Updated: this post has been updated – twice.
I don’t want to cause alarm on this but today I’ve had emails from 11 subscribers to two of my different email lists that I administrate at Aweber complaining that they’ve been inundated with pharmaceutical spam. In each case the subscribers have set up email addresses especially for my newsletters which they use for no other purposes.
In each case they’re complaining of getting the same types of emails – up to 20 of them in a few hours.
At first I thought perhaps my account had been compromised – but I began to do some investigating and am beginning to see some others talk about the same problem. For example @planetmike tweeted about a similar problem here.
I’m not sure if he’s talking about my newsletters – that’s a possibility.
Further searching in a few webmaster forums turns up similar discussions.
Webmaster World – “Today I got pharma/ED spam to various of those unique addresses. After a little research, I found the common thread: The companies I gave those addresses to use AWeber’s services. (AWeber provides mailing list services to businesses, e.g. sending newsletters to a company’s customers.)”
WarriorForum – “Today I am getting deluged with spam to addresses that are on aWeber lists, including a couple of email addresses that have ONLY been given to aWeber.”
From another user in the WarriorForum – “I’ve been having EXACTLY the same issue.
I have some test e-mail addresses that I ONLY use within AWeber and just today I’ve started receiving lots of spam to them.
These are e-mail addresses across multiple domains including my own and others such as GMail, etc.
These e-mails are only housed within AWeber so I know that the problem is somewhere within their systems.”
AWeber takes our security measures very strongly and employ tested technologies and measures to make sure that our system is not compromised. After receiving your email our team went through an exhaustive list of checks just to make sure that there are no indications that connects this spam message you received to an issue with AWeber. All of our tests have come back secure with no reports of intrusion or compromise.
Also note that after looking at the spam message in question we see that members of our teams have also received this same message to their personal addresses that have never been used in conjunction with AWeber.
We’ll continue to monitor our system. And of course if you have any further questions, please feel free to let me know.
I’m hesitant to make a call that Aweber has been compromised (I know they wouldn’t have played a part in this, they’re reputable and it’d be business suicide for them to be caught at that) – perhaps it’s a problem with some email service provider (although from the emails I’ve received it’s impacting people who subscribe with a variety of email providers) but something does seem to be wrong here.
I’ve got emails into Aweber and will update you with their response.
In the meantime – if you have received this spam and you’re on the ProBlogger newsletter list (as some are reporting) I sincerely apologise and hope we can get to the bottom of it.
PS: I’ve sat on this story for 18 hours hoping to get a response from Aweber but it seems that their support don’t work weekends (I’m actually a bit surprised that they don’t seem to have put any response on their blog or Twitter account as I’m now seeing more and more buzz about it in forums and on Twitter). I’ve since had another 10 or so angry complaints from readers and have seen the same thing happening for another list I have on a separate account which I use to promote the ProBlogger Book with Chris Garrett. That account is completely separate to my Aweber account and I don’t even have access to the password of it meaning that it’s not just my Aweber subscribers who are being hit.
Again – this could be a wider issue than just Aweber – perhaps some spammer is using some kind of system to target a whole lot of random email addresses – but it does seem that perhaps it’s somehow more centred around Aweber. Time will tell.
I don’t like to post this as I really love Aweber as a service (they’ve been brilliant since I switched to them) – but because readers seem to be unsubscribing and blaming me for it I wanted to make sure word was out that there may have been a problem.
I’d love to get comments from anyone who has similar experience with this in the last few days. Are your lists complaining of spam at the moment too? Hopefully in getting people’s experiences we’ll be able to help Aweber get to the bottom of what’s happening.
Update: Within half an hour of posting this Aweber got in touch. They’re not ready to make a public statement on this but are happy for me to pass on that they’re aware of it and are “doing extensive investigations into any possible issues.”
From what I can tell they’re collecting lots of data – perhaps if you have any specific data from those in your lists including header information of spam emails it could be worth emailing Aweber to let them know of your problem and any data that you have. I’d suspect that specific information would be helpful to them.
Update 2: Aweber have now made a statement about the compromise of data from their system. You can read my initial reactions to that here.
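The "common thread" check that the forum posters quoted above describe can be written down as a small script. This is an added example, not code from the original post or from AWeber: the registry, the `esp-one`/`esp-two`/`control` labels, the addresses and the spam samples are all constructed, and the control address stands for one that was never given to anyone, which is what separates a leak from random address guessing.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses

# Constructed registry: unique address -> the only holder it was ever given to.
REGISTRY = {
    "news-siteA@example.org": "esp-one",
    "news-siteB@example.org": "esp-one",
    "shop-c@example.net": "esp-one",
    "forum-d@example.org": "esp-two",
    "deals-e@example.net": "esp-two",
    "ctl-1@example.org": "control",   # never shared with any service
}

# Constructed spam samples; only the headers matter here.
SPAM = [
    "Delivered-To: news-siteA@example.org\nTo: <x@invalid>\nSubject: pills\n\nbody",
    "Delivered-To: News-SiteB@Example.org\nSubject: pills\n\nbody",
    "To: Shop C <shop-c@example.net>\nSubject: pills\n\nbody",
    "Delivered-To: news-siteA@example.org\nSubject: more pills\n\nbody",
]

def recipient(raw):
    """Envelope recipient if the MTA recorded one, else the To: header."""
    msg = message_from_string(raw)
    for header in ("Delivered-To", "X-Original-To", "To"):
        addrs = getaddresses(msg.get_all(header, []))
        if addrs and addrs[0][1]:
            return addrs[0][1].lower()
    return None

def hit_rates(spam, registry):
    """Fraction of each holder's unique addresses that received spam."""
    known = {a.lower(): h for a, h in registry.items()}
    total, hit = defaultdict(set), defaultdict(set)
    for addr, holder in known.items():
        total[holder].add(addr)
    for raw in spam:
        addr = recipient(raw)
        if addr in known:
            hit[known[addr]].add(addr)   # repeat spam to one address counts once
    return {h: len(hit[h]) / len(total[h]) for h in total}

def suspected_source(rates, threshold=0.5):
    """Name a holder only if it alone stands out and the controls stayed clean."""
    if rates.get("control", 0) > 0:
        return None  # never-shared addresses are hit too: not evidence of a leak
    over = [h for h, r in rates.items() if h != "control" and r >= threshold]
    return over[0] if len(over) == 1 else None
```

Sending the per-holder hit rates together with the full headers of the sample messages gives a provider something concrete to investigate.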
I’ve certainly noticed an increase in ‘Best Online Pharma’ type emails coming through to me over the last few days and hotmail is generally pretty good at filtering these out. In fact I would say I’ve never received this type of email until the other day.
Simon, Andy, and everyone else:
It may have taken AWeber a while to respond because the area is buried under nearly TWO FEET (58 cm) of SNOW!!
They had near-blizzard conditions over the weekend.
I never did like aweber.
Maybe try CompanyResponder.
I just spoke with AWeber Customer Service re: my small account.
I’m confident after my conversation with them that they are:
– aware
– concerned
– attentive
According to the person I spoke with an official announcement is forthcoming – they have fixed the breach – and are trying to determine the extent – although they seemed certain that none of my ‘personal account information’ had been compromised.
I was happy with their response and feel like they will address the issues.
I am thankful that Darren shared this info – it needed to be addressed. As users I think we should stay calm and allow AWeber to fix the problem.
Wow, thanks for the heads up! Have been using Aweber off and on for years and believe they’ve really stepped up to Full Strength on their antispam stuff…
My belief is it will turn out that it’s related to but not a fault of Aweber… but can’t wait to hear.
ONE LAST THING… what I find most amazing is that this sort of crap is at all profitable… that’s amazing! Who the hell is looking at this as a good deal?
Shawn
Hey guys, I just got off the phone with Aweber this morning after I wanted to learn about the situation.
They told me that yes, their system was compromised over the weekend and our leads were exposed. Our own personal account information, credit card info, etc. was not.
They’ve had developers in over the weekend to fix the problem, and they assured me that nothing like this will ever happen again, and they are doing extensive checks to make sure there aren’t any more holes.
They will be announcing exactly what happened on their blog as soon as they get all the information and details worked out, they tell me.
It was nice to see how friendly and honest they were about the situation. I was on live chat, but the person offered to call me to talk about it, and I gladly accepted. He filled me in on the details, which was nice. Their customer service was awesome, and it seems like they’ve done all they can to take care of the situation as best as they can.
I will continue to use their services, so long as this doesn’t happen again.
I have no axe to grind with Aweber so I don’t want to be needlessly antagonistic, but I’m trying to figure something out here. It’s pretty easy to forget that Aweber’s initial response was:
“After receiving your email our team went through an exhaustive list of checks just to make sure that there are no indications that connects this spam message you received to an issue with AWeber. All of our tests have come back secure with no reports of intrusion or compromise.”
(That boilerplate response was documented in multiple venues; I suppose you could argue that it’s a fake, but there’s no reason to think that wasn’t Aweber’s initial position.)
That’s not an example of a company saying, “Wow! That looks bad; we’re looking into it!” or “Things look fine on our end but we’ll keep digging.” They said unequivocally that they ran all the security checks that they were capable of, and they were positive that no breach occurred.
It took the full weight of the Internet and lots of wasted man-hours by people like those on this thread to convince them otherwise.
This can mean only one of two things: Either Aweber support will bald-faced lie to you when confronted with an obvious security breach, or they really have no idea what statements like an “exhaustive list of checks” or “reports of intrusion or compromise” really mean.
Either way… since you can’t rely on them to give you an accurate response to an issue of this caliber (and they’re not willing to say, “I don’t know”), how on earth could anyone trust this company again? Seriously — are people still going to give them their money after they’ve proven themselves to be incompetent, liars, or lying incompetents?
Aweber have released an official statement: https://www.aweber.com/blog/uncategorized/data-compromise.htm
I haven’t noticed this issue myself yet, but I have heard it talked about on other blogs.
I may be a little slow on the draw here, but thanks for the information! I actually noticed some of the same pharmaceutical spam emails beginning around the time of this post as well. Really makes you think twice about giving out your email address (even to “trusted” sources).
Today I deleted like 7 spam e-mails from Aweber. (Yes, I’m one of those who have like 200 e-mail addresses just to see who is spamming who…) I think it is their end. Last time they confirmed, that they have lost “only” ALL of our E-MAILS :( Last month I was unaffected and it has shown up only today…
By now, every subscriber who registered through forms that used aWeber.com is in the list of lists getting SPAM big time. I am getting 100+ spam per day now from supposedly safe subscribing. So in the long term when a system is compromised you have no escape. You’ll be a victim of spam.
You will get spam regardless of whether you un-subscribed from their list many years ago. The email addresses you registered with are not deleted from their databases and they can reach you.
The funny thing is they (list-servers) continue as if nothing has happened. I see their doom like an avalanche coming upon them. It was meant to happen.
Your firewall is as strong as the weakest link. If the weakest link is weak then the whole system’s defenses are based on the strength of that weak link. They obviously did not do their homework carefully enough and their systems were as strong as the weakest point defense.