That's why I got sxipper of course and I have been using sxipper for years. And of course, I've got nothing better to do than sit here blocking hundreds of nym addresses from sxipper!
                Signature
                Sales & Marketing Websites | QloudPress™ - When Your Website Is Mission-Critical
        • Profile picture of the author RobJones
          Originally Posted by Paul Myers View Post

          I get the feeling that I know a lot more about how this stuff works than you do
          I get the feeling that you don't.
  • Profile picture of the author Jeannie Crabtree
    I would have said the same thing, but one of the additional addresses I am just starting to get spam to, I use with Paypal. I don't have an aweber newsletter set up with that email address.

    edited: I realize now that some of my orders would cause me to be subscribed to an aweber mailing list with this email address. So yes, same here.

    This all started at the same time. Been good for years, before this.

    Jeannie
    • Profile picture of the author ExRat
      Hi Rob,

      I'm cross-posting here what I have replied to you on the other thread, as it's relevant here -
      All 4 posts quoted below originally posted by RobJones
      Quote:
      This setup is available through a Firefox addon and is called Sxipper.
      Here is their website: Sxipper: Welcome to Sxipper
      It has several different functions one of them being creating disposable email addresses on the fly for any given form.
      Those email addresses are always active. Unless I specifically disable some of them.
      All active sxipper emails are just forwarding to me.
      They are not on my PC and not on my servers.
      So in theory, sxipper could have been hacked?
      In which case, this is incorrect -

      Quote:
      This is *NOT* an assumption. I got PROOF.
      Aweber servers must have been HACKED.
      Also -

      Quote:
      I know this with absolute 100% certainty.

      Always when I opt in to some list I (automatically) generate a unique email address in the format:
      6iq8hmzjc9@domain.com

      So, the alias of that email is a *completely random* 10 character string consisting of characters and numbers randomly mixed together.
      In other words, there is NO WAY spammers could ever generate those emails by trying different character combinations for that domain.
      That's because the number of possible combinations is so huge that it would take the spammers many HUNDREDS OF YEARS to send emails to all possible combinations of emails on just that one domain that I'm using.
      So, it's absolutely impossible anyone could ever "guess" my email addresses.
      And for every opt-in I use a brand new unique email address.

      That's how I can tell where I have used which email address.
      I can trace each and every of those automatically generated email addresses to the website where I've originally entered it into an opt-in form.

      And if I suddenly get a flood of spam emails *exclusively* to those of these unique email addresses that were normally used by the Aweber system and by their system only
      (i.e. marketers who were using Aweber to send follow-up or newsletter emails)
      then there is ONLY ONE possible explanation for this:
      Aweber's data base has been hacked!
      If you have opted in to a 3rd party list, then the person who pays aweber to run that account could have extracted your email and sold it to spammers, or spammed it themselves from a different address. If the opt in form was made by the site owner, it could be the site owner (not aweber) who has been breached, or has deliberately compromised their own opt in form.

      In either case, again, this is incorrect -

      Quote:
      This is *NOT* an assumption. I got PROOF.
      Aweber servers must have been HACKED.
      Even if it happens on multiple email addresses on multiple aweber lists, this is still not proof.

      BUT, there are others in the other thread that are NOT talking about using an email which has been given to a 3rd party opt-in form (in which case it could be viewed by the list owner without being hacked) therefore that does suggest that they might have been hacked.

      But regardless, you are saying that another business MUST have been hacked and compromised and that you have proof, when in fact you have no personal proof.
      Also -

      Quote:
      Originally Posted by Paul Myers
      I get the feeling that I know a lot more about how this stuff works than you do
      I get the feeling that you don't.
      I don't know you, but I would hazard a guess that Paul is right.
      Signature


      Roger Davis

      • Profile picture of the author ericabiz
        Here's my story.

        I have a list of a few thousand people built through Aweber.

        Today I received a complaint from a subscriber. He uses the Gmail + system (i.e. hisname+mylistname@gmail.com) and received pharmacy spam to that address.

        I can tell you definitively I have not sold that list, nor have I ever exported it out of Aweber or imported it from any other system. Also, as far as I can tell, my Aweber password has not been hacked. I use a different password for Aweber than any other site.

        --

        I also noticed that my own private email address, that I use only to receive email from other marketers (who also use Aweber), has been receiving the same pharmacy spam for about a day and a half now.

        I didn't know the two were related until I saw Darren post about it on Problogger.

        I got the full headers from my subscriber and filed a ticket with Aweber. So far, their usually stellar support has been completely quiet.

        Now, out of thousands of people, I have only received 1 complaint...BUT I don't know how much of the database got compromised. Many people will have email filters that just delete it, no matter what. It's only the super-perceptive subscribers (and people who are around their computers this weekend) who will even notice.

        It's undeniably something with Aweber at this point. Whether, like Paul says, it was a database hack, an employee breakin, or a man-in-the-middle attack remains to be seen. But I think we can pretty definitively rule out sleazy list owners and other compromised systems (like Twitter.)

        -Erica
  • Profile picture of the author DogScout
    There is discussion on other forums, apparently, also using the service by name. When someone is comfortable enough with a problem to point a finger and actually publish a service's name (as has been done here and elsewhere), that would indicate a lot of very careless people, or very sure ones. (Or some mixture of both.)

    In my case, none of my service test email addresses are receiving any spam. (of course that could be because I deleted all test emails and Downloaded all customer emails from that system and then deleted them before whatever is happening got to my account. Or my account is just too small to bother with. Lol)

    If anyone is receiving customer complaints, ignoring them at this point may do more harm than good? Although for customers receiving spam who are not able to connect it with your account, getting an email from you may well open up other problems. I guess this is one of those times I am glad most of my customers' private information is stored at an 'inferior' AR service. Lol. One apparently too small to be a target (or one with better security, though that is unlikely?)

    It sort of shows that nothing is totally 'secure'. Will be interesting to see if any of this hits the national news. I think few will be as sanely forgiving as Shaun, but I could be wrong. If thought about enough, this could happen to any service? Would the only truly secure system be keeping all customers in a cvr file and uploading it encrypted each time you wanted to send out an email... until someone stole the .cvr file from you....
  • Profile picture of the author Colin Evans
    I am getting spam to email addresses which have been set up but never used in any public service... The only common denominator is I have sent emails to these addresses to test them or a product I have been developing.

    I am now getting spam to email addresses used in all autoresponder services (and many of those addresses are unique to the list subscribed to).

    Which leaves two possibilities - either somebody is sniffing internet traffic for email addresses or my machine has spyware which none of the commercially available anti-spyware programs can find (and I use more than one).

    [added]I am also getting spam with my own unique addresses as the from address[/added]
    Signature

    Sig not working today - too hung over...

    • Profile picture of the author Chris Simpson
      My first thought when I saw the big influx of spam on Friday was that I had somehow been compromised. It was only after spending some time examining the email addresses that had received the spam that I came to the same conclusion as most others, that AWeber seems to be the common factor here, since, like other people, I use an email address format that allows me to identify where I submitted my details. In fact, I found this thread when I was searching on Google to find out more information about what was happening.

      The primary reason I can rule out my own machine being compromised isn't just me being naive enough to think having up to date anti-malware software is going to completely protect me. New exploits come out all the time which means that the security software vendors are always playing catch up. The main reason I have for ruling out my own machine is that I have reinstalled the operating system in the last couple of months and many of the email addresses that received spam have been inactive for much longer than that. In fact, I'd actually forgotten how many lists I'd joined over the years until I saw that influx.

      I can also rule out my cPanel being compromised because, well, I don't have cPanel installed on my servers. Again, even if my POP3 account on my server had been compromised, that wouldn't explain why email addresses that hadn't been used for some time would have been harvested. Also, the fact that it wasn't just my own domains that received spam but also some of my GMail accounts tells me the cause is likely to be elsewhere.

      Another theory put forward is rogue list owners selling their email addresses. Given the sheer number of spam emails I received to different addresses, that would mean that many, many different marketers had been involved, and since I know for a fact I haven't sold *my* email list, the fact that some of the test addresses I used when testing my autoresponder sequences received spam rules that one out.

      Packet sniffing is another possibility that had been put forward, and while it can't be ruled out technically, I would have to say that I find it unlikely. As I've already said, some of the email addresses that received spam had been inactive for many months so sniffing the internet for email addresses would not have picked those email addresses up. Also, I have other email addresses that aren't on AWeber lists that have not received spam so surely if this was the cause I would expect to have received spam to those addresses as well.

      So what else is left? All I can think of is AWeber being compromised somehow. Even this gives us several options. It could have been an external hack that somehow gained direct access to their database, or someone could have gained administrator access due to a weak password or through brute force. There's also the possibility of a rogue employee or even a disgruntled former employee selling the database, or even one of their developers having a copy of the database on a laptop that got stolen, along the lines of the many high profile news stories we've all heard in recent years.

      The question now is what will AWeber do about it to ensure that it doesn't happen again? Like many others I do like their service a lot and it has been an essential part of my business for several years. They're a good company. The one thing they won't be able to do anything about is stopping the spam. Those email addresses have fallen into the hands of spammers so they'll get spammed forever. The best thing we can do is to set up filters on our servers to blackhole emails sent to those addresses and if we really want to keep receiving emails from the marketer that should be sending email to that address then resubscribe with a clean email address.
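The tagging trick Shaun, Jason and toppito describe (a distinct address per list, via Gmail dot/plus variants or a catch-all domain) only pays off if you can map a spammed To: address back to where you handed it out, and then retire those addresses as Chris suggests. This is an added example, not code from the thread or from AWeber; the registry, the provider labels and the sample spam headers are constructed.

```python
"""Map spam hitting tagged ("canary") addresses back to the service each
address was issued to. Added example; registry and messages are constructed."""
import email
from collections import defaultdict
from email import policy
from email.utils import getaddresses

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed registry: the literal address handed out -> "provider:list".
CANARY_REGISTRY = {
    "j.asoniscool@gmail.com": "aweber:list-a",           # Gmail dot variant
    "jasoniscool+marketer1@gmail.com": "aweber:list-b",  # Gmail plus tag
    "marketerbob@mywebsite.com": "aweber:list-c",        # catch-all domain
    "paypal-only@mywebsite.com": "paypal:checkout",
}


def split_address(addr):
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def canonical(addr):
    """Mailbox identity. Gmail delivers every dot/plus variant of a local part
    to one inbox, so those collapse here; other domains are left alone."""
    local, domain = split_address(addr)
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class CanaryRegistry:
    def __init__(self, issued, catchall_domains=()):
        # Attribution keys on the literal address as issued: after
        # canonicalisation every Gmail variant looks identical.
        self.issued = {a.lower(): src for a, src in issued.items()}
        self.catchall_domains = {d.lower() for d in catchall_domains}
        self.mailboxes = {canonical(a) for a in self.issued}

    def attribute(self, addr):
        """'provider:list' for an issued address, an 'unregistered:*' marker
        for our mailbox but an address we never gave out, None if not ours."""
        addr = addr.strip().lower()
        if addr in self.issued:
            return self.issued[addr]
        if split_address(addr)[1] in self.catchall_domains:
            return "unregistered:catchall"  # dictionary/guessed local part
        if canonical(addr) in self.mailboxes:
            return "unregistered:variant"   # Gmail variant we never issued
        return None


def recipients(raw_message):
    """Every recipient address a message carries, lower-cased."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    for header in ("To", "Cc", "Delivered-To", "X-Original-To"):
        values = [str(v) for v in msg.get_all(header, [])]
        found.extend(a.lower() for _, a in getaddresses(values) if a)
    return found


def triage(registry, raw_messages, threshold=2):
    """Group spammed canaries by provider. A provider with `threshold` or more
    distinct issued addresses hit is the probable leak point; a single hit
    could still be one dishonest list owner rather than the provider."""
    hits = defaultdict(set)
    for raw in raw_messages:
        for addr in set(recipients(raw)):
            source = registry.attribute(addr)
            if source is not None:
                hits[source.split(":", 1)[0]].add(addr)
    summary = {p: sorted(a) for p, a in hits.items()}
    suspects = sorted(p for p, a in hits.items()
                      if p != "unregistered" and len(a) >= threshold)
    return summary, suspects


def retire_list(registry, suspects):
    """Addresses to blackhole at the mail server: every canary issued to a
    suspected provider, since spammers now know they are live."""
    return sorted(a for a, src in registry.issued.items()
                  if src.split(":", 1)[0] in suspects)


# Constructed sample spam; only the headers matter for attribution.
SAMPLE_SPAM = [
    "From: Pharmacy <x@example.invalid>\nTo: J.asoniscool@gmail.com\nSubject: pills\n\n",
    "From: Pharmacy <x@example.invalid>\nTo: marketerbob@mywebsite.com\n"
    "Delivered-To: catchall@mywebsite.com\nSubject: pills\n\n",
    "From: Pharmacy <x@example.invalid>\nTo: jasoniscool+unknown@gmail.com\nSubject: pills\n\n",
    "From: Pharmacy <x@example.invalid>\nTo: paypal-only@mywebsite.com\nSubject: pills\n\n",
    "From: Pharmacy <x@example.invalid>\nTo: stranger@example.invalid\nSubject: pills\n\n",
]

if __name__ == "__main__":
    reg = CanaryRegistry(CANARY_REGISTRY, catchall_domains=["mywebsite.com"])
    summary, suspects = triage(reg, SAMPLE_SPAM)
    print(summary)                        # addresses hit, per provider
    print("probable leak:", suspects)     # ['aweber']
    print("retire:", retire_list(reg, suspects))
```

Feed it a mailbox export instead of `SAMPLE_SPAM` to run it over real spam; the threshold is deliberately low here because the sample is tiny.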
      • Profile picture of the author Paul Myers
        Chris,
        Packet sniffing is another possibility that had been put forward, and while it can't be ruled out technically, I would have to say that I find it unlikely. As I've already said, some of the email addresses that received spam had been inactive for many months so sniffing the internet for email addresses would not have picked those email addresses up. Also, I have other email addresses that aren't on AWeber lists that have not received spam so surely if this was the cause I would expect to have received spam to those addresses as well.
        It seems that folks are looking at the idea of sniffing as having only one target.

        I was thinking more of the possibility that traffic coming out of Aweber's systems might have been sniffed. If the weak spot was outside their perimeter, the only real clue to be had would be if there were unique addresses on lists that had not been mailed at all and which didn't get spammed.

        I have no idea where that kind of sniffing fits on the probability scale, but it's a scary thought.

        General response:

        I tend to feel the same way as Shaun on this. The issue isn't what happened, but how it's handled. I rather suspect Tom and his crew will be at work on it today, and every day until it's figured out.

        As far as the deafening silence, that's the proper response at the moment. As we've seen too many times before, any answer (or no answer at all) will be treated as a reason for someone to shout "Conspiracy" or promote their own pet theory. Such discussions tend to spiral out of control. Better for them to use the time finding out what happened and how to make it less likely in the future.

        Let's keep in mind, folks, that any system can be compromised. ANY system.

        It's easy to get indignant and point fingers when it's someone else. The folks who do that seem to be the most likely to fall into the same or similar problems later, since they're focused on blame, rather than correction or prevention. And, statistically speaking, the odds are good that at least a few of the people posting in this thread are doing so from machines that are infected with bots and sending spam without their even knowing.

        By the way... The images in some of the spams being sent to these addresses are tagged. If you read the mail in HTML format, with images enabled, they know it.


        Paul
        Signature
        Stop by Paul's Pub - my little hangout on Facebook.

        • Profile picture of the author Colin Evans
          It's easy to get indignant and point fingers when it's someone else. The folks who do that seem to be the most likely to fall into the same or similar problems later, since they're focused on blame, rather than correction or prevention. And, statistically speaking, the odds are good that at least a few of the people posting in this thread are doing so from machines that are infected with bots and sending spam without their even knowing.
          A little while back a spam ring was busted where they were turning thousands of computers into "spam drones" - I'm quite sure that system has been refined to be less detectable.

          What's to stop a bit of gremlin-like code from sending all the emails it finds in an email client to another drone so it can send spam back to the original addresses? That way all the unique email addresses found on a machine would eventually get spammed. It's a lot less risky for a spammer to do this - hacking into an autoresponder is risky business (and often leaves a trail).

          By the way... The images in some of the spams being sent to these addresses are tagged. If you read the mail in HTML format, with images enabled, they know it.
          Another way they know an email address could be valid is when they don't receive a bounce message. Deleting spam messages or sending them into a black hole doesn't help in this regard. I doubt they would waste server resources to check this, but thousands of drones can...
          Signature

          Sig not working today - too hung over...

        • Profile picture of the author Chris Simpson
          Originally Posted by Paul Myers View Post

          Chris, It seems that folks are looking at the idea of sniffing as having only one target.

          I was thinking more of the possibility that traffic coming out of Aweber's systems might have been sniffed. If the weak spot was outside their perimeter, the only real clue to be had would be if there were unique addresses on lists that had not been mailed at all and which didn't get spammed.

          I have no idea where that kind of sniffing fits on the probability scale, but it's a scary thought.
          I hadn't thought of the traffic being sniffed in the way you suggest, but that's certainly food for thought. Some of my addresses that received spam, however, had not been mailed for many months. It's always possible that if such sniffing was in place then it has been silently collecting email addresses for some time but I would have thought it would only be more recent email addresses that would have been picked up.

          I'm not trying to point fingers or blame anyone and I certainly don't hold anything against AWeber even though they seem to be the common factor here. If anything they're a much bigger victim in all this than us suffering the inconvenience of having to delete a few emails from our junk mail folders. I was merely going through my own thought processes and ruling out things that I did not think would be the cause of this given my own evidence and the experiences of others posted here. Although I agree that what happens next as a result of this is the most important issue here, I come from a software development background so I'm naturally inclined to want to understand why things happen as well.
          • Profile picture of the author Paul Myers
            Colin,
            What's to stop a bit of gremlin like code from sending all the emails it finds in an email client to another drone so it can send spam back to the original addresses.
            Ummm... Good anti-virus/security software?

            That's been going on for years. It was one of the earliest uses for trojans.
            It's a lot less risky for a spammer to do this - hacking into an autoresponder is risky business (and often leaves a trail).
            These are snowshoe spammers, pushing pills via botnets. They're already breaking enough laws in the US, NZ, Oz and most of Europe that they are unlikely to even care about the added risk. Assuming, of course, that they're in a country where they'd be prosecuted if caught.

            If this is the Russian Business Network, there's little risk of their being caught, much less prosecuted. I'm not up on spam fingerprints enough to say if they're involved or not, but it's a possibility. Chinese registrations, hosting in Israel and Taiwan... Looks Russian or eastern European to me.


            Paul
            Signature
            .
            Stop by Paul's Pub - my little hangout on Facebook.

            • Profile picture of the author Paul Myers
              Chris,

              I hear ya. The comments about finger-pointing weren't directed at you. (Hence the shift of address from "Chris" to "General response.") Overall, this is one of the most sensible discussions of this kind of problem we've seen on this board in quite a while. Lots of light, very little heat.
              It's always possible that if such sniffing was in place then it has been silently collecting email addresses for some time but I would have thought it would only be more recent email addresses that would have been picked up.
              Keeping in mind that I'm not assuming this is the attack vector...

              It would make sense, if they were collecting the information this way, to wait a while before mailing those addresses. Anyone technically savvy enough to do this (or hire someone to) would also be smart enough to know the source of the addresses would be figured out quickly. Why risk being spotted and having the source cut off before you get the lion's share of the data?

              Pure speculation, of course. We don't currently know. Still, it's a useful exercise in problem analysis and prediction.


              Paul
  • Profile picture of the author MichaelHiles
    FWIW... I have specific email addresses that are strictly used for lists. One is specifically for an Aweber list and nothing else.

    I have been getting Pharm spam on that address.

    I think Aweber has a problem.
  • Profile picture of the author MichaelHiles
    I see this as yet another reason why email is eventually going the way of the Dodo Bird.
    • Profile picture of the author JohnMcCabe
      I hate to pile crap on the compost heap, but it could be worse than just aweber getting compromised.

      Over the years, I've used three addresses to subscribe to lists, and all three have been getting hit with the pharma spam mentioned here.

      My wife likes to enter drawings and sweepstakes run by major corporations - mainstream magazines, network TV shows and the like. I set up one email address strictly for her to use in those contests.

      Starting Friday last (12/18), that address has been getting hit with the exact same thing.

      I know it's not conclusive, but it is scary...
  • Profile picture of the author DogScout
    Or encrypted email?
  • Profile picture of the author Richelo Killian
    Aweber is a competitor of mine, BUT, when I was a customer many moons ago, and even now as a competitor, they have ALWAYS been extremely fair in their dealings.

    Thus, I have to pipe up here and say there are a THOUSAND different ways this all could have happened!

    I have email addresses I have NEVER signed up to ANY list with, nor given out in public, nor put on any web site, and, eventually, they ALL get SPAM mail.

    Spammers are VERY clever in getting email addresses. If it's a public one like Gmail, or Yahoo, why do you not also assume that THOSE services were compromised?

    My staff and I hang around in spamming forums under aliases to learn what these scum of the earth are doing, and block them where we can.

    With that said, the only 100% secure site/server/PC, is an OFF one, in orbit around Saturn!

    Was Aweber compromised? Possibly. Is it a fact, even after all the evidence here? NO!

    I really hope for their part they were not! If they were, I am SURE they will make some announcement, as well as fix the issue.

    Competitor or not, they are an honorable company, with an honorable leader who never gets drawn into mud slinging fights.

    Tom usually jumps on threads here about his company, and I am SURE he will get on this one, and clear up the mess.
    Signature

    Kind Regards
    Richelo Killian
    Imnica Mail - Email Marketing Service - Tired of being ripped off by your AutoResponder?

  • Profile picture of the author MichaelHiles
    IF it happened... regardless of how, the problem COULD end up being a drop in opt-in rates of Aweber clients because people will be hesitant to subscribe to any list that has a visible Aweber confirmation URL.

    This is my concern, because the Aweber brand will have been seriously tarnished - not that I think that they did anything wrong, but perception is reality in the marketplace.

    This is certainly something that I am taking very seriously and will be watching closely.
  • Profile picture of the author Deric Yin
    I've received an angry email from a subscriber who claimed that he created an email account especially to subscribe to my list - and he received a pharma spam a few days ago.

    Have lodged a query with AWeber two days back but haven't heard back since. The silence is deafening.
    Signature
    Got Dating Traffic? This has got to be the easiest way to make money. Click Here

    Get $200 EXTRA on top of 75% ClickBank commissions. Find Out How
    • Profile picture of the author Kevin Marshall
      I haven't had any problems with my Aweber account so far, but I probably should look into it. I have nothing but positive things to say about them right now.

      With that said, I better check my account and see if I see anything funny going on over there.
      Signature

      Confused about SEO? Facebook? Adwords? Send me a PM to apply for your free 30 minute consultation today!
  • Profile picture of the author cma01
    However the email addresses were stolen, I think the hackers have now sold them to other list email services.

    I received a couple of the pharmacy emails, but the majority were caught by my spam filter. However, today I have been receiving emails nonstop from businesses I've never heard of.

    I've just been deleting the majority of them; however, one I did take the time to look up the actual contact information for the site that was being promoted (it wasn't in the email) and let them know that I thought they had bought an email service that was bad.

    They looked like a legitimate company and I'm sure they just responded to an email that claimed "we can send your email to XXX,XXX qualified prospects."
    Signature
    "Wise men talk because they have something to say; fools, because they have to say something."
    ~ Plato
    • Profile picture of the author gph
      After posting a ticket with AWeber on this issue over the weekend, [and not having seen this or other threads until now], I received a phone call from AWeber a short time ago. They said that there *was* a breach, and that it was related to the Live Chat software on their Web site, which had a vulnerability leading to the hack. They said that only the email addresses were exposed, and they're not sure how many were copied. They said that they have rebuilt the software, which was originally from a third party, and implemented new security features.

      That's all I have for now.
      • Profile picture of the author ericabiz
        Originally Posted by gph View Post

        After posting a ticket with AWeber on this issue over the weekend, [and not having seen this or other threads until now], I received a phone call from AWeber a short time ago. They said that there *was* a breach, and that it was related to the Live Chat software on their Web site, which had a vulnerability leading to the hack. They said that only the email addresses were exposed, and they're not sure how many were copied. They said that they have rebuilt the software, which was originally from a third party, and implemented new security features.

        That's all I have for now.
        Just to confirm, I just got the same phone call from Aweber. If you submitted a ticket over the weekend, they are calling each person individually. I expect they'll go public with this today or tomorrow.

        -Erica
  • Profile picture of the author MichaelHiles
    Extremely annoyed.
    • Profile picture of the author Paul Myers
      • Profile picture of the author LB
        Originally Posted by Paul Myers View Post

        I hope they are pursuing criminal charges against the involved. They are of course most likely overseas but that doesn't mean they should simply accept this as inevitable. The volume of theft alone would interest the feds I'm sure.

        What of their customers who now have lists that were compromised? How many people use privacy policies that say "your privacy is 100% guaranteed!" below their opt-in boxes.
        Signature
        Tired of Article Marketing, Backlink Spamming and Other Crusty Old Traffic Methods?

        Click Here.
      • Profile picture of the author JohnMcCabe
        Originally Posted by Paul Myers View Post

        I'm not an aWeber customer, although I am an affiliate.

        Props to them for not ducking or hiding the issue...
      • Profile picture of the author PCRoger
        Originally Posted by Paul Myers View Post

        The least they could have done is emailed me with a link to that.

        They have not responded to me since I sent them the requested spam emails with headers.

        I have, however, continued to be contacted (spammed) by the perpetrators.

        Regards,
        PCRoger.
        Signature
        Track your affiliate sales back to the ARTICLE or WEBSITE that generated the sale. CBSaleTracker

        I was making money in days with the 4 Day Money Making Blueprint

        • Profile picture of the author Talent ISL
          Warriors,

          I've been having exactly the same issue not only from Aweber, but some of the Gurus' non-Aweber lists have the same problem. I am not sure whether spammers are hacking the autoresponder systems or the Gurus themselves are doing this under a different pen name!?

          When I subscribe to a list, I enter a unique email ID. For example, when subscribing at MakeMoneyFromHotAir.com, I give an email address makemoneyfromhotair@mydomain.com. (I have set up email forwarding in my cPanel so that anything@mydomain will be forwarded to the inbox.) After I signed up, sometimes I start getting spam promoting mostly porn, dating, Rolex watches, enlargement stuff etc. By checking the email To address, I can easily find from which list the spammer is getting my email address.

          I suggest Warriors subscribe to lists this way, so that you can easily find where the loophole is.

          Best Regards,
          Ali.
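The one-address-per-list scheme above only pays off if you can later sort the spam by which tagged address it arrived on. The following is an added example (not code from the original post or from any list provider) that does exactly that in Python: it reads raw messages as they would land in a catch-all inbox, pulls the recipient from To/Cc and from the original-recipient headers a forwarding MTA adds (X-Original-To, Delivered-To), and counts hits per source list. The domain, the tag-to-list map and the sample messages are constructed for this example.

```python
import email
from email.utils import getaddresses
from collections import Counter

MY_DOMAIN = "mydomain.com"  # assumed catch-all domain for this example

# Which tagged local part was handed to which list (constructed data).
TAGGED_ADDRESSES = {
    "makemoneyfromhotair": "MakeMoneyFromHotAir.com list",
    "newsletter-alpha": "Alpha newsletter",
    "sweeps-2009": "Sweepstakes entries",
}

# Constructed raw messages as a catch-all forwarder would deliver them.
RAW_MESSAGES = [
    "Delivered-To: inbox@mydomain.com\nTo: makemoneyfromhotair@mydomain.com\n"
    "From: pills@example.org\nSubject: cheap meds\n\nbody\n",
    # Same tag, different capitalisation: local parts are matched case-insensitively.
    "Delivered-To: inbox@mydomain.com\nTo: <MakeMoneyFromHotAir@MyDomain.com>\n"
    "From: watches@example.org\nSubject: rolex\n\nbody\n",
    # Tag only appears on Cc.
    "Delivered-To: inbox@mydomain.com\nTo: friend@elsewhere.example\n"
    "Cc: sweeps-2009@mydomain.com\nFrom: x@example.org\nSubject: hi\n\nbody\n",
    # Bcc-style spam: To is useless, the MTA's X-Original-To carries the tag.
    "Delivered-To: inbox@mydomain.com\nTo: undisclosed-recipients:;\n"
    "X-Original-To: newsletter-alpha@mydomain.com\nFrom: y@example.org\n"
    "Subject: z\n\nbody\n",
    # An address on our domain that was never handed to any list.
    "Delivered-To: inbox@mydomain.com\nTo: unknown-tag@mydomain.com\n"
    "From: q@example.org\nSubject: q\n\nbody\n",
]


def tagged_recipients(msg):
    """Return the known tag local parts addressed to MY_DOMAIN in this message."""
    tags = []
    for hdr in ("To", "Cc", "X-Original-To", "Delivered-To"):
        for _name, addr in getaddresses(msg.get_all(hdr, [])):
            if "@" not in addr:
                continue
            local, domain = addr.rsplit("@", 1)
            if domain.lower() == MY_DOMAIN and local.lower() in TAGGED_ADDRESSES:
                tags.append(local.lower())
    return tags


def attribute_leaks(raw_messages):
    """Count spam per source list. Messages with no recognised tag go under
    'unknown tag' so a hole in the tag map shows up instead of vanishing."""
    counts = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        tags = set(tagged_recipients(msg))
        if not tags:
            counts["unknown tag"] += 1
        for tag in tags:
            counts[TAGGED_ADDRESSES[tag]] += 1
    return counts


if __name__ == "__main__":
    for source, n in attribute_leaks(RAW_MESSAGES).most_common():
        print(f"{n:3d}  {source}")
```

The same technique is what the McAfee SiteAdvisor crawl described later in this thread relies on: one address per sign-up, used once, so that any mail to it is attributable to a single form. Note the "unknown tag" bucket: if spam arrives on an address you never tagged, the leak is not a list at all, and a catch-all domain will also collect plain dictionary-attack spam that proves nothing about any list.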
  • Profile picture of the author DogScout
    Don't think they fixed it... I just made an email and sent it to a form I had on a page, it took all of 3 minutes to find out I had a small penis.
    (As if I didn't already know that!)
    • Profile picture of the author Paul Myers
      Don't think they fixed it... I just made an email and sent it to a form I had on a page, it took all of 3 minutes to find out (TMI)
      Good idea. I'm testing this now.


      Paul
  • Profile picture of the author Chris Simpson
    I had a voicemail off them as I missed their call, but kudos to them for being upfront about it and plugging the hole so quickly so it can't happen again.

    Since I'm getting numerous spam emails on a daily basis to the email addresses that were taken I'm thinking of setting up some filters on my server. There are two approaches I can take - I can either bounce the emails as undeliverable, or blackhole them.

    If I bounce them, my server will be sending out an undeliverable message for every spam it receives. Also, if the sender email address has been forged then some innocent person somewhere will be getting a barrage of undeliverable messages from my server.

    If I blackhole them then the messages silently disappear before I get them, but if the spammers are monitoring for bounces then it would appear to them that it's still a live email address and I could expect that address to be passed around.

    I'd like to hear what other Warriors think about this. Is it better to bounce or blackhole?
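There is a third option besides the two in the post above, and it avoids both problems: refuse the retired addresses during the SMTP session itself, at RCPT TO time, rather than accepting the mail and then either bouncing it (backscatter to a forged sender) or discarding it (the sender sees a 250 and keeps the address as live). The following is an added example, not code from the original post or from any MTA project: a Python decision function written against the request/response format of Postfix's SMTPD policy delegation protocol (attribute lines, blank-line terminated, answered with `action=...`). The leaked-address list, the domain and the sample request are constructed; wiring it into a real server via `check_policy_service` in `smtpd_recipient_restrictions` is assumed and not shown here.

```python
# Constructed request in the shape Postfix's smtpd sends to a policy service.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "protocol_name=ESMTP\n"
    "client_address=192.0.2.77\n"
    "helo_name=mail.example.org\n"
    "sender=pills@example.org\n"
    "recipient=makemoneyfromhotair@mydomain.com\n"
    "\n"
)

# Single-purpose tagged addresses confirmed as leaked; retiring them costs
# nothing because nobody legitimate writes to them. Constructed list.
LEAKED = {
    "makemoneyfromhotair@mydomain.com",
    "sweeps-2009@mydomain.com",
}


def parse_policy_request(text):
    """Parse one blank-line-terminated block of name=value attribute lines."""
    attrs = {}
    for line in text.split("\n"):
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def decide(attrs, leaked=LEAKED):
    """Return the policy action for one request.

    REJECT at the RCPT stage means the remote MTA receives a 5xx inside the
    session: our server never generates a bounce (so no backscatter hits a
    forged sender), and the spammer learns only what any unknown-user
    rejection would tell them. DISCARD would be the 'blackhole' choice: it
    answers 250, keeps the address looking live, and throws the mail away."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    if attrs.get("protocol_state") != "RCPT":
        return "DUNNO"
    recipient = attrs.get("recipient", "").strip().lower()
    if recipient in leaked:
        return "REJECT 5.1.1 Recipient address retired"
    return "DUNNO"  # let the remaining restrictions decide


def policy_response(text):
    """Full wire response for one request: an action line plus a blank line."""
    return "action=%s\n\n" % decide(parse_policy_request(text))


if __name__ == "__main__":
    print(policy_response(SAMPLE_REQUEST), end="")
```

`DUNNO` hands the decision back to the rest of the restriction list, so the service only ever adds rejections for the retired addresses and never whitelists anything. Because the rejection happens before the message body is accepted, it also costs far less bandwidth than accepting and filtering.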
    • Profile picture of the author LB
      There's definitely going to be fallout from this with services like McAfee's SiteAdvisor that flag sites as dangerous.

      For those who don't know, when McAfee finds a signup form they submit a unique email and then monitor that email address for spam. If it gets spammed then they will possibly flag the site as "dangerous".

      You can read more about it here:

      McAfee SiteAdvisor Software - Website Safety Ratings and Secure Search

      Our test computers click on these links and register our e-mail at each sign-up we find. We use each test e-mail address once and only once so we know exactly what registration led us to receive a given set of e-mails. Depending upon the type and number of e-mails we receive, we may assign a yellow or even red rating for that site's e-mail handling practices.
      Has anyone confirmed whether or not this is still happening with new forms?

      I'm getting plenty of spam on the unique addresses I used with aweber forms but they were submitted long ago.

      This is just unbelievably bad.
  • Profile picture of the author MichaelHiles
    Just as I had suspected.

    I have now lost subscribers from lists because of the Aweber breach. One was particularly aware of the problem with Aweber.

    I was extremely annoyed before.

    Now it's costing me money, and annoyance is turning to anger and direct losses.

    I can quantify my cost per lifetime value per subscriber, and suffice it to say that the money I have already lost from this far exceeds the current total that I've even paid to Aweber.

    As a calculated financial decision, I am going to have to terminate my business relationship with the company.

    This isn't just a little "oh, whoops, we plugged the hole" issue. Tom has a major PR issue right now that is now translating into financial losses for his clients.

    Just saying "oh whoops we fixed the hole and have better systems now" isn't going to cut it.
    • Profile picture of the author CDarklock
      Originally Posted by MichaelHiles View Post

      Just saying "oh whoops we fixed the hole and have better systems now" isn't going to cut it.
      What is?

      I mean, honestly, what can they do?

      Someone broke in and stole some stuff. We can't get back what they stole. We installed better locks, so they won't steal stuff again.

      They should do something else, too?

      Like what?
      Signature
      "The Golden Town is the Golden Town no longer. They have sold their pillars for brass and their temples for money, they have made coins out of their golden doors. It is become a dark town full of trouble, there is no ease in its streets, beauty has left it and the old songs are gone." - Lord Dunsany, The Messengers
      • Profile picture of the author MichaelHiles
        Originally Posted by CDarklock View Post

        What is?

        I mean, honestly, what can they do?

        Someone broke in and stole some stuff. We can't get back what they stole. We installed better locks, so they won't steal stuff again.

        They should do something else, too?

        Like what?
        I dunno. I don't really think they can do anything else without getting into serious $.
        • Profile picture of the author Paul Myers
          Michael,
          This isn't just a little "oh, whoops, we plugged the hole" issue. Tom has a major PR issue right now that is now translating into financial losses for his clients.
          The response could hardly be characterized as "Oh, whoops." Beyond that, I'd generally agree with this statement. And then I'd look at the track records of the alternatives.

          This is the first significant issue with Aweber in 11 years. They have the occasional glitch, but there isn't a major player in the market who doesn't.

          GetResponse? I'd consider the serious issue they had with their recent update. Some of the other big providers that people regularly recommend here have had recurring and significant issues with spam, resulting in their systems getting blocked at some hefty services.

          All of these end up costing publishers measurable amounts of money. The improved deliverability and time/cost efficiencies more than make up for them. The question is, which provides the best ratio?

          The only one who can answer that for you is you.

          As far as security, I've heard of one very large ISP, several banks, and a leading investment house that have had more serious breaches in the past few years. Oh yeah... and the Department of Defense.

          Just some perspective on the issue of perfect security...


          Paul
          • Profile picture of the author MichaelHiles
            Originally Posted by Paul Myers View Post

            Michael, The response could hardly be characterized as "Oh, whoops." Beyond that, I'd generally agree with this statement. And then I'd look at the track records of the alternatives.

            This is the first significant issue with Aweber in 11 years. They have the occasional glitch, but there isn't a major player in the market who doesn't.

            GetResponse? I'd consider the serious issue they had with their recent update. Some of the other big providers that people regularly recommend here have had recurring and significant issues with spam, resulting in their systems getting blocked at some hefty services.

            All of these end up costing publishers measurable amounts of money. The improved deliverability and time/cost efficiencies more than make up for them. The question is, which provides the best ratio?

            The only one who can answer that for you is you.

            As far as security, I've heard of one very large ISP, several banks, and a leading investment house that have had more serious breaches in the past few years. Oh yeah... and the Department of Defense.

            Just some perspective on the issue of perfect security...


            Paul
            Yeah I know Paul. There's no such thing.

            It's just disheartening all the way around.
            • Profile picture of the author Paul Myers
              Michael,
              It's just disheartening all the way around.
              Yeah. For everyone.

              In the time I've been doing business online, I have yet to see a system these bast_rds didn't make more difficult and expensive to run. Usually by orders of magnitude.

              It's made worse by idiots who don't keep track of the security of their own computers, and who demand everything for nothing. (Clearly not a comment about you personally. You see them here all the time, though.)

              And then there are the in-duh-viduals who think it's cool to come up with tricks to get around the terms of service of various sites, flooding them with traffic that doesn't fit the sites' purposes. The souls of spammers and phishers, every one of them.

              As disheartening as that all is, it's barely the tip of the iceberg. There are things in the vasty virtual deep that scare the hell out of me. 10's of millions of bot-infected computers, and crackers that couldn't care less about little things like spam or credit card numbers, for starters.

              If you're in this business and you're not at least a little disheartened, you just don't know enough.


              Paul
              • Profile picture of the author Shaun OReilly
                Originally Posted by MichaelHiles View Post

                This isn't just a little "oh, whoops, we plugged the hole" issue. Tom has a major PR issue right now that is now translating into financial losses for his clients.

                Just saying "oh whoops we fixed the hole and have better systems now" isn't going to cut it.
                I think that AWeber have handled this pretty well, but certainly not excellently.

                Yes - they owned up to the source of the problem. That's admirable.

                Yes - they posted a detailed blog post going into the specifics about how it happened and what was being done to prevent further issues. Great.

                However, where they completely missed the ball was in actually empathizing with the IMPACT this admittedly inadvertent slip-up has caused their customers and the subscribers of their customers.

                I got the AWeber announcement within minutes of it being posted on Twitter. The original blog post didn't even have an apology on it at all - no 'sorry' (the lame 'We're sorry' was only added later).

                However, in their defence I guess that they had 1001 fires to put out then (and now) at AWeber so they likely weren't thinking fully straight at the time.

                I agree with Michael that sorry doesn't cut it. So what does?

                Empathy.

                Let me dimensionalize the impact this AWeber faux pas has had on me and likely on some of my subscribers as well.

                For years I've had a 100% spam-free private e-mail address that is now receiving not just spam, but foul pornographic spam.

                I used to have peace of mind that I could open up my private e-mails and no spam would be present.

                That's now gone. (See the attached screenshot of the Mailwasher Pro inbox that now greets me in the morning - yuck).

                My vital business and previously spam-free e-mail addresses of support@domain.com, paypal@domain.com, etc. are now receiving the same pharma spam.

                Before this issue, I knew that if my iPhone beeped, either an order had just come in or a valued customer required support.

                Now that's gone too.

                I can't terminate these vital business e-mails without major disruption in the interim.

                My GMail addresses are also getting spam too (see screenshot).

                Comprende now AWeber?

                Can you see how AWeber's blog apology of 'We're very sorry this occurred and may have affected you.' is almost completely inadequate?

                If there's a real issue - address it. Don't shine over it with inane and completely bromidic one liners.

                In addition to lacking empathy, AWeber's response time to the issue was too long. Note that I was not expecting a definitive answer within minutes, but I was expecting a Blog or Twitter post on Friday/Saturday saying that they were aware there was a problem - somewhere - and they were taking their time to thoroughly investigate the root of the problem to see if they were even the source.

                Making the correct diagnosis on Monday was great. But not publicly acknowledging a problem existed in the meantime was not a good idea from a customer relationship point of view.

                So, more communication so customers don't feel in the lurch whilst the issue is being investigated and dealt with.

                A simple 'We've heard there could be a problem. We don't know if we're even the source. We'll report back as soon as we know.'

                (That's 140 characters and could fit on a Tweet!).

                Originally Posted by CDarklock View Post

                What is?

                I mean, honestly, what can they do?

                Someone broke in and stole some stuff. We can't get back what they stole. We installed better locks, so they won't steal stuff again.

                They should do something else, too?

                Like what?
                Here's what else AWeber could have done but as yet have not.

                They could have proposed some potential solutions that their customers could implement to deal with the spam that AWeber's inadvertent system lapse has caused.

                Yes, the spam horse has bolted, but there are ways of dealing with it.

                Admit the problem - yes. But also point to useful solutions for customers too.

                (As a former engineer, I'm decent at problem identification but I'm also obsessed with the more important part of actually finding solutions).

                For example, here's ONE potential solution that I'm testing to clean my own inbox of the pharma spam from this issue...

                (It's worked with one of my forwarding e-mail addresses so I'll transfer the others over today).

                GMail seems to be very effective at picking up the spam and consigning it to their spam folder. Luckily, the current spam is so blatant that it's all getting filtered by GMail into spam automatically - so far.

                Therefore, I've created a unique GMail account to 'wash' the mail.

                Here's specifically what I'm doing:

                1. Forward E-mails from My Domains to GMail

                I'm forwarding all of my own domain e-mails to the newly created GMail account. This ensures that the current spam gets filtered into the spam folder.

                2. Forward E-mails from GMail to Unique Domain E-mail

                I've now created a unique e-mail address on my domain and all of the cleaned e-mails are being forwarded from GMail to my new e-mail account.

                So, the process is:

                All Email -> Forward to GMail -> Forward to Unique Domain E-mail

                Result: Cleaned up inbox once it gets to my end.

                Sure, it's not ideal because I'm now relying on GMail in the process of getting my own e-mail, but it's working for the blatant spam for now. This way, I don't get to see the filthy spam (unless I go looking into my Gmail 'washing' account).

                So, why couldn't AWeber have suggested something like this?

                Understandably too busy at the moment.

                I began moving my lists over to Infusionsoft back in April and the transfer was fully completed around 2 weeks ago, before this AWeber issue even came up.

                Ironically, AWeber is probably one of the safest places to have your list from now on, as I'm sure that they'll be hyper-paranoid from here and will have multiple systems in place to make sure that the locks are never off their doors again.

                This could have happened to any third party autoresponder service.

                Remember that the spammers only have to be lucky ONCE and the service providers have to be lucky ALL THE TIME.

                I hope this post is helpful for you.

                Dedicated to your success,

                *Shaun O'Reilly
          • Profile picture of the author 52.ct
            Originally Posted by Paul Myers View Post

            Michael, The response could hardly be characterized as "Oh, whoops." Beyond that, I'd generally agree with this statement. And then I'd look at the track records of the alternatives.

            This is the first significant issue with Aweber in 11 years. They have the occasional glitch, but there isn't a major player in the market who doesn't.

            GetResponse? I'd consider the serious issue they had with their recent update. Some of the other big providers that people regularly recommend here have had recurring and significant issues with spam, resulting in their systems getting blocked at some hefty services.

            All of these end up costing publishers measurable amounts of money. The improved deliverability and time/cost efficiencies more than make up for them. The question is, which provides the best ratio?

            The only one who can answer that for you is you.

            As far as security, I've heard of one very large ISP, several banks, and a leading investment house that have had more serious breaches in the past few years. Oh yeah... and the Department of Defense.

            Just some perspective on the issue of perfect security...


            Paul
            About 3 years ago I had a medical procedure performed. About 1.5 years ago the hospital sent me a letter saying that their system was hacked and the culprit(s) stole the personal information, including name, address, SSN, etc., of patients for the last 15 to 20 years.

            Whoever did it actually walked into the building and accessed the computers directly.

            About 300,000 patients' info was stolen. Now I have to monitor my credit closely for the rest of my life.

            I guess it is the sign of the times.
  • Profile picture of the author teakwood
    Yes, the last few days I have been getting hammered with pharmacy and enlargement spam to a variety of email addresses I have used to sign up to IM lists.

    Some of these addresses were created for specific sign-ups and have hardly been used, so much so I forgot they existed.

    I have searched these rare addresses specifically to find the original sign-ups, and so far every one of them - from several different marketers/lists - has been with Aweber.

    I came to the forum today just to look for whether this question had been asked, and find it a clear confirmation of my own suspicions.
  • Profile picture of the author trafficwave
    Aweber appears to have responded on their site:

    How We’ve Addressed The Recent Data Compromise

    In the world of IT, software, online systems, etc... the question is never "will it happen" but "WHEN will it happen?".

    From what they are saying, they appear to have identified where the breach occurred, solved it, and are now taking corrective action to prevent this from happening again.

    One really can't ask for much more than that from any company.

    I can imagine that any of the rest of us in this market would have handled it the same way.

    Kudos to Tom and Company for handling the situation quickly.
    Signature

    -----------------------------
    Brian Rooney
    TrafficWave.net Email Marketing AutoResponders
    Email Marketing Blog

  • Profile picture of the author ktpasco
    Aweber has had some security issues over the past few weeks but everything is up and running now!
  • Profile picture of the author MichaelHiles
    Shaun, you do address a piece of the problem. On a personal basis, I have a Barracuda anti-spam device in my rack. So I can just turn up the volume a little.

    The part that I don't think Aweber's response really takes into account is the fact that we use their service to manage a vital link in the relationship with OUR customers.

    I agree with Paul, it's not something that hasn't happened to other providers. And yes, I understand and agree that it's a sign of the times.

    But I am going to put it on the table here.

    Each and every person who uses Aweber to manage their list theoretically COULD be sued for breaching the stated privacy policy and anti-spam language of their list by each person who has received spam after agreeing to sign on based upon those disclosures.

    I have language that states how I hate spam, and their email is safe with me. Etc...

    Those people have put a level of trust in me.

    That trust was compromised in a significant way - and has not only created direct financial loss because of unsubscribes (remember, I can't sell them something in the future if I can't communicate with them), but it has opened each of us up to a theoretical liability.

    Now it would indeed be a $hitbird of gargantuan scale that would initiate some sort of action like this, but should that happen, each of us would have no choice but to then sue Aweber because of the jeopardy that we're now facing.

    I've tried to stress this several times to this community - in business, when you place your trust in a service provider, mentor, etc... and that person fails, the loss of revenue and opportunity creates this nasty thing called liability. I've tried to caution a lot of these starry-eyed offline folks who want to dance down the road into the nearest local business and start tweaking with someone's revenue based on their self-aggrandizing view of being a marketing superstar when they really only know how to push out a few articles and jack some SEO.

    The point is that we're talking about a grownup game here with very real consequences and liabilities.
    • Profile picture of the author LB
      Originally Posted by MichaelHiles View Post

      Shaun, you do address a piece of the problem. On a personal basis, I have a Barracuda anti-spam device in my rack. So I can just turn up the volume a little.

      The part that I don't think Aweber's response really takes into account is the fact that we use their service to manage a vital link in the relationship with OUR customers.

      I agree with Paul, it's not something that hasn't happened to other providers. And yes, I understand and agree that it's a sign of the times.

      But I am going to put it on the table here.

      Each and every person who uses Aweber to manage their list theoretically COULD be sued for breaching the stated privacy policy and anti-spam language of their list by each person who has received spam after agreeing to sign on based upon those disclosures.

      I have language that states how I hate spam, and their email is safe with me. Etc...

      Those people have put a level of trust in me.

      That trust was compromised in a significant way - and has not only created direct financial loss because of unsubscribes (remember, I can't sell them something in the future if I can't communicate with them), but it has opened each of us up to a theoretical liability.

      Now it would indeed be a $hitbird of gargantuan scale that would initiate some sort of action like this, but should that happen, each of us would have no choice but to then sue Aweber because of the jeopardy that we're now facing.

      I've tried to stress this several times to this community - in business, when you place your trust in a service provider, mentor, etc... and that person fails, the loss of revenue and opportunity creates this nasty thing called liability. I've tried to caution a lot of these starry-eyed offline folks who want to dance down the road into the nearest local business and start tweaking with someone's revenue based on their self-aggrandizing view of being a marketing superstar when they really only know how to push out a few articles and jack some SEO.

      The point is that we're talking about a grownup game here with very real consequences and liabilities.
      I agree completely. As I posted above, there is also the possibility that sites could be listed as "dangerous" by certain web services.

      I hope that aweber has contacted the appropriate authorities and is pursuing criminal charges against those involved.

      I hope aweber has some serious liability insurance...what aweber doesn't seem to realize is that when customers receive mail from us they don't think of it as coming from "aweber" but US.

      In other words our lists think we're spamming them.

      Sadly, I moved from aweber years ago but I still have a 10k or so list with them. I'm not even using them anymore and this happened to everyone on that list.

      I've never been a fan of aweber's "holier than thou" attitude. A couple of times I posted a response to one of their blog posts that was contrarian and it never gets approved by their moderator...they just let it sit.

      I hope aweber is meeting with their insurer about the real ramifications of this.

      As we all know, spam seems to multiply. Expect these email addresses to be sold/traded repeatedly. I would not be surprised to be receiving 100 spams per day within a few months.
      Signature
      Tired of Article Marketing, Backlink Spamming and Other Crusty Old Traffic Methods?

      Click Here.
  • Profile picture of the author DogScout
    Infusionsoft is also a 'big' player. Big players make for big targets, I know of no system that is uncrackable unless it is off line (with the possible exception of SAC). Don't want to be a target? Don't play with targets. I think in any case it is up to us to be ever vigilant. Just as I have to ultimately be responsible for my own income, health-care and everything else, this is much the same.


    I am sure Aweber has covered themselves in the event something like this ever occurred. Bottom-line? Don't think there is much to be done at this point except 'spin control'

    fortunately most of my stuff is elsewhere, not IS, Lol.
  • Profile picture of the author robognome
    Sorry, Shaun. I've got some bad news. It isn't just aweber (and the aweber private label prosender).

    I use a unique email alias for each list I subscribe to - each is not used anywhere else - just in case some marketer decides to go rogue. Silly me. Little did I imagine.

    I am getting the same viagra and "male enhancement" spams to all of my subscription email accounts. Not one of my regular email accounts (not even ones used for domain registration) has been hit with this spam.

    So that pretty much rules out scraping or a compromised pc.

    The really scary part is that I am getting this spam through email addresses that I only used to subscribe through other services like getresponse and infusionsoft to name two more.

    So do these guys all share a common platform? Are they pooling their resources somehow?

    Are they checking email addresses against some 3rd party service (or is it a 4th party?) that has been compromised? Maybe a 3rd party service has gone rogue. Or just compromised.

    Or it is the world's biggest coincidence.

    Bottom line it ain't just aweber.

    Edit: The email addresses I use are not obvious ones like info or sales or owner. That would be lame. They are usually of the form product-or-marketername-##@example.com, where ## is a number etc. So it doesn't take long to figure out who screwed the pooch.
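The per-list alias scheme described in the post above is, in effect, a leak-attribution system: every address is a canary for exactly one subscription, so the set of aliases that starts receiving spam points at the list (and the provider behind it) that leaked. The following script is an added example and is not code from the thread or from any of the providers named in it; the registry, the provider names and the spam header lines are all constructed for illustration, and the `label-##@example.com` pattern is assumed from the post. It parses the recipient addresses out of spam `To:` headers, looks each alias up in a registry of subscriptions, and reports, per provider, how many of its registered aliases were hit, flagging a provider only when every alias it holds was hit and there are at least two of them, so a single-alias provider is never accused on one data point.

```python
"""Attribute spam hits to leaked subscriptions using one alias per list.

Added example; names, providers and header lines are constructed.
"""
import re
from collections import defaultdict
from email.utils import getaddresses

# Alias pattern assumed from the post: <label>-<two-or-more digits>@example.com
ALIAS_RE = re.compile(
    r"^(?P<label>[a-z0-9-]+?)-(?P<seq>\d{2,})@example\.com$", re.IGNORECASE
)

# Constructed registry: alias -> (list name, provider that hosts the list).
SUBSCRIPTIONS = {
    "widgetcourse-01@example.com": ("Widget Course", "provider-a"),
    "bobsnews-02@example.com": ("Bob's Newsletter", "provider-a"),
    "seo-report-03@example.com": ("SEO Report", "provider-b"),
    "weekly-04@example.com": ("Weekly Digest", "provider-c"),
}

# Constructed To: header values copied from a handful of spam messages.
# Note the mixed case, the display name, and two addresses that are not
# registered aliases at all (a guessed role address and an unregistered seq).
SPAM_TO_HEADERS = [
    "WidgetCourse-01@example.com",
    "Bob <bobsnews-02@example.com>, seo-report-03@example.com",
    "bobsnews-02@example.com",
    "info@example.com",
    "widgetcourse-01@example.com, weekly-99@example.com",
]


def extract_recipients(header_values):
    """Return the distinct, lower-cased addresses found in To: header values."""
    recipients = set()
    for value in header_values:
        for _name, addr in getaddresses([value]):
            if addr:
                recipients.add(addr.lower())
    return recipients


def parse_alias(addr):
    """Split a per-list alias into (label, sequence number), or None."""
    m = ALIAS_RE.match(addr)
    if not m:
        return None
    return m.group("label").lower(), int(m.group("seq"))


def attribute(header_values, subscriptions=SUBSCRIPTIONS):
    """Map spam recipients back to providers.

    Returns (report, unknown): report[provider] holds the number of that
    provider's aliases that received spam, how many aliases it has in total,
    and which lists were hit; unknown lists addresses that are not registered
    aliases (guessed, mistyped, or never issued), which should not be counted
    as evidence against any provider.
    """
    total_by_provider = defaultdict(set)
    hit_by_provider = defaultdict(set)
    unknown = set()
    for alias, (_list_name, provider) in subscriptions.items():
        total_by_provider[provider].add(alias)
    for addr in extract_recipients(header_values):
        if parse_alias(addr) is None or addr not in subscriptions:
            unknown.add(addr)
            continue
        hit_by_provider[subscriptions[addr][1]].add(addr)
    report = {}
    for provider, aliases in total_by_provider.items():
        hits = hit_by_provider.get(provider, set())
        report[provider] = {
            "hit": len(hits),
            "registered": len(aliases),
            "lists": sorted(subscriptions[a][0] for a in hits),
        }
    return report, sorted(unknown)


def suspect_providers(report, min_hits=2):
    """Providers whose every registered alias was hit (at least min_hits of them)."""
    return sorted(
        p for p, r in report.items()
        if r["hit"] >= min_hits and r["hit"] == r["registered"]
    )


if __name__ == "__main__":
    rep, unk = attribute(SPAM_TO_HEADERS)
    for provider, row in sorted(rep.items()):
        print(f"{provider}: {row['hit']}/{row['registered']} aliases hit {row['lists']}")
    print("unregistered recipients:", unk)
    print("suspect providers:", suspect_providers(rep))
```

The `min_hits` threshold is the important design choice: with only one alias at a provider, a single spam hit is indistinguishable from a coincidence (the address could have been guessed or scraped elsewhere), which is exactly the counter-argument a provider will raise. Unregistered recipients are reported separately rather than ignored, because a spammer hitting `weekly-99` when only `weekly-04` was ever issued suggests sequence guessing rather than a leak.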
  • Profile picture of the author LB
    Has aweber sent out any sort of notice to their customers about this? Or is it just that post on their website?

    I haven't received anything.
    Signature
    Tired of Article Marketing, Backlink Spamming and Other Crusty Old Traffic Methods?

    Click Here.
    • Profile picture of the author Josh Anderson
      Originally Posted by LB View Post

      Has aweber sent out any sort of notice to their customers about this? Or is it just that post on their website?

      I haven't received anything.
      Their silence is deafening.

      The lack of an email notification about this issue from them is very concerning to me. The blog post and yet no email to truly notify their client base does not feel right.
      • Profile picture of the author Talent ISL
        Originally Posted by Josh Anderson View Post

        Their silence is deafening.

        The lack of an email notification about this issue from them is very concerning to me. The blog post and yet no email to truly notify their client base does not feel right.
        We received an email notification on their blog post.

        Here is the screen-shot:


        Wishing Merry Christmas to all Warriors,
        Ali.
        • Profile picture of the author Josh Anderson
          I am referring to an actual email sent to all Aweber clients... not just people subscribed to the blog.

          They have not yet notified their client base who may not be subscribed to the blog via email... I have not received any email from them or any notification of the breach.

          At this point in the game since they are aware of it I would have liked to have been notified... as I am sure many other clients would appreciate as well.

          It sucks to read about it here first... and even after they confirm it to not be notified.

          My faith in them is a bit shaken.

          Originally Posted by Ali Anjamparuthi View Post

          We received an email notification on their blog post.
          Frankly I would be less concerned if it were only my info that was breached. It has already been illustrated in this thread how this can negatively affect the companies whose subscriber list information has been breached.
  • Profile picture of the author DogScout
    an email to all user's customers might be a good thing...
    unless one particular user's customer was not getting spam and this just fueled a fire...

    hard to know what the best course of action would be sometimes.

    the thing is, this really is a pain for Aweber too, as well as the users.
    • Profile picture of the author LB
      Originally Posted by DogScout View Post

      an email to all user's customers might be a good thing...
      unless one particular user's customer was not getting spam and this just fueled a fire...

      hard to know what the best course of action would be sometimes.

      the thing is, this really is a pain for Aweber too, as well as the users.
      I think contacting people actually on the lists would be inappropriate and very bad.

      However, not contacting the people who actually purchase and use their service is really inexcusable.

      It seems they are in full "damage control" while hoping no damage actually occurs.

      If we were to assume the hackers got access to all the emails...which at this point seems possible since I'm getting hit on 4-year old unique addresses, then this could be one of the largest single email thefts in history. Frankly, it could be national news.
      Signature
      Tired of Article Marketing, Backlink Spamming and Other Crusty Old Traffic Methods?

      Click Here.
  • Profile picture of the author Jay D
    I got so many spam emails from pharmaceutical companies and sh*t! It was annoying. You people should be glad that your credit card & personal info wasn't stolen or it could have been worse.
  • Profile picture of the author LB
    The other thing is this...wasn't this data encrypted?

    I'm sort of at a loss how this technically occurred. If you simply hack into a database it should look like "@#4s$%r6g7774$&" unless the data was NOT encrypted or the hackers gained root level access.

    Additionally, aweber asserts that no personal data like addresses or credit card numbers were taken but then go on to say that they're not sure how many email addresses were affected? How can they know one without the other?

    This whole thing stinks.
    Signature
    Tired of Article Marketing, Backlink Spamming and Other Crusty Old Traffic Methods?

    Click Here.
    • Profile picture of the author DogScout
      Originally Posted by LB View Post

      The other thing is this...wasn't this data encrypted?

      I'm sort of at a loss how this technically occurred. If you simply hack into a database it should look like "@#4s$%r6g7774$&" unless the data was NOT encrypted or the hackers gained root level access.

      Additionally, aweber asserts that no personal data like addresses or credit card numbers were taken but then go on to say that they're not sure how many email addresses were affected? How can they know one without the other?

      This whole thing stinks.
      The lack of encryption is disconcerting

      unless they were able to hack the encryption as well!
    • Profile picture of the author robognome
      Originally Posted by LB View Post

      I'm sort of at a loss how this technically occurred. If you simply hack into a database it should look like "@#4s$%r6g7774$&" unless the data was NOT encrypted or the hackers gained root level access.
      I doubt they gained root access.

      The aweber page says that the hackers used a vulnerability in some 3rd party software that they used. My hunch is that this was software that handled the actual mass emailing since that would be generic. The hackers did NOT take control of the software, but apparently just found a way to make it reveal the email addresses it was sending to.

      This would not necessarily be a database hack. It could be just a matter of getting access to a sensitive script or log file directory. Any one of a million things.

      Hell, it could be as simple as finding a way to read a log file that kept an audit trail of email addresses that were sent email by their system. That's all they would have needed.

      This would also explain why my getresponse and infusionsoft email aliases were also obtained by the spammers. I sure wish I knew what software was involved.

      Has anyone contacted or been contacted by infusionsoft or getresponse about this?
  • Profile picture of the author Simon Grabowski
    Robognome,

    There's no reason to think that GetResponse got hacked
    because Aweber got hacked in the first place.

    We're confident about our security measures, and there are
    no customer reports about any potential issues like this.

    I understand that things can get a bit emotional when a large
    email marketing company gets breached like this, but
    GetResponse has a totally different infrastructure.
    GetResponse was not breached and we fully stand by our
    security measures.

    Please feel free to PM me the email address that got
    spammed (+ full headers of the spam email) and I'll
    have our team look into it. Currently there's nothing to
    indicate that it's anything other than a coincidence.

    Regards,

    = Simon
    Signature
    WARRIORS - Try GetResponse Free for 30 Days!
    99.3% deliverability. Top features. $15/mo for 1,000 subscribers.