There are several different issues in my opinion.

The first is the actual breach of confidential data. ANY program can have an exploit or vulnerability to hacking, and so NATS is far from unique for having hackers find an exploit. If this were a simple exploit, with a responsive company immediately notifying everyone and taking every possible step to secure things, people would be complaining, but people wouldn't be after blood.

In my humble opinion, the thing that has so many people so angry with TMM is the evidence (which I have not personally taken the time to investigate, but appears, simply from the dates on various postings on GFY, to be pretty solid) indicating that TMM knew there was a problem at least as far back as October, and possibly as far back as August, and not only did not notify program owners running NATS, but allegedly took action (lawsuit threats) against OC3 Networks, who originally identified the problem as a probable hack affecting more than one of their customers... and then, when OC3 didn't respond to the threats, TMM (according to reports by OC3) allegedly started threatening the OC3 customers who were affected, and pressured them to get OC3 to shut up on the topic.

If these allegations prove true, then TMM's action in trying to cover up the problem is far, far worse than the actual damage. And this is not the first allegation that TMM has in the past used legal threats to silence people saying bad things about its program (warranted or not). I believe that program owners as well as affiliates have a right to be very upset and concerned about a company that allegedly knows of problems and not only covers them up, but takes extra steps to threaten companies that attempt to get out the facts.

Now... in fairness to TMM, their defense is that they believed the problem was limited only to a very small number of programs, which is why they say they took no action to notify affiliates. However, the problem with this claim is that it would not have been difficult to contact, say, a dozen random program owners and ask to check the logs, or even to use the very logins the hackers allegedly used to see if the TMM admin accounts had been accessed other than by TMM. Since it seems a very large number of NATS-based affiliate programs were compromised, it seems very unlikely they took this step, or if they did, they still did nothing once they were aware of a problem. The only reason the problem came out was because a few program owners came forward on GFY, ignored the lawsuit threats, warned other program owners, and more and more people discovered they had been compromised.

As for CCBill, from everything I have heard, this sounds like an absolutely first-rate product, approached the right way, with a competent technical team. The only problem I have with it, which I would have with *any* processor-run program, is what happens if the processor suddenly goes belly-up. I honestly believe that the way CCBill runs its company, they are likely to be on very solid footing in the long run, but for a program that is 100% reliant on membership-based revenues, it is simply not a good strategy to have any single point of failure that does not have an easy recovery plan.

CCBill could remedy this problem (and may already have remedied it) by providing some sort of process where program owners can own all of their affiliate data, and can export and back up everything and easily port it over to another program, such as NATS, MPA, or Exec Stats, at any point. They have already taken the brave (and very wise) step of saying that clients using their software can do so even if CCBill is not the primary processor in the cascade, thereby winning billing clients through outstanding service rather than locking clients in.

In conclusion, there are still some pretty compelling reasons to use a third-party (non-processor-affiliated) billing solution. I am not aware of any affiliate software that is superior to NATS (and we have been looking for a while). However, there are equally (if not more) compelling reasons to seriously reconsider whether using NATS is the best solution for any program, given not so much the breach itself, but the alleged actions of the company in attempting to cover up the breach. If these allegations prove true, they really should provide any cautious and sensible program owner with good reasons to consider other alternatives.