If you have never opted in to our monthly newsletter, this will not affect you. If you have opted in to our monthly newsletter, then you should read this.

A third party newsletter software used to manage our monthly newsletter has been the subject of a cyber attack. After our last newsletter, two users reported that they had started to receive unsolicited emails using email addresses only used with Majestic. As a result, we are investigating a probable compromise of the email system and we believe that the third party software has been compromised.

No passwords or card information have been compromised – we believe only email addresses were taken, but we are provided extra security advice in the event that display names were also compromised.

Is there any Danger to Me?

Whilst the damage is fortunately limited to spammers accessing email addresses, we are sorry that the breach has occurred and felt it was appropriate to inform our users of the theft. Fortunately, the danger is small. Most spam emails are easy to recognize. We ALL get them, because email addresses are inherently insecure. In the unlikely event your display name was compromised, you might be more prone to falling for a Phishing email, because the spammer might use the display name as a “trust signal” to help you believe an email comes from Majestic SEO or from somewhere else where you may have used the same display name. We recommend that you maintain an email spam filter on your emails. Here are a number of free ones if you are not already protected:

Because of the way in which we believe the database to have been accessed, we are reasonably confident that no display name information was actually taken and no other identifiable information was in the system in any event.

Do I have to Change my Password?

The passwords were not part of the newsletter system and indeed this was one of the reasons why we used a third party solution for Newsletter management, so that we did not compromise the main accounts. You are of course welcome to change your password at any time, but it has not been compromised. If you would also like to change your display name, this is also straightforward  to update your details. If you want to change your email address on our system moving forward, please set up a support ticket whilst logged in if you feel this is necessary.

Can I Trust Majestic with my Credit Card details?

We have never directly seen your card details or stored these as we use reputable third party companies, Paypal and Cybersource (which is owned by VISA), to collect these details. We do not keep them even on our most secure systems.

Was the Newsletter System some Freebie Software?

No – it was a commercial and paid for system. The software was up to date and we had a maintenance contract in place. We hosted the system on separate servers to our main systems, which allowed us to manage the newsletters from offsite, with appropriate password protection. This means that every month, we recorded anyone that had unsubscribed and updated the client database, then exported the email addresses of those opted into our newsletter into a CSV file. This CSV file was then uploaded to the software without any personal information (except the display name and email).

We are not aware of our passwords being given away or exposed and we continue to investigate how the software was in fact accessed. We do not believe it was negligence on our part, but we are extremely sorry that it has happened.

How have you fixed the problem?

We have now made the newsletter administration totally inaccessible from outside Majestic SEO. We will decommission it.

How can I Unsubscribe from Majestic’s newsletter?

You can check your newsletter settings when logged in here. We will wait a short while before sending out the next newsletter – which we are still keen to do, to inform those people that do not read our blog.

We Sincerely Apologise.

We want to say that we are extremely sorry that this breach has occurred. We are treating this unauthorized access with the utmost severity.

Have you reported the theft?

Yes, to the British Information Commissioner’s Office (ICO), where we are registered under the UK Data Protection Act. It is their decision as to what action to take next if any.

Complaints and Comments.

Whilst we are keen to be transparent about the breach, we are also more mindful than ever about further compromise of our security. As such, if you have any specific concerns, please set up a support ticket whilst logged in to your account. Being logged in will confirm your email address to us so we can assess whether you have been affected. If you do feel the need to comment below, please bear in mind that we will be moderating these comments and have an ongoing investigation in progress, so not all comments will be published.

Comments

  • Jem Shaw

    Thank you for dealing responsibly and frankly with this problem. As you say, the actual effect of the compromise is unlikely to be anything other than a minor irritation, but it’s encouraging to see that you’re nevertheless treating it with such importance.

    It’s the nature of the Internet that it bites all of us from time to time; it’s the nature of a professional company to respond correctly. I remain impressed by the way you operate.

    August 9, 2013 at 9:46 am
  • J Wilson

    I think it is really irresponsible for you not to publish the name of the system that was compromised.

    August 9, 2013 at 11:38 am
    • Steve Pitchford

      Thank you for your comment.

      Currently we are working with all parties involved to find the root cause of the breach, revealing limited information or accusing any provider prematurely would be wrong in this situation.

      We thank you for your understanding.

      August 9, 2013 at 11:52 am
      • Johnd

        > I agree with you you need to keep a lid on your suspicions on the actual cause of the breach is acertained with complete certainty but I agree with the previous commentator that you should reveal this info in due course.

        August 9, 2013 at 4:48 pm
      • Robbi Drake

        > Thanks for your fast reporting. Incidentally, Breach is the correct spelling. Breech, like you guys have it in your article. is an upside down birth.. :) Give that a look maybe..

        Robbi.

        August 10, 2013 at 6:09 am
      • Steve Pitchford

        Thanks Robbi,

        That is altered now.

        August 10, 2013 at 11:33 am
    • Michael Taylor

      > J Wilson, that could potentially expose MajesticSEO to unwanted legal problems.

      It’s just potential spam delivery. It’s not like the thieves know where you live or what color your underwear is.

      August 9, 2013 at 3:27 pm
  • Albert

    Thanks for being Transparent.

    August 9, 2013 at 3:03 pm
  • Simon T

    The correct way to handle a breach and your candour is to be congratulated.

    Re- J Wilson’s comments regarding irresponsible not publishing the name of the system that was compromised I completely disagree.

    Publishing now, before all the facts are in, would be reckless.

    You have a duty to your company and employees as well as your customers.

    Publishing this further down the line may still leave you open to unnecessary litigation. What would be gained by customers?

    August 9, 2013 at 9:03 pm
  • Drachsi

    Congratulations. This is an excellent example of how to handle a problem.

    Maybe you should all stand as politicians in the next elections, this level of honesty is needed everywhere

    August 10, 2013 at 7:12 am
  • Amy

    Thank you for the heads up. I am certain that this happens more often than we would like to think, but companies do not take the time to inform clients, as you have.

    I applaud your efforts in this matter.

    August 10, 2013 at 10:34 pm
  • Online Marketing Ireland

    Interesting.. hmm password changes in place.

    August 12, 2013 at 3:13 pm

Comments are closed.