Email Marketing Services Targeted by Hackers

Written by Paul Cunningham on February 11, 2010

There have recently been two publicized, high profile attacks on email marketing services. The two services are Aweber and iContact, each confirming the attacks within about a month of each other.

These companies, and many others like them, provide email marketing services to websites and other online businesses. Email marketing, when done properly, is a legitimate practice and is not spam, although some people do not make the distinction between the two.

A legitimate email marketing service will require a subscriber to deliberately opt-in to a list, usually by sending them a confirmation email before they are added to a marketer’s email list.  This stops spammers from simply harvesting email addresses, importing them into one of these services, and starting to spam them.

This opt-in requirement, plus other measures, assures a high deliverability rate for the customers of the email marketing service because antispam systems on the receiving end can have a high level of confidence that the marketing messages are opt-in and not spam.

Among the more paranoid web users there is a tendency to use unique emails for each mailing list that they sign up to.  So if they were to sign up to ABC Corp’s mailing list, they would use paul_abc@somewhere.com, and then for XYZ Pty Ltd would use paul_xyz@somewhere.com.

This might seem like a lot of hassle to go to, generating a unique email address for every list you subscribe to, but when the attacks on these companies occurred it was these people who noticed the problem first. Suddenly their secret, unique addresses began receiving pharmaceutical spam emails. The average person who uses one single email address probably would not have noticed this additional spam.
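The single-purpose-address habit described above can be turned into a simple leak detector. This is an added example, not code from the original post: it keeps a registry of which tagged address was given to which list and the sender domain that list is expected to use, then scans constructed mail-log lines (hypothetical `from=<...> to=<...>` format) for tagged addresses receiving mail from anyone else. Addresses, domains and the log format are all assumptions for illustration.

```python
import re
from collections import Counter

# Constructed registry (hypothetical values): each single-purpose address,
# the list it was given to, and the sender domain that list is expected to use.
REGISTRY = {
    "paul_abc@somewhere.com": {"list": "ABC Corp newsletter",
                               "expected_sender": "abc-corp.example"},
    "paul_xyz@somewhere.com": {"list": "XYZ Pty Ltd updates",
                               "expected_sender": "xyz.example"},
}

# Constructed mail-log lines in an assumed "from=<...> to=<...>" format.
SAMPLE_LOG = """\
from=<news@abc-corp.example> to=<paul_abc@somewhere.com>
from=<cheap-meds@pharma-spam.example> to=<paul_abc@somewhere.com>
from=<offers@pharma-spam.example> to=<PAUL_ABC@somewhere.com>
from=<updates@xyz.example> to=<paul_xyz@somewhere.com>
from=<friend@mail.example> to=<paul@somewhere.com>
this line is not a delivery record
"""

LINE_RE = re.compile(r"from=<([^>]+)>\s+to=<([^>]+)>")


def parse_line(line):
    """Return (sender, recipient) lower-cased, or None if the line is not a delivery record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def sender_matches(sender, expected_domain):
    """True if the sender's domain is the expected domain or a subdomain of it."""
    domain = sender.rsplit("@", 1)[-1]
    return domain == expected_domain or domain.endswith("." + expected_domain)


def find_leaks(log_text, registry=REGISTRY):
    """Count, per list, messages sent to that list's tagged address by an unexpected sender.

    A non-zero count means the address handed only to that list is being used by
    someone else, which is exactly how the breach was first noticed by subscribers."""
    leaks = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        sender, recipient = parsed
        entry = registry.get(recipient)
        if entry is None:
            continue  # not one of our single-purpose addresses
        if not sender_matches(sender, entry["expected_sender"]):
            leaks[entry["list"]] += 1
    return dict(leaks)
```

Running `find_leaks(SAMPLE_LOG)` on the constructed log attributes the two pharmacy messages to the ABC Corp list, which is the list whose address should be discarded and re-issued.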

Initial reports were sketchy, but eventually first Aweber, and then later iContact, determined that a data breach had occurred in their systems. In both cases the outcome was the same – subscriber email addresses were compromised, but customer account and billing information was not. For the attackers this was a major score. Hundreds of thousands, if not millions, of valid working email addresses are now in their hands ready to be spammed. And now that the data is out there, there is no way to get it back.

The paranoid web users, with their single-purpose email addresses, can probably go to the effort of unsubscribing and then discarding those addresses and generating new ones to re-subscribe with.  The average user with just one email address that all their friends and family know has no such luxury.

Both incidents cast a shadow across the internet marketing industry and put a lot of pressure on email marketers.  These people ask for their subscribers’ trust and in turn trust their service provider to keep their subscriber email addresses secure.

As serious as this incident is, the real impact is not necessarily all that big. Valid email addresses fall into the hands of spammers every day; there is nothing more special about the ones compromised in these attacks other than the sheer volume of them that the hackers were able to net in one go.

For email users, particularly those in businesses, who are running a good anti-spam system, the impact will likely be nothing at all. The spammers aren’t able to leverage the trust of the email marketing services’ servers to send their spam; they still need to send it out via their usual compromised servers and botnets, which a good anti-spam system will still block.

However it does highlight the fact that as long as we try to use email for legitimate business, spam will always be a problem.

About Paul Cunningham

Paul lives in Brisbane, Australia and works as a technical consultant for a national IT services provider, specialising in Microsoft Exchange Server and related messaging systems.

Comments


Rob S. February 12, 2010

CampaignMonitor is another ESP that was hacked in the last year:

http://www.campaignmonitor.com/blog/post/2852/campaign-monitor-attacked-by-hackers-some-accounts-compromised/

I wouldn’t be surprised if there were others and that there will be more to come. As you mentioned, ESPs store a great deal of working e-mail addresses making them a valuable target. Long gone are the days of script kiddies hacking sites. These days it is organized crime planning their attacks thoughtfully and persistently.

[Full disclosure: my employer is a customer of both iContact and CampaignMonitor. I'm happy to say that these unfortunate events haven't seemed to impact deliverability long-term for either ESP. Hopefully other ESPs learned from these attacks and have proactively reviewed their security measures.]

Tashina Yarberry September 6, 2010

Unfortunately, in reality email marketing is becoming a spamming marketing. With the emergence of software that tracks email addresses online, no one seems to be safe from this. The truth is once you give out your email address somewhere, you are already prone to spamming.
