FBI is investigating round of cyber break-ins
Silverpop Systems, Inc. of Atlanta, Georgia might be what you'd call
an extremely juicy target to malicious users. The company serves a
host of top-tier businesses, officially -- like Air New Zealand, Edgar
Online, Encyclopaedia Britannica, Mazda North American Operations,
Stamps.com, and USA Financial -- or unofficially -- like McDonald's
and Walgreens.
Many of its clients come courtesy of the marketing services arm of
Leo Burnett USA, Arc Worldwide.
Sometime over the last few weeks Silverpop went from being a prime
target to being a victim of unwanted intrusion. If you give out your
email address to the businesses you frequent, there's a strong
possibility that it may have been stolen.
"We Were Hacked"
McDonald's posted a notice to customers this week stating:
Unfortunately, a third party was able to defeat the security measures put in place
by the email database management firm to protect the information you
provided to us. Law enforcement authorities have been notified
and are investigating the matter.
Similarly, Walgreens posted:
Dear Valued Customer,
We recently became aware of unauthorized access to an email list of
customers who receive special offers and newsletters from us. As a
result, it is possible you may have received some spam email messages
asking you to go to another site and enter personal data. We are
sorry this has taken place and for any inconvenience to you.
We want to assure you that the only information that was obtained was
your email address. Your prescription information, account and any
other personally identifiable information were not at risk because
such data is not contained in the email system, and no access was
gained to Walgreens consumer data systems.
As a company, we absolutely believe that all customer relationships must
be built on trust. That is why we believe it is important to inform
you of this incident. Online security experts have reported an
increase in attacks on email systems, and therefore we have
voluntarily contacted the appropriate authorities and are working
with them regarding this incident.
We encourage you to continue to be aware of increasingly common email
scams that may use your email address to contact you and ask for
personal or sensitive information. Always be cautious when opening
links or attachments from unsolicited third parties. Also know that
Walgreens will not send you emails asking for your credit card
number, social security number or other personally identifiable
information. So if ever asked for this information, you can be
confident it is not from Walgreens.
If you have any questions regarding this issue, please contact us at
1-888-980-0963. We take your privacy very seriously, and we will
continue to work diligently to protect your personal information.
Sincerely,
Walgreens Customer Service Team
And deviantART, another Silverpop customer, wrote:
Silverpop Systems, Inc., a leading marketing company that sends email
messages for its clients, told us that information was taken from its
servers. This was probably part of a sweep by spammers. As
a result, email addresses belonging to deviantART members were
copied. Corresponding usernames and birth date may also have been
removed.
We can assure you that nothing occurred
on our systems with respect to this incident and no access was gained
to private information on deviantART’s servers.
As a member of deviantART, you certainly have a right to know when an
incident of this kind occurs. Unfortunately spammers are an
unavoidable part of living on the Web.
The likely
result of this event might be an increase in spam to your email.
Experts have told us that there is an increase in email scams out
there on the Internet and you should be cautious. Only click links or
download attachments from people you know, particularly if they ask
for personal information, and be sure that your email service
provider has adequate spam filters.
Because we value the
information that members give us, we have decided not to rely on the
services of Silverpop in the future and their servers will no longer
hold any data from us.
McDonald's alone has over 13 million customers on its e-mail roll, so millions
of people may now find their information in the hands of spammers or
phishers. Silverpop stores email addresses, usernames, and
birth dates for their clients, so presumably for some individuals all
of this information may have fallen into the wrong
hands.
Silverpop's CEO Bill Nussey claims that only "a small percentage of
customer accounts" were compromised. He writes:
First, we have confirmed that our quick reaction to reset customer passwords
was successful in halting the attack. Second, the specialized
monitoring systems run by our outside experts continue to confirm
that our existing and enhanced security measures are successfully
protecting our application and our customers. Third, we are confident
that our application infrastructure, the servers and networks behind
our products, was not targeted or compromised as part of this
attack. ...
In parallel to our customer and security-focused efforts, we continue to
work with law enforcement to identify the criminals that have
targeted us and several other companies in our industry. Stephen
Emmett, one of the FBI special agents we have been communicating
with, allowed me to share the following: “We have been and continue
to work with Silverpop and others in the industry who have had
criminals attempt to breach their systems and security safeguards. We
are focused on identifying those that committed these cybercrimes and
bringing them to justice.”
The media has recently been covering the security disclosures of several
large brands. It is important to clarify that several of these large
brands have never been Silverpop customers. I’m hopeful it is clear
that the disclosed attacks cover multiple companies in our space and
we, as an industry, need to work together to protect the security of
all of our customers.
At this point it is unclear what "several other companies"
(presumably database firms) were targeted by this attack. But
this is clearly one of those massive attacks where we may only be
seeing the tip of the iceberg.
Who's Responsible?
The bottom line is that no one seems to have a clear idea who's to
blame for the massive attack. In an interview with The Register, Agent
Emmett comments, "[The attack] appears to be emanating from an
overseas location."
Of course the individuals involved are clearly highly sophisticated to
be able to pull off such a massive penetration. Given that,
they could easily be anywhere in the world, disguising their true
location by rerouting through connections in other countries.
What does seem clear, though, is that the attack is ambitious enough
that it seems unlikely to have been done out of a motivation to annoy
or earn bragging rights. More likely, whoever stole information
from the database was trying to get emails to use as part of a bigger
phishing or spam scheme.
Users who did business with Silverpop's customers (or other
businesses) should be particularly on the lookout for fraudulent
emails in the near future.
It would
be very tempting to think that the attack might have come from either
of the known perpetrators of other recent major security breaches --
Gnosis or Anonymous. But that thought would likely be entirely
incorrect.
It is highly unlikely that this attack had anything
to do with the recent
hack on Gawker Media by Gnosis. Gnosis was very open
about its hack on the Gawker sites, but mentioned nothing about
Silverpop. And the attack clearly doesn't seem their style
(they hacked Gawker because they perceived its leadership as
arrogant).
Similarly, it seems equally unlikely that the hacking was done by
Anonymous -- the group of hackers who frequent the 4chan image board
and were responsible for recent Wikileaks-related distributed denial
of service attacks on various financial institutions. Stealing email
addresses doesn't really seem the style of Anonymous, based on their
past activity.
There's a faint possibility that the hack was done by security
researchers who wanted to call out Silverpop and others on poor
security. Goatse Security recently used a basic web-interface
scraping tactic to grab 100,000+ emails of iPad subscribers.
More likely, however, this is the work of spammers or phishers, who
can leverage their newfound wealth of emails for their typical ill
purposes. Russia, China, Nigeria, and Eastern Europe are typical
havens for spammers. And of course, the U.S. also has its fair share
of spammers.
Hopefully the FBI will get to the
bottom of this one, but in the meantime, beware your inbox.