This is True List Break-in
From True's 17 October 2010 issue.
On the whole, This is True readers are a pretty technically savvy bunch: many of you use "tracking" e-mail addresses -- addresses which readers have used only to subscribe to my newsletter(s) -- and I've had a number of reports this week from readers who have received spam to those unique addresses. That's obviously a big concern to me.
I use the industry leader "E-mail Service Provider" (or ESP), AWeber, for all of my lists (except, for technical reasons, the Premium -- paid -- list). I've used them since 2006 for "blog notification" e-mail subscriptions for my personal blog, for Cranky Customer, for Jumbo Joke, and several other minor lists. I moved This is True there in December 2009, when I started having significant service problems with the former industry leader, Lyris.
Like all ESPs, AWeber fends off thousands of attacks on its servers every day (literally: every day) from criminals trying to get hold of their vast store of e-mail addresses used by thousands of customers. Earlier this year, one of those criminals succeeded in obtaining subscriber lists from AWeber, including a portion of my subscriber list. This week, these criminals apparently got my entire list (along with many others).
On both of these occasions, I've communicated directly with the CEO of AWeber. As with every e-mail publisher (like me), their reputation is key: we're asking you to trust that we won't abuse your address. You sign up to get a newsletter or other service, not spam. And I hold that trust as sacred -- even though you've asked to get information from me, I never send ads-only mailings; that's not what you signed up for. So I've obviously put a lot of trust into AWeber, that they have the highest integrity too.
That includes my having trust in their security. "Industry standard" security isn't enough: they must be industry leaders and have their lists buttoned down tight. But with literally thousands of intrusion attempts per day, that means keeping on top of things, and AWeber has a full-time security team -- doing nothing but checking and tightening security anywhere there's even an inkling of trouble.
But last week, the criminals succeeded. AWeber did the responsible thing: they immediately acknowledged the security breach in public, on their blog, signed by the CEO himself.
While I'm obviously concerned that this security breach affected me, I'm much more concerned that it affected you: you undoubtedly have more spam on the address(es) you entrusted to me because of this. And for that you have my apologies. If you are using a "tracking address", you have the advantage that you can shut it down: the "change subscriber options" link at the bottom of each free edition newsletter not only allows you to easily unsubscribe, but allows you to change your delivery address too. If you can easily shut down your old address, I do urge that you do so now, and I hope you will continue to get This is True on a new address.
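The "tracking address" idea above (one unique address per subscription, so that spam arriving at it tells you which list leaked, and so that you can retire just that address) can be automated. The following is an added example written for this page, not code from This is True or from AWeber. It assumes a mailbox that accepts plus-addressing (`reader+tag@example.com`), a hypothetical secret used to derive the tag, and a constructed list of addresses that spam was delivered to; it derives the tag with an HMAC rather than using the service name in clear text, so that someone holding one leaked address cannot guess the tag used for another service.

```python
import hashlib
import hmac

# Hypothetical secret for this example only; in real use keep it outside the code.
SECRET = b"example-secret-do-not-reuse"


def make_tracking_address(mailbox: str, domain: str, service: str,
                          secret: bytes = SECRET) -> str:
    """Return a per-service address of the form mailbox+tag@domain.

    The tag is the first 8 hex characters of HMAC-SHA256(secret, service).
    Because the tag is keyed, it neither reveals the service nor lets a
    holder of one leaked address derive the address used elsewhere.
    """
    tag = hmac.new(secret, service.encode("utf-8"), hashlib.sha256).hexdigest()[:8]
    return f"{mailbox}+{tag}@{domain}"


def build_tracking_map(mailbox: str, domain: str, services, secret: bytes = SECRET) -> dict:
    """Map each lower-cased tracking address back to the service it was given to."""
    return {make_tracking_address(mailbox, domain, s, secret).lower(): s for s in services}


def attribute_leaks(tracking_map: dict, mailbox: str, domain: str, recipients) -> dict:
    """Classify the addresses spam was delivered to.

    Returns {"leaked": [services whose tracking address received spam],
             "bare":   [hits on the plain mailbox, i.e. the +tag was stripped],
             "unknown":[addresses that match nothing we handed out]}.
    """
    bare = f"{mailbox}@{domain}".lower()
    leaked, bare_hits, unknown = set(), [], []
    for addr in recipients:
        norm = addr.strip().lower()       # local parts are usually delivered case-insensitively
        if norm in tracking_map:
            leaked.add(tracking_map[norm])
        elif norm == bare:
            bare_hits.append(addr)        # spammer removed the tag; attribution is lost
        else:
            unknown.append(addr)
    return {"leaked": sorted(leaked), "bare": bare_hits, "unknown": unknown}


if __name__ == "__main__":
    # Constructed scenario: three subscriptions, then spam seen on two addresses.
    services = ["newsletter-a", "newsletter-b", "shop-c"]
    tmap = build_tracking_map("reader", "example.com", services)
    spam_to = [
        make_tracking_address("reader", "example.com", "newsletter-a"),
        "reader@example.com",             # tag stripped
        "someone-else@example.com",       # not ours
    ]
    report = attribute_leaks(tmap, "reader", "example.com", spam_to)
    for service, addr in ((s, a) for a, s in tmap.items()):
        print(f"{service:14s} -> {addr}")
    print("leaked services:", report["leaked"])
    print("bare hits      :", report["bare"])
    print("unknown        :", report["unknown"])
```

A service named in `leaked` is the one to unsubscribe from and re-subscribe to under a fresh address, exactly the "change subscriber options" step described above; a `bare` hit means the tag was stripped and the whole mailbox, not one subscription, should be treated as exposed.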
Can I Guarantee This Won't Happen Again?
Fighting spam and spammers' tactics is an ever-escalating battle. Spam is now the vast majority of all e-mail traffic for one simple reason: it makes the spammers money. They lie, they steal, they defraud, they infect your computer with viruses to steal your bank account information -- anything they can do to rip you off so they can deprive you of your hard-earned money. They'll literally do anything to steal more -- including invest their ill-gotten earnings in programmers and network professionals to do anything they can to expand their activities.
It's disheartening that AWeber's security was breached. I've learned a lot about their security procedures after signing a "Non-Disclosure Agreement" or "NDA", and I'm impressed with the investments they've made in their security infrastructure -- the specifics of which I cannot repeat due to that NDA. I'm convinced that moving to another ESP will not result in better list security, so I have chosen to remain with AWeber. Yes, as industry leader, they're a juicy target. But, as industry leader, they can also afford to fight back. Other ESPs are being targeted, and I have no doubt other providers have suffered such breaches too. (Lyris did, while I was using them, in a highly publicized incident. But the criminals didn't get my list that time.)
I've spent more than 16 years building my own reputation -- as one of the first e-mail publishers in existence, as an anti-spam educator, as a successful online businessman. There is no perfect security, but I am confident that AWeber is doing everything that can be done, and will continue to improve as this fight evolves. So I think it's a "big deal" that they still have my confidence.
So, might criminals succeed again in getting your address from the lists you subscribe to, from your own address book, or from your friends? Yes. The only way to be completely safe is to not be online at all. Just like the only way to not be robbed is to not go outside your home at all. But then, robbers (and spammers!) can just come into your home, too. They try daily, and they will continue to succeed from time to time. The only thing you can do is be smart and careful, and change your address now and then (and virus scan your computer regularly!), because they will succeed again -- if not at AWeber, then somewhere else.
And I'm using the word "criminals" advisedly: there is no other word for them. I know AWeber is working with the FBI on this, and I truly hope the FBI takes this case seriously. This is organized crime, and it does have serious repercussions on a significant business sector -- one of the few that is still growing in this horrible economy.
I believe the "spam war" is a real war, complete with collateral damage and innocent victims. But it's a war we must win if e-mail in particular, and online business in general, is to be a viable economic force.
Again, my apologies for any "collateral damage" that you've suffered.