Some of you might have heard a few weeks ago that Campaign Monitor, the email marketing service that SitePoint uses to send its popular email newsletters, was hacked, and several accounts were compromised.
Unfortunately, one of those accounts was SitePoint’s. This post is an attempt to address some of the questions you might have, should you be a subscriber to one of our newsletters.
What is Campaign Monitor?
Campaign Monitor is a third party email marketing service that we use for sending our email newsletters—the Tech Times, the Tribune, the Design View and the Community Crier. We host all email lists for these newsletters on the Campaign Monitor service, and any time someone requests to be added or removed from a newsletter, we make use of the Campaign Monitor API to automatically update those lists.
The Campaign Monitor servers were subjected to a well-planned and organised attack by one or more experienced hackers, and several accounts were compromised, including ours.
The Campaign Monitor team did an excellent job of keeping their customers in the loop soon after the attacks took place. If you’re interested in a blow-by-blow report straight from the horse’s mouth, you can read the relevant posts on the Campaign Monitor blog:
- Campaign Monitor attacked by hackers, some accounts compromised
- Update on the hacking issue
- Security update and a big thanks
- Required account password changes starting today
Possibly because our newsletters have such a large number of subscribers, our newsletter subscriber lists were specifically targeted by the hackers.
Our understanding, based on discussions with the Campaign Monitor team both immediately after the attack and after the security audit that they commissioned over the past few weeks, is that the hackers intended to take advantage of Campaign Monitor’s good delivery record in order to send spam to SitePoint’s newsletter subscribers. Luckily, the Campaign Monitor guys appear to have detected the security hole and blocked it before this mail out occurred.
As far as we understand, the hackers performed at least two actions that affect SitePoint subscribers:
- The hackers imported their own list of email addresses, in preparation for send a spam email campaign from the SitePoint account on Campaign Monitor. Thankfully, the intrusion was detected and stopped before this campaign was sent.
- The hackers added a number of email addresses to the subscriber list for Alex‘s Design View newsletter. Unfortunately, the fact that these addresses were added to this newsletter list went undetected until a couple of weeks later—after the next issue of the Design View had been sent. As a result, the most recent issue of the Design View was regrettably sent to a number of email addresses that had not legitimately subscribed to receive that newsletter. This list has since been cleansed by the Campaign Monitor team, so that it once again contains only subscribers who have specifically signed up to receive this newsletter.
Is My Email Address in the Hands of Spammers Now?
It’s unknown to us whether the hacker performed an export of any of the lists hosted on Campaign Monitor. Unfortunately, it’s entirely possible that the hacker may have indeed exported some or all of SitePoint’s newsletter email lists, with the purpose of using them to send spam email. We have received a couple of reports of spam email being sent to addresses created specifically for these newsletters, but from what we can tell these are one-off reports and don’t appear to be an ongoing problem. That said, if you do believe that the email address you’ve used to subscribe to one of our newsletters is receiving an increased amount of spam email as of last month, please get in touch.
What About your Other Lists?
Our newsletter email lists are the only lists we host with Campaign Monitor. All of our other customer and subscriber information, including our book club, forum membership, customer database (including order history etc) and all other email lists to which we send book announcements and other opt-in email marketing communications are stored elsewhere. None of these lists are at risk of being exposed as a result of this attack.
What is Being Done to Prevent this from Happening Again?
It’s obviously horrible news to have to report this to our readers who trust us with their email address. However, based on the steps that the Campaign Monitor team have taken in order to prevent this from ever happening again, I’m sure you’ll agree that the way in which the Campaign Monitor team handled the situation has been exemplary. We also believe in adopting a similar policy of transparency—hence this blog post. In terms of our lists moving forward, we have complete faith in the team’s ability to tighten the security on their email marketing service, and we plan on continuing to use the Campaign Monitor service to deliver your newsletters.
Reporting news like this is always difficult, but we hope that by reading through this post and the details of what the Campaign Monitor guys have done in order to address this unfortunate incident, you’ll support this decision, and continue to subscribe to your favourite SitePoint newsletter.
Matthew Magain is a UX designer with over 15 years of experience creating exceptional digital experiences for companies such as IBM, Australia Post, and sitepoint.com. He is the co-founder of UX Mastery, and recently co-authored Everyday UX, an inspiring collection of interviews with some of the best UX Designers in the world.