To those of you who may have been affected by the hacking of our mass-email services provider late last weekend, the following information is everything that we are currently up to speed on:
Our mass-email services provider, Campaign Monitor, had a large portion of their database hacked into last weekend (which continued through the middle of this week), and many of their clients' email lists were compromised, including Threadless's. As a result, a number (still unknown exactly how many as of this post) of our community members' and newsletter subscribers' email addresses were compromised, and those addresses have been hit with spam.
We can assure you that we always take your privacy very seriously and we sincerely apologize for any inconvenience this unfortunate incident may have caused. This is a vendor that we are no longer utilizing and we hope that we don't incur problems like this in the future.
This is a post from earlier this week with some details; we'll provide the update shortly thereafter:
Hey everyone - I wanted to clear up a few points before some rumors and speculation start becoming confused with what is actually happening.
Why does this vendor even have an email list to begin with?
Because this vendor provided mass-email messaging services for us (namely sending out newsletters, upcoming sale info, etc.). When we send out our weekly newsletter, keep in mind it goes to hundreds of thousands of subscribers - the process isn't as simple as typing in "to: everyone" then clicking send. As our community grew, it became very difficult to send out our newsletters and updates in house, thus the need for a third-party vendor to provide these services.
So why do they still have the list if you haven't used them in 6 months?
Because when you walk away from a vendor that provides these services, it's not just a clean break. These vendors are required to keep these lists for some time because of opt-out lists - community members opt out/unsubscribe from old emails all the time - emails that were sent through the old vendor. This is really common practice and above all, it keeps us compliant with the spam laws regarding the ability of recipients to opt out of our communications (i.e. CAN-SPAM Act of 2003).
So what really happened?
The vendor in question (I am purposely not giving their name at this point because their site is still under attack as of this message) is being aggressively attacked by some evil hackers who not only gained access to our mailing list, but gained access to at least a few of their other clients' email databases as well.
We are currently working with this vendor to assess the damage and find out how many email addresses were actually obtained. Once we have this information, we will be contacting those people who were affected by this unfortunate incident.