Aweber has been hacked again

Remember December last year, when a bunch of people complained about having received medical and replica spam from a-list internet gurus and bloggers? Turned out that Aweber, the email list provider most gurus and a-list bloggers use, had been compromised (see this post on Aweber’s own blog from December last year). So, for once, the gurus were innocent: they didn’t send out the scam, they got their email list data stolen through a security hole in the Aweber website. BTW, only Darren Rowse wrote about it then; here is the blog post on Problogger. As far as I know, none of the other a-listers mentioned it, and everybody continued to promote Aweber as the best thing since sliced bread when it comes to email marketing. In the end, Aweber had promised:

“We’re very sorry this occurred and may have affected you. We have taken extra steps beyond fixing the problem to ensure that such a breach cannot occur again.”

Now, what was the title of this old James Bond movie again? Right, ‘Never say never again!’ Because, less than a year later, it happened again. This time it didn’t take an a-lister to call them out; Aweber admits it right on their blog here. This time with an apology to the email list owners, and instead of claiming that it will never happen again, they state this time round:

“We continue to invest significant resources into enhancing our current security and implementing new security measures to combat future attacks. We are also working with other ESPs who have been similarly attacked to share knowledge and better secure the email marketing industry as a whole.”

But what really gets my back up is that neither this year nor last year has Aweber ever apologized to those that were the real victims: the ones that get inundated by spammers and will continue to be in future, because spammers have now gotten their dirty little fingers on our email addresses. In my case this is so bad that I am receiving spam emails at a rate of 20-30 / hour and I know it will get worse, because these spammers sell the email addresses they have on and on to others. And Aweber apologized only to the ‘email list owners’, but not to the ones that now have to fight the email spam in their inbox even harder.

And the other thing I can promise you is that the A-listers and bloggers will continue to flog Aweber as the best email list marketing tool available, simply because they have such a terrific affiliate program.

Don’t get me wrong, Aweber is a legit company and the real bad guys are the hackers and spammers that broke through their security and mined the data and are now using this data to send even more email scams around the globe. Aweber is so big that they have become a first-class target for hackers.

So, if you’d like to keep your email list subscribers happy and subscribed, you might want to switch to one of the smaller providers like Mailchimp or even host your own email list with PHPList. Small is beautiful and sometimes even more secure than big. And now excuse me, I have to install a few more email filters in order to trash the spam more easily *sigh*


On a more cheerful note: My word counter for Fall Frenzy is now at 21,774 (not counting this post), not too bad for less than four days. If you wonder about what Fall Frenzy is, read my last blog post before this one 😉 SY


26 comments to Aweber has been hacked again!

  • There are ways to recover an email address from spam attacks, and have them moved on to the spammers’ “don’t spam this one at all costs” list.

    By sending effective complaints to the registrars of spammed domains, and having those domains removed, the sender gains a reputation – this person can create trouble for me. This person can affect my income.

    One of the most effective tools for achieving this is the automatic complaint generator.
    It allows you to generate a suspension request, and you decide whether or not to click the “Send” button, after adding the evidence of crime.

    Adding evidence is quite simple – you don’t have to amass that yourself. You can find the most prevalent spam brands already identified at the spamtrackers wiki –

    Before long, the not so bright registrars will forward your email as evidence to the spammers. Inevitably they get to know your email address, and put it onto the “don’t spam” list.

    This tool is available at no charge from and runs on a Windows platform. Spammers hate it.

    • hospitalera

      Mark, I kept your comment for several days on hold because you are suggesting a dangerous game: Telling the spammers and spam nets who is against them. Whilst I do appreciate your advice, I caution everybody to evaluate the risk involved for themselves. Getting a reputation of ‘This person can create trouble for me. This person can affect my income’ could create a reaction of ‘I will destroy this person and all his / her internet properties.’ Good luck in your fight against email spammers, SY

  • I was wondering where all this extra spam has come from, I have a new email address I’ve only used in 3-4 places and even that is getting a fair amount of spam recently.

  • Matthew Robbins

    No complaints of spam to my own AWeber list, and no extra spam received today, in spite of being subscribed to yours. As you say, AWeber’s a reputable outfit, and Bucks County, PA, where AWeber is located, is under a whole lot of snow today. Not much work getting done, except by folks with plows.

    • hospitalera

      Matthew, I am not using Aweber, I am using Feedburner! And nothing to do with snow, they admitted the security breach themselves on their blog! SY

  • Jez

    I’ve never liked Aweber and it does not surprise me that they have not apologised; to be frank, I doubt they are that bothered about the recipients of the mails. For a company like this to lose its lists, or rather their customers’ lists, twice is really bad.

    I like MailChimp, I think it’s a good service, somehow more “pleasant” than Aweber.

    I have never been into harvesting lists, but am about to embark on that process, and had already decided on the Chimp, this post just seals that decision.

  • James

    Hi SY, I found your blog having had to search for, “aweber spam,” as I had an email address compromised in this last attack.

    I read Mark’s comment above and I must admit, I’d be quite tempted to go down the route of reporting spam if I was sure that more people were doing the same, but as you say, you *could* end up just making yourself (or your domain’s server) a target.

    As a slightly more passive solution, those of us that have a domain name, or an ISP who supply a subdomain for you to use as your own, should simply create a different email address for each form we fill in (use something like {where you’re subscribing to}.{today’s date}@{your domain}). It doesn’t matter whether you’re filling in an insurance quote form from a reputable company, a competition entry where you’ve been careful to check the, “don’t sell my address,” box, or a random blog that you’ve not heard of before 😉 If you use a different address for every form, then you know exactly what has been compromised and who to complain to and ultimately, what address to set to fail (whether you’ve set up the address as a forwarder to one of your main accounts, or as a full account).

    To give you some background, I’d subscribed to a mailing list over the summer and on the 22nd of this month received spam to the address I’d used. A quick check around and I was writing a rather angry email to AWeber support, accusing them of selling the email address, and demanding some compensation. Jeff Crandall, AWeber Customer Solutions Supervisor, replied without directly accepting responsibility for the loss of data (at this point I had not found / read their own blog). I then contacted the list owner, who apologised for the loss of data and promised to look into exactly how the data has been lost. Since reading your blog, and AWeber’s I’ve given him plenty of pointers as to what has happened.

    I actually do feel that it’s AWeber who is in the wrong here, just as much as the hackers. When it comes to handling personal information, there are not only laws, but just plain and simple due diligence that should keep our information safe. AWeber’s privacy statement, not only states that they keep your information safe, but gives links to the various laws that they adhere to with regards to marketing emails. Effectively, not only has this spam come from AWeber, it’s also information that can be used in a far more sinister way, such as a phishing campaign. I think compensation is in order, and I for one will be contributing to taking AWeber to court if it’s at all possible.

    Thank you for blogging about AWeber, I do hope they get removed from the internet gene pool by this last incident.

    • hospitalera

      Hi James, I follow the same system as you. That was the reason why I became suspicious in the first place. If you get the same spam email sent over and over again and only the email address used to send it to you differs, it becomes clear that the breach of security is on the level of the administrator / service provider for many email lists and that it is not one black sheep of an internet marketer that sells email addresses on. I agree that Aweber should have been far more careful with personal data, exactly for the risk of phishing / identity theft attacks you mentioned. But I don’t agree with your last sentence. I think, despite all, Aweber is an honest company, everybody can make mistakes and not everybody deserves being ‘shot’ for their mistakes. SY
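
The per-form address scheme described in the two comments above, and the inference drawn from it (the same spam reaching several aliases points at a shared list host), sketched as an added example that is not part of the original post or its comments. The domain, labels, sample messages and the `PROVIDER_OF` mapping are constructed assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import date
from email import message_from_string
from email.utils import getaddresses

DOMAIN = "example.org"  # assumption: a domain whose mail you control

def make_alias(source: str, day: date, domain: str = DOMAIN) -> str:
    """Build {source}.{date}@{domain}, one address per form filled in."""
    label = "".join(c for c in source.lower() if c.isalnum() or c == "-")
    return f"{label}.{day:%Y%m%d}@{domain}"

def leaked_sources(raw_messages, domain: str = DOMAIN):
    """Map each distinct spam body (by hash) to the signup labels it reached."""
    hits = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        # Normalise case and whitespace so trivially varied copies match.
        body = " ".join(str(msg.get_payload()).lower().split())
        digest = hashlib.sha256(body.encode()).hexdigest()[:12]
        rcpts = msg.get_all("Delivered-To", []) + msg.get_all("To", [])
        for _, addr in getaddresses(rcpts):
            local, _, dom = addr.lower().rpartition("@")
            if dom == domain and "." in local:
                hits[digest].add(local.rsplit(".", 1)[0])  # strip the date part
    return {d: sorted(s) for d, s in hits.items()}

def shared_provider(sources, provider_of):
    """Return the single list host behind all leaked labels, else None."""
    providers = {provider_of.get(s) for s in sources}
    return providers.pop() if len(providers) == 1 and None not in providers else None

# Constructed sample spam: two near-identical copies sent to different aliases.
SAMPLE_SPAM = [
    "To: guru-list.20100612@example.org\nSubject: Replica\n\nBuy replica watches now\n",
    "To: blog-tips.20100801@example.org\nSubject: Replica!\n\nBuy  replica watches NOW\n",
    "To: insurance-quote.20100103@example.org\nSubject: hi\n\nCheap meds here\n",
]
# Hypothetical record, kept at signup time, of who hosts each list.
PROVIDER_OF = {"guru-list": "list-host-a", "blog-tips": "list-host-a",
               "insurance-quote": "direct"}

if __name__ == "__main__":
    for digest, labels in leaked_sources(SAMPLE_SPAM).items():
        print(digest, labels, shared_provider(labels, PROVIDER_OF))
```

When one spam body reaches aliases given to different list owners and `shared_provider` names a single host, the leak is more likely at that host than at any one list owner; the leaked aliases can then be set to fail.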

  • Maitena Hospedaje

    He is really admirable to see that people who are at the same intellectual level of cybernetic delinquents, they take the time to inform and to let know and include/understand the crimes of these people. Thanks!

    • hospitalera

      Not sure that I understand what you want to say, are you speaking of Aweber, the hacker(s), me? SY

  • Hi SY,

    I’ve only had a good experience with AWeber. They aren’t perfect and they admit their mistakes. They are very helpful too.

    As for the spammers there must be other ways for them to get hold of people’s email addresses.

    The reason I say that is that whenever I get an email address, without ever signing up to any email list, spam very soon appears out of nowhere.

    And the real spammers never provide an unsubscribe link in their unwanted emails.


  • hospitalera

    Vance, Aweber admitted both times that they had been hacked and that personal data, including email addresses, of email list subscribers were now in the hands of the hackers, SY

  • Trinity

    Sorry to hear about this. Must be really tough for Aweber customers. Personally I use GetResponse and I’m very happy. Thankfully I haven’t run into such an issue in 6 years as a GR customer. The two companies must do things differently when it comes to security. Getting hacked twice in less than a year doesn’t say much good about Aweber.

    • hospitalera

      Yes, Trinity, I have also heard good things about GetResponse, seems to be a great alternative, SY

  • Jesse

    Aweber needs to step up their security so this type of thing doesn’t happen again!

    • hospitalera

      Very true, one time can happen, second time is really bad, they have enough money to employ top people. I really wish they would care more about the people affected, the list subscribers, and less about the list owners, but those are the ones that pay them, so … SY

  • This is what happens when things get big. Aweber must have a massive database of emails and these scammers cannot resist trying to hack in. I was with Aweber up till July just gone but found a great alternative called Imnica mail. I think it’s only been going for about 2 years so not as big but great price and I could even transfer my lists from Aweber to them so that was cool.

  • I also found this blog using the key phrase aweber spam. You give some great tips, thank you

  • Promotional Shopping Bags

    The reason I say that is that whenever I get an email address, without ever signing up to any email list, spam very soon appears out of nowhere. And the real spammers never provide an unsubscribe link in their unwanted emails.

    • hospitalera

      Any reason why you just re-post what another commentator wrote? Will not get you a back link, sorry, please refer to my comment policy to see why, SY

  • One of my subscribers also reported the leak. This is scary!

  • It sounds like they have quite lax security if it’s happened twice.

    For a start, it sounds like they must keep un-encoded sensitive data on-line, which is never a good idea.

    As a slight aside, I do think that email spam does at least seem to be decreasing in recent years (albeit because spammers have moved onto using Social Media!)