An Update on the SitePoint Newsletter Lists

Matthew Magain

Some of you might have heard a few weeks ago that Campaign Monitor, the email marketing service that SitePoint uses to send its popular email newsletters, was hacked, and several accounts were compromised.

Unfortunately, one of those accounts was SitePoint’s. This post is an attempt to address some of the questions you might have, should you be a subscriber to one of our newsletters.

What is Campaign Monitor?

Campaign Monitor is a third party email marketing service that we use for sending our email newsletters—the Tech Times, the Tribune, the Design View and the Community Crier. We host all email lists for these newsletters on the Campaign Monitor service, and any time someone requests to be added or removed from a newsletter, we make use of the Campaign Monitor API to automatically update those lists.

What Happened?

The Campaign Monitor servers were subjected to a well-planned and organised attack by one or more experienced hackers, and several accounts were compromised, including ours.

The Campaign Monitor team did an excellent job of keeping their customers in the loop soon after the attacks took place. If you’re interested in a blow-by-blow report straight from the horse’s mouth, you can read the relevant posts on the Campaign Monitor blog.

Possibly because our newsletters have such a large number of subscribers, our newsletter subscriber lists were specifically targeted by the hackers.

Our understanding, based on discussions with the Campaign Monitor team both immediately after the attack and after the security audit that they commissioned over the past few weeks, is that the hackers intended to take advantage of Campaign Monitor’s good delivery record in order to send spam to SitePoint’s newsletter subscribers. Luckily, the Campaign Monitor guys appear to have detected the security hole and blocked it before this mail out occurred.

As far as we understand, the hackers performed at least two actions that affect SitePoint subscribers:

  1. The hackers imported their own list of email addresses, in preparation for sending a spam email campaign from the SitePoint account on Campaign Monitor. Thankfully, the intrusion was detected and stopped before this campaign was sent.
  2. The hackers added a number of email addresses to the subscriber list for Alex’s Design View newsletter. Unfortunately, the fact that these addresses were added to this newsletter list went undetected until a couple of weeks later—after the next issue of the Design View had been sent. As a result, the most recent issue of the Design View was regrettably sent to a number of email addresses that had not legitimately subscribed to receive that newsletter. This list has since been cleansed by the Campaign Monitor team, so that it once again contains only subscribers who have specifically signed up to receive this newsletter.

Is My Email Address in the Hands of Spammers Now?

It’s unknown to us whether the hacker performed an export of any of the lists hosted on Campaign Monitor. Unfortunately, it’s entirely possible that the hacker may have indeed exported some or all of SitePoint’s newsletter email lists, with the purpose of using them to send spam email. We have received a couple of reports of spam email being sent to addresses created specifically for these newsletters, but from what we can tell these are one-off reports and don’t appear to be an ongoing problem. That said, if you do believe that the email address you’ve used to subscribe to one of our newsletters is receiving an increased amount of spam email as of last month, please get in touch.

What About your Other Lists?

Our newsletter email lists are the only lists we host with Campaign Monitor. All of our other customer and subscriber information, including our book club, forum membership, customer database (including order history etc) and all other email lists to which we send book announcements and other opt-in email marketing communications are stored elsewhere. None of these lists are at risk of being exposed as a result of this attack.

What is Being Done to Prevent this from Happening Again?

It’s obviously horrible news to have to report this to our readers who trust us with their email address. However, based on the steps that the Campaign Monitor team have taken in order to prevent this from ever happening again, I’m sure you’ll agree that the way in which the Campaign Monitor team handled the situation has been exemplary. We also believe in adopting a similar policy of transparency—hence this blog post. In terms of our lists moving forward, we have complete faith in the team’s ability to tighten the security on their email marketing service, and we plan on continuing to use the Campaign Monitor service to deliver your newsletters.

Reporting news like this is always difficult, but we hope that by reading through this post and the details of what the Campaign Monitor guys have done in order to address this unfortunate incident, you’ll support this decision, and continue to subscribe to your favourite SitePoint newsletter.

If you have any concerns about SitePoint’s policy on the security and privacy of our visitors’ personal details, you can read our privacy policy, leave a question in the comments, or contact our customer support team.

  • ktdreyer

    “Is my email address in the hands of spammers now?”
    Yes.

  • essexboyracer

    Thank you Sitepoint for owning up and coming forward, honesty IS the best policy. I am currently looking at switching our ESP from a (very expensive Yesmail) to another provider; CM is currently in the lead and this hacking event has had no impact on my decision.

    Anyone can get hacked, you can bolt the windows but there is nothing to stop someone using a hammer to get in, that’s the way I see it. If someone has the determination to hack then they are going to do it, doesn’t matter who you are. I for one am glad that SP & CM are sticking together, and that my decision to go with CM will not be swayed by this event.

  • http://icoland.com/ glenngould

    I wonder if your Campaign Monitor account keeps records for unsubscribed addresses?

  • Anonymous

    I am also using Campaign Monitor’s services for my clients. Fortunately, none of their accounts were compromised and I still have full confidence in CM. My clients are generally very impressed by the services, and yes, they do actually keep a list of unsubscribed emails. In fact, it is rather tedious to resubscribe someone who has unsubscribed, because it requires manual override…

  • Anonymous

    I’ve been a subscriber for the Tech Times, Tribune and Design View newsletters for a long time, and I haven’t received any spam to the specifically created email accounts for sitepoint newsletters.

    -HGC

  • http://www.anseltaft.com/ http://www.amphibiacam.com/ open4biz

    I can’t wait for my additional spam. That’s why I have a Bayesian email filter
    No worries here. It’s not like I’m going to buy anything they’re selling…

    -A.