© 2010 . All rights reserved.

Suspected Data Security Breach at iContact.com

I suspect iContact.com has suffered a data security compromise.

Summary

I have received four nearly identical spams at four different addresses, each known only to me and to one of four distinct websites. All four of those websites use iContact.com for their newsletter mailings. I have also received this spam at a spam-trap address but, importantly, at none of the other unique addresses I use with other websites. The evidence points strongly to a data breach at iContact.com.

Evidence

Four addresses known only to four websites and myself have begun receiving spam today. Each address below links through to the spam in question.

All four websites in question (photonlight, slimelight, macheist and bloomsbury) have sent me emails via iContact. Extracts of the leading Received headers of legitimate emails from each of them, showing the icpbounce.com host that delivered each one, are as follows:

Received: from drone15.ral.icpbounce.com ([::ffff:66.192.165.135])
  by mx10.faelix.net with esmtp; Wed, 30 Dec 2009 19:16:37 +0000
  id 0000C014.4B3BA715.00001A1E
Received: from localhost.localdomain (localhost [127.0.0.1])
	by drone15.ral.icpbounce.com (Postfix) with ESMTP id CA9D776C0CC
	for <photonlight@maz.nu>; Wed, 30 Dec 2009 14:16:36 -0500 (EST)
Date: Wed, 30 Dec 2009 14:16:36 -0500
To: photonlight@maz.nu

Received: from drone5.rtp.icpbounce.com ([::ffff:74.202.227.45])
  by mx10.faelix.net with esmtp; Mon, 27 Jul 2009 10:17:55 +0000
  id 00006005.4A6D7ED3.000023ED
Received: from localhost.localdomain (localhost [127.0.0.1])
	by drone5.rtp.icpbounce.com (Postfix) with ESMTP id A13E6438A76
	for <bloomsbury.com@maz.nu>; Mon, 27 Jul 2009 06:17:50 -0400 (EDT)
Date: Mon, 27 Jul 2009 06:17:50 -0400
To: bloomsbury.com@maz.nu

Received: from smtp8.icpbounce.com ([::ffff:216.27.93.118])
  by faelix.net with esmtp; Sun, 15 Mar 2009 01:02:05 +0000
  id 000013D9.49BC538D.0000767F
Received: from localhost.localdomain (localhost [127.0.0.1])
	by smtp8.icpbounce.com (Postfix) with ESMTP id 6E1AF97161
	for <macheist.com@maz.nu>; Sat, 14 Mar 2009 21:01:44 -0400 (EDT)
Date: Sat, 14 Mar 2009 21:01:44 -0400
To: macheist.com@maz.nu

Received: from smtp3.icpbounce.com ([::ffff:216.27.93.123])
  by mx10.faelix.net with esmtp; Thu, 14 Jan 2010 17:59:02 +0000
  id 0000C00A.4B4F5B66.0000129A
Received: from localhost.localdomain (localhost [127.0.0.1])
	by smtp3.icpbounce.com (Postfix) with ESMTP id 4124C596396
	for <slimes@maz.nu>; Thu, 14 Jan 2010 12:58:58 -0500 (EST)
Date: Thu, 14 Jan 2010 12:58:58 -0500
To: slimes@maz.nu

The only other address to receive the junk mail in question is a spam-trap known to receive large amounts of spam: my Debian consultant email address. None of the several hundred other addresses I use has received this spam today. I therefore do not believe that a virus on my laptop or a compromise of my mail servers has leaked these addresses; either of those would have exposed the other addresses too.

I consider it highly unlikely that four different websites would each have had their mailing-list databases compromised independently, and at the same time. Applying Occam's Razor, the simplest explanation is that the one element they share, iContact.com, is the source from which these addresses of mine were taken.
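To make the correlation above mechanical rather than eyeballed, here is an added example of my own (not code from the original post, and nothing to do with iContact's systems) that parses header extracts like the ones listed under Evidence, records which provider's outbound host delivered mail to each unique address, and then reports the provider common to every spammed address, along with how many un-spammed addresses that provider also serves. It also derives a lower bound on when the leaked copy was taken, generalising the reasoning given in the comments below: a dump must postdate the enrolment of every address found in it. The four header extracts are the ones quoted above; the fifth message, the address control@maz.nu, the host mail1.othermail.example and the IP 192.0.2.10 are constructed for the example.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed sample input: the leading Received lines of the four legitimate
# iContact messages quoted on the page, plus one made-up control message for an
# address (control@maz.nu) given only to a site using a different, hypothetical
# provider (othermail.example).  In real use, feed the *earliest* legitimate
# message received at each unique address, not an arbitrary one.
SAMPLE_EXTRACTS = [
    """Received: from drone15.ral.icpbounce.com ([::ffff:66.192.165.135])
  by mx10.faelix.net with esmtp; Wed, 30 Dec 2009 19:16:37 +0000
Received: from localhost.localdomain (localhost [127.0.0.1])
  by drone15.ral.icpbounce.com (Postfix) with ESMTP id CA9D776C0CC
  for <photonlight@maz.nu>; Wed, 30 Dec 2009 14:16:36 -0500 (EST)""",
    """Received: from drone5.rtp.icpbounce.com ([::ffff:74.202.227.45])
  by mx10.faelix.net with esmtp; Mon, 27 Jul 2009 10:17:55 +0000
Received: from localhost.localdomain (localhost [127.0.0.1])
  by drone5.rtp.icpbounce.com (Postfix) with ESMTP id A13E6438A76
  for <bloomsbury.com@maz.nu>; Mon, 27 Jul 2009 06:17:50 -0400 (EDT)""",
    """Received: from smtp8.icpbounce.com ([::ffff:216.27.93.118])
  by faelix.net with esmtp; Sun, 15 Mar 2009 01:02:05 +0000
Received: from localhost.localdomain (localhost [127.0.0.1])
  by smtp8.icpbounce.com (Postfix) with ESMTP id 6E1AF97161
  for <macheist.com@maz.nu>; Sat, 14 Mar 2009 21:01:44 -0400 (EDT)""",
    """Received: from smtp3.icpbounce.com ([::ffff:216.27.93.123])
  by mx10.faelix.net with esmtp; Thu, 14 Jan 2010 17:59:02 +0000
Received: from localhost.localdomain (localhost [127.0.0.1])
  by smtp3.icpbounce.com (Postfix) with ESMTP id 4124C596396
  for <slimes@maz.nu>; Thu, 14 Jan 2010 12:58:58 -0500 (EST)""",
    """Received: from mail1.othermail.example ([192.0.2.10])
  by mx10.faelix.net with esmtp; Tue, 05 Jan 2010 09:00:00 +0000
Received: from localhost (localhost [127.0.0.1])
  by mail1.othermail.example (Postfix) with ESMTP id 0123456789AB
  for <control@maz.nu>; Tue, 05 Jan 2010 04:00:00 -0500 (EST)""",
]

# Constructed: the unique addresses at which the spam arrived.
SPAMMED = {"photonlight@maz.nu", "bloomsbury.com@maz.nu",
           "macheist.com@maz.nu", "slimes@maz.nu"}


def parse_extract(text):
    """Return (recipient, edge_host, date) from one header extract.

    The first Received line is the one our own MX wrote, so its 'from' host is
    the provider's outbound edge.  The 'for <...>' clause names the unique
    address the provider was given, and its date is when the provider sent it.
    """
    edge = re.search(r"^Received: from (\S+)", text, re.M).group(1)
    m = re.search(r"for <([^>]+)>;\s*([^\n]+)", text)
    raw_date = re.sub(r"\s*\([^)]*\)\s*$", "", m.group(2))  # drop '(EST)'
    return m.group(1), edge, parsedate_to_datetime(raw_date)


def provider_of(host):
    """Collapse an edge hostname to its provider, e.g.
    drone15.ral.icpbounce.com -> icpbounce.com.  Last-two-labels is a
    deliberate simplification; use a public-suffix list for real data."""
    return ".".join(host.lower().split(".")[-2:])


def build_provisioning_map(extracts):
    """address -> {'providers': set of provider domains, 'first_seen': datetime}"""
    seen = {}
    for text in extracts:
        rcpt, edge, when = parse_extract(text)
        rec = seen.setdefault(rcpt, {"providers": set(), "first_seen": when})
        rec["providers"].add(provider_of(edge))
        rec["first_seen"] = min(rec["first_seen"], when)
    return seen


def common_element(seen, spammed):
    """Providers that delivered legitimate mail to *every* spammed address.

    Returns {provider: number of clean (un-spammed) addresses it also serves};
    a candidate that also serves many clean addresses is a weaker suspect.
    """
    common = None
    for addr in spammed:
        provs = seen[addr]["providers"]
        common = set(provs) if common is None else common & provs
    return {p: sum(1 for a, r in seen.items()
                   if a not in spammed and p in r["providers"])
            for p in (common or set())}


def breach_lower_bound(seen, spammed):
    """A leaked copy must postdate the enrolment of every address in it, so
    the latest first contact among the spammed addresses bounds the theft
    from below (assumes one dump rather than a trickle of leaks)."""
    return max(seen[a]["first_seen"] for a in spammed)


def analyse(extracts=SAMPLE_EXTRACTS, spammed=SPAMMED):
    seen = build_provisioning_map(extracts)
    return {
        "suspects": common_element(seen, spammed),
        "stolen_after": breach_lower_bound(seen, spammed).date().isoformat(),
    }


if __name__ == "__main__":
    print(analyse())
```

On the sample data this names icpbounce.com as the only provider common to all four spammed addresses, serving zero clean ones, and bounds the theft to after 2010-01-14 (the latest of the quoted messages). The bound is only as good as the input: the quoted extracts are not necessarily the first message each address ever received, so a real run should use the earliest legitimate message per address.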

It is my belief, having read their website and spoken to customer services, that iContact do abide by their strict privacy and anti-spam policies. I do not believe they have sold their address database to spammers. I fear they have been the victims of an attack against their database servers, or possibly that a disgruntled insider has leaked their database.

Their abuse team has been notified, and I await their feedback.

  • http://twitter.com/joshuabaer Joshua Baer

    That’s a very detailed report!

    OtherInbox works the same way you do – each place that you sign up gets a different email address. We’re seeing numerous reports from OtherInbox users that are seeing the same thing. We asked iContact for confirmation but haven’t heard back.

    • http://maz.nu/ Marek Isalski

      Thanks. Glad to hear something corroborating what I’ve seen.

      I received a message via Facebook on the day I published this from someone at iContact.com, emailed them with a little more detail (the emails I originally sent to abuse@), but haven’t heard anything back yet either.

  • http://twitter.com/joshuabaer Joshua Baer

    I just verified that @Shoeboxed list was abused also, it is hosted at @iContact. The subject of the email I received personally was “Pharmacy Best Product Vicodin.Viagra!!!!!”.

    • http://maz.nu/ Marek Isalski

      I assume a company in the business like iContact.com would have “honey-token” records in their database which, now that the database is likely leaked to spammers, they can use to determine roughly when it was stolen. If not, their job will be that much harder.

      I only have four data-points to provide iContact.com: bloomsbury.com@ was the last address which received iContact-breach-related spam. That received its first email (from iContact) on April 2nd 2009, pretty soon after I subscribed to something. Therefore breach probably happened after April 2nd. I don’t know of any of my own email addresses that were ultimately provided to iContact.com which haven’t received spam, so I can’t put a bound on the breach having occurred before a certain date. It’ll be an hour or two before my search of all non-spam emails I’ve received since 1999 completes to confirm that. I wonder if there’s anything else of help that the wider “we hate spam” community can do right now?

  • sks

    I have a similar system for my domain and received 3 similar spams on 3 different addresses within a few minutes of each other. I’ve filed a complaint with the FTC.

    • http://maz.nu/ Marek Isalski

      I don’t know if it would help iContact.com to track down where/when the leak happened (I’m guessing quite recently), but have you sent any information to their abuse@ email address?

    • sks

      Yeah, I gave it to them via online chat (they seemed thoroughly disinterested in hearing about any info I had) and responded to their blog post (which I have not received any response regarding). This just pisses me off because regular folks who have only a single e-mail address always wonder why they get so much spam, and it's because companies like iContact, whose business is premised on the idea of keeping customer data secure, can't even do so.

    • http://maz.nu/ Marek Isalski

      Their customer service people in online chat are front-line staff. They won’t know what to do with the information you give them. I suggest you email abuse@ – that should go to some technical staff who do know what to do.

    • http://maz.nu/ Marek Isalski

      iContact have updated their blog, confirming the breach!

  • Anonymous

    I’ve gotten the exact same spam to my catchall addresses for macheist, tenbills.com, uneetee.com and nowpublic.com if these extra data points mean anything.

    • http://maz.nu/ Marek Isalski

      Judging by what iContact said on their blog at http://www.icontact.com/blog/index.php?blog=1&p=401&more=1&c=1&tb=1&pb=1 they could probably do with the information. If you trust them I suggest emailing abuse@ and letting them know the compromised addresses. Hopefully it might help them? But finding how information was stolen can be very difficult at the best of times… good luck to them!

    • http://maz.nu/ Marek Isalski

      iContact have updated their blog, confirming the breach!

  • massimo Fubini

    We have more than 20 different subscriptions with unique emails to iContact lists…
    all of them started receiving spam a few days ago

    • http://maz.nu/ Marek Isalski

      Alas, still no update from iContact after their blog post almost four days ago: http://www.icontact.com/blog/index.php?blog=1&p=401&more=1&c=1&tb=1&pb=1

      I don’t know how much more evidence they need to help track down where the breach occurred, but it might be worthwhile letting their abuse team know. If nothing else, they might decide to acknowledge the problem a little more strongly than “we’re looking into it”?

    • http://maz.nu/ Marek Isalski

      iContact have updated their blog, confirming the breach!

  • http://blog.flame.org/ Michael Graff

    I called iContact today and was told there was a database compromise. I have an email address that is used only on iContact as a honeypot, and it just received spam today. See http://www.icontact.com/blog/index.php?blog=1&p=401&more=1&c=1&tb=1&pb=1 for full details.

    • http://maz.nu/ Marek Isalski

      Yeah, I avidly watched their blog after I reported the suspected breach to them. It must’ve been some very stressful days for them. You might want to send them your evidence as it sounds like they were the targets of an organised attack: your data points might be useful?

    • sks

      Looks like iContact is just going to wait and let this be forgotten. None of the companies which had my e-mail addresses have contacted me regarding the data breach. I wonder if they even know. How responsible.

  • sks

    Dammit–this is happening everywhere. I’m now getting spam on addresses disclosed to MailerMailer.com. Who will hold these email marketers accountable for their shoddy practices?

    • http://maz.nu/ Marek Isalski

      Disappointing, but not surprising: email addresses have value, and given how many companies are operating on tiny margins they’re easy targets for the scammers and spammers… especially if it gets them nicely validated “trusted” addresses. I don’t think anyone will hold them accountable because they’re victims of crime – unless they’ve been criminally negligent themselves. As most of these companies operate out of the USA, where data protection laws likely offer no real protection, I predict that nothing will change.

    • sks

      Mailermailer.com has acknowledged their data breach–it was an opportunistic employee: http://www.mailermailer.com/releases/march-18-2010.rwp

    • http://maz.nu/ Marek Isalski

      Nice for them that they have a scapegoat to pin it on, rather than “we were utterly incompetent and got hacked”. Still, very disappointing.

  • Guest

    Just wanted to mention that iContact is notorious for having customer accounts being SPAMMED. Truly unbelievable. Don’t these guys have security? You know, basic security where VERY simple things like mailing lists can’t be compromised. Yeesh!

    I’ve been the victim of SPAM from three iContact mailing lists:

    1. Stratosphere Hotel & Casino in Las Vegas;
    2. CyberTradingUniversity.com; and most recently
    3. ThinkBuzan.com

    How do I know? I use proprietary email addresses that are specific to the mailing list, designed specifically to combat SPAM and various hackers.

    If you ask me, these guys iContact, should have been out of business a long time ago for just plain negligence in terms of making sure their systems are secure.

    Signed, one pissed off mailing list subscriber who hates SPAM.

    • http://maz.nu/ Marek Isalski

      I saw several addresses “compromised” in the same way (similarly I use different addresses for different mailing lists). iContact did acknowledge that they had a security breach eventually, but I’ve no idea what additional security measures are now in place.