Marketing’s Weekly Dose of the Truth

Ken Magill

About Us

What Really Motivates List Thieves


Silverpop was put on the defensive again last week when CEO John Perkins claimed that spam his customers received was probably the result of a months-old data breach at the email service provider.

Silverpop received a slew of negative press in the tech trades when the breach was first revealed last year. And's recent warning to its customers has prompted a new round of less-than-favorable press for Silverpop.

But while it has had the honor of getting the most press over stolen email files, Silverpop isn’t remotely alone.

The entire industry has been under attack for more than a year. Clearly, clean email lists are valuable enough for someone to want to steal them. But with spam filters likely to identify messages resulting from the thefts as spam and block them, what is it about these lists that makes them so valuable?

A plausible answer from an expert appears below.

First, some background: On March 20, some customers reportedly received spam at addresses they only used at

“We reacted immediately by informing all our customers of this potential security breach in order for them to take the necessary precautionary steps,” stated Perkins. “We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider Silverpop.”

This latest development led Silverpop to release the following statement: “Silverpop was among several technology providers targeted as part of a broader cyber attack that occurred in the fall of 2010. At that time, we very quickly stopped the attack, notified all customers impacted by the activity and began working with law enforcement and third party security experts to help identify those responsible and take any additional steps necessary to ensure this did not happen again. We are confident that the breach last year remains an isolated incident.”

Meanwhile, TripAdvisor has also issued a recent warning to its customers that its email list has been stolen.

“We discovered that an unauthorized third party has recently stolen part of TripAdvisor's member email list. We're taking this incident very seriously,” said a statement on the site. “We've identified the vulnerability, shut it down and are vigorously pursuing the matter with law enforcement. We sincerely apologize for this inconvenience.”

TripAdvisor signed on with email service provider ExactTarget in 2008.

ExactTarget did not immediately return a call for comment.

Last November, Return Path CEO Matt Blumberg published a post on CircleID saying the email-service-provider industry had been under attack for almost a year leading to multiple systems breaches and that Return Path’s systems had also been breached.

Email service provider AWeber suffered a breach in late 2009.

Clearly, the entire industry is under sustained attack.

But why?

Laura Atkins, principal at email deliverability consultancy Word to the Wise, has a plausible answer.

“The simple answer is that the list thieves are after valid email addresses that are deliverable. They can then sell them to other companies,” she wrote in an email exchange with The Magill Report. “They never have to send the mail to make money. If the victims/customers end up getting blocked, who cares?”

Author’s note: There’s a lesson here for marketers: Don’t buy email lists. Purchased email lists are worse than worthless. They’re dangerous. If Atkins is right—and I suspect she is, given it’s the only plausible answer I’ve heard so far—it means if marketers stop buying lists, the market will dry up for list thieves.


Show: Newest | Oldest

Post a Comment
Your Name:
Please type the letters in the image above

Terms: Feel free to be as big a jerk as you want, but don't attack anyone other than me personally. And don't criticize people or companies other than me anonymously. Got something crappy to say? Say it under your real name. Anonymous potshots and personal attacks aimed at me, however, are fine.

Posted by: Neil Schwartzman
Date: 2011-04-04 05:34:00
Subject: Sorry, but Laura is incorrect

The MO of these criminals has *always* been to immediately 'monetize' the stolen lists by sending fake advertisements for Adobe and Skype, by way of the cracked client account at a given ESP. Now that major banks' customer lists have been stolen, it is a game changer. Customer lists of Capital One, CITI, JP Morgan Chase, and U.S. Bank were ripped-off from Epsilon last week, along with at least 25 other brands by my count, thus far. This means HUGE spear-phishing attacks are imminent. Also, while your advice to not buy lists is sage, these lists won't be for sale to non-criminals. You can bet your bottom dollar these actual lists of bank customers will be up for a LOT of money on one of the carder sites, probably when the heat dies down, if not sooner. the ESP industry has been lax across the board in protecting PII on behalf on consumers, and their customers, major brand marketers. This needs to change, starting today. CAUCE will be posting a series of actual technical suggestions to help start the process.
Posted by: Dave Hendricks
Date: 2011-04-02 11:52:48
Subject: An easy way to do avoid this

email companies routinely transfer non-encrypted data via encrypted 'secure' FTP. It would make more sense to transfer data (i.e. email addresses) in a hashed format. Right now I am guessing that email addresses at ESPs are largely stored in simple flat tables in their original format (i.e. instead of in an encrypted format. By using a simple lookup table (containing the hashed counterpart) generated as the addresses are collected/stored, it might be possible to store email addresses at an ESP with lower risk of their being pirated. I am simplifying the architecture for this, but basically this is the same kind of thing that suppression vendors do to satisfy their clients' needs.
Posted by: Jordie van Rijn
Date: 2011-03-30 05:02:51
Subject: Attacks

Ken, there where any more attacks and thefts over the past year. Security is definitely an issue in the email industry. I would advise anyone selecting an emailvendor to consider the security measures they take to guarantee that your data is as safe as possible. Because a theft breaks down all that you have been working on: Trust. And accounts for a lot of negative PR around your brand. But how to measure / check if this issue is on the top prio list at your ESP, being just a single sender? Once i figure that out, i will definitely post it on, any suggestions / ideas on the matter are welcome.