I suspect iContact.com has suffered a data security compromise.
Summary

I have received four nearly-identical spams to four different addresses known only to myself and four distinct websites. These four websites all use iContact.com for newsletter mailing. I have also received this spam to a spam-trap address, but importantly, to no other unique addresses that I use with other websites. The evidence points strongly to a data breach at iContact.com.
Evidence

Four addresses known only to four websites and myself have begun receiving spam today. Each address below links through to the spam in question.
All four websites in question (photonlight, slimelight, macheist and bloomsbury) have sent me emails via iContact. Extracts of the beginning headers of legitimate emails are as follows:
Received: from drone15.ral.icpbounce.com ([::ffff:66.192.165.135])
  by mx10.faelix.net with esmtp; Wed, 30 Dec 2009 19:16:37 +0000
  id 0000C014.4B3BA715.00001A1E
Received: from localhost.localdomain (localhost [127.0.0.1])
  by drone15.ral.icpbounce.com (Postfix) with ESMTP id CA9D776C0CC
  for <photonlight@maz.nu>; Wed, 30 Dec 2009 14:16:36 -0500 (EST)
Date: Wed, 30 Dec 2009 14:16:36 -0500
To: photonlight@maz.nu

Received: from drone5.rtp.icpbounce.com ([::ffff:74.202.227.45])
  by mx10.faelix.net with esmtp; Mon, 27 Jul 2009 10:17:55 +0000
  id 00006005.4A6D7ED3.000023ED
Received: from localhost.localdomain (localhost [127.0.0.1])
  by drone5.rtp.icpbounce.com (Postfix) with ESMTP id A13E6438A76
  for <bloomsbury.com@maz.nu>; Mon, 27 Jul 2009 06:17:50 -0400 (EDT)
Date: Mon, 27 Jul 2009 06:17:50 -0400
To: bloomsbury.com@maz.nu

Received: from smtp8.icpbounce.com ([::ffff:216.27.93.118])
  by faelix.net with esmtp; Sun, 15 Mar 2009 01:02:05 +0000
  id 000013D9.49BC538D.0000767F
Received: from localhost.localdomain (localhost [127.0.0.1])
  by smtp8.icpbounce.com (Postfix) with ESMTP id 6E1AF97161
  for <macheist.com@maz.nu>; Sat, 14 Mar 2009 21:01:44 -0400 (EDT)
Date: Sat, 14 Mar 2009 21:01:44 -0400
To: macheist.com@maz.nu

Received: from smtp3.icpbounce.com ([::ffff:216.27.93.123])
  by mx10.faelix.net with esmtp; Thu, 14 Jan 2010 17:59:02 +0000
  id 0000C00A.4B4F5B66.0000129A
Received: from localhost.localdomain (localhost [127.0.0.1])
  by smtp3.icpbounce.com (Postfix) with ESMTP id 4124C596396
  for <slimes@maz.nu>; Thu, 14 Jan 2010 12:58:58 -0500 (EST)
Date: Thu, 14 Jan 2010 12:58:58 -0500
To: slimes@maz.nu
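The correlation behind this evidence can be done mechanically. The script below is an added example, not the author's own tooling: it parses the four header extracts above (reflowed into one header block each, Date: lines omitted), keeps only the Received hop written by our own MX (assumed here to be any host under faelix.net, as the "by" clauses show), and groups the per-site recipient addresses by the registrable domain of the host that handed the mail to us. Hops further down the chain were written by the sender's own servers, so they are parsed but not used for attribution. Run the same functions over the spam messages and compare the two tables; the distinct relay IPs are what an abuse report would quote.

```python
import email
import re
from collections import defaultdict

# Assumption: the domain of our own receiving MX, taken from the
# "by mx10.faelix.net" / "by faelix.net" clauses in the quoted headers.
OUR_MX_DOMAIN = "faelix.net"

# Constructed sample: the four header extracts quoted above, reflowed into one
# header block per message (Date: lines dropped, nothing else changed).
HEADER_SAMPLES = [
    """Received: from drone15.ral.icpbounce.com ([::ffff:66.192.165.135])
  by mx10.faelix.net with esmtp; Wed, 30 Dec 2009 19:16:37 +0000 id 0000C014.4B3BA715.00001A1E
Received: from localhost.localdomain (localhost [127.0.0.1])
  by drone15.ral.icpbounce.com (Postfix) with ESMTP id CA9D776C0CC
  for <photonlight@maz.nu>; Wed, 30 Dec 2009 14:16:36 -0500 (EST)
To: photonlight@maz.nu""",
    """Received: from drone5.rtp.icpbounce.com ([::ffff:74.202.227.45])
  by mx10.faelix.net with esmtp; Mon, 27 Jul 2009 10:17:55 +0000 id 00006005.4A6D7ED3.000023ED
Received: from localhost.localdomain (localhost [127.0.0.1])
  by drone5.rtp.icpbounce.com (Postfix) with ESMTP id A13E6438A76
  for <bloomsbury.com@maz.nu>; Mon, 27 Jul 2009 06:17:50 -0400 (EDT)
To: bloomsbury.com@maz.nu""",
    """Received: from smtp8.icpbounce.com ([::ffff:216.27.93.118])
  by faelix.net with esmtp; Sun, 15 Mar 2009 01:02:05 +0000 id 000013D9.49BC538D.0000767F
Received: from localhost.localdomain (localhost [127.0.0.1])
  by smtp8.icpbounce.com (Postfix) with ESMTP id 6E1AF97161
  for <macheist.com@maz.nu>; Sat, 14 Mar 2009 21:01:44 -0400 (EDT)
To: macheist.com@maz.nu""",
    """Received: from smtp3.icpbounce.com ([::ffff:216.27.93.123])
  by mx10.faelix.net with esmtp; Thu, 14 Jan 2010 17:59:02 +0000 id 0000C00A.4B4F5B66.0000129A
Received: from localhost.localdomain (localhost [127.0.0.1])
  by smtp3.icpbounce.com (Postfix) with ESMTP id 4124C596396
  for <slimes@maz.nu>; Thu, 14 Jan 2010 12:58:58 -0500 (EST)
To: slimes@maz.nu""",
]

# "from HOST (HELO [IP]) by HOST": the HELO part is optional, as in the first hop above.
HOP_RE = re.compile(
    r"^from\s+(?P<host>\S+)\s+\((?:(?P<helo>\S+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)")

def parse_hops(raw_headers):
    """Received hops of one message, most recent first, as host/ip/by dicts."""
    hops = []
    for value in email.message_from_string(raw_headers).get_all("Received", []):
        m = HOP_RE.match(" ".join(value.split()))   # unfold continuation lines
        if m:
            ip = m.group("ip")
            if ip.startswith("::ffff:"):            # IPv4-mapped IPv6 literal
                ip = ip[len("::ffff:"):]
            hops.append({"host": m.group("host"), "ip": ip, "by": m.group("by")})
    return hops

def handoff_hop(raw_headers):
    """The hop written by our own MX.  Its 'from' host is the last external
    relay; hops below it were written by the sender and are not trusted."""
    for hop in parse_hops(raw_headers):
        by = hop["by"]
        if by == OUR_MX_DOMAIN or by.endswith("." + OUR_MX_DOMAIN):
            return hop
    return None

def registered_domain(host):
    """Crude registrable-domain approximation: the last two labels."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def correlate(samples):
    """Map each relay domain to the sorted per-site addresses it delivered to."""
    table = defaultdict(set)
    for raw in samples:
        hop = handoff_hop(raw)
        if hop:
            to = email.message_from_string(raw)["To"].strip()
            table[registered_domain(hop["host"])].add(to)
    return {domain: sorted(addrs) for domain, addrs in table.items()}

def common_relay_domain(samples):
    """The one relay domain every message shares, or None if there isn't one."""
    table = correlate(samples)
    if len(table) == 1:
        (domain, addrs), = table.items()
        if len(addrs) == len(samples):
            return domain
    return None

def relay_ips(samples):
    """Distinct handoff-relay IPs, e.g. for quoting in an abuse report."""
    return sorted({handoff_hop(raw)["ip"] for raw in samples if handoff_hop(raw)})

if __name__ == "__main__":
    print(correlate(HEADER_SAMPLES))
    print(common_relay_domain(HEADER_SAMPLES), relay_ips(HEADER_SAMPLES))
```

On these four extracts every handoff hop resolves to icpbounce.com, which is the observation the post rests on. The last-two-labels domain approximation is deliberately crude; for hosts under country-code second-level domains (co.uk and the like) a public-suffix list would be needed.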
The only other address to receive the junk-mail in question is a spam-trap, known to receive large amounts of spam: my Debian consultant email address. No other addresses I use (there are several hundred) have received this spam today. Therefore I do not feel that a virus on my laptop or a compromise of my mail servers has leaked these addresses.
I feel it is highly unlikely that four different websites would all have their mailing list databases separately compromised. Applying Occam’s Razor, the simplest explanation is that the common element — iContact.com — is the source of these email addresses of mine.
It is my belief, having read their website and spoken to customer services, that iContact do abide by their strict privacy and anti-spam policies. I do not believe they have sold their address database to spammers. I fear they have been victims of an attack against their database servers, or possibly a disgruntled insider has leaked their database.
Their abuse team has been notified, and I await their feedback.