how to embed constant contact without site getting hacked

[wildbelonging]

hi all, i injected the code provided by constant contact into my site so that people could sign up for my newsletter and their information would go directly into my constant contact account. however, my site was hacked and in following up with squarespace, they said that this often happens for people who embed codes into their pages. has anyone navigated this before? are there any strategies to minimize the risk of hacking?

[Wolfsilon]

Hello,

I'm sorry to hear about your issue, If I remember correctly, Constant Contact was effected by the SolarWinds hacking attack that took place earlier this year. Apparently (according to your post), still taking place, which is crazy to me. Your site or CC account was most likely accessed because of a leak stemming from Constant Contact. That seems to be the known common denominator here. If your sites server was accessed and not your actual Squarespace account, there's not much you can do and the damage is done, whatever that may be. I would recommend changing your password and enabling two factor verification for your SS account. You should use a trusted authorization app to generate your passkeys. If you have clients hosted or signed up on your site, or use your website, you should notify them. 

A general rule of thumb for the future -- The more lines of code and injections from third party sources, the higher the risk of being attacked. You didn't do anything wrong here though, as this wasn't in your control. Embedding content is usually safe, unless the source of the embedded app is compromised. In this case, you also should've been notified by Constant Contact about the scope of the attack, when it happened, and what you should do. If not directly notified, there are usually briefs that are made available to users.

Hope this helps, and good luck,

-Dan