Jersey-based online retailer Play.com has suffered a data breach, or, more accurately, one of its service providers has been hacked. The thieves made off with an unspecified number of Play.com’s customers’ names and email addresses.
In an email to customers, the company wrote: “We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately, this has meant that some customer names and email addresses may have been compromised.”
“I use a unique email address for each website using the ‘plus’ addressing feature of GMail; in this case the phishing attack was sent to myemailaddress+play@gmail.com. This is pretty compelling evidence that Play.com are at fault,” the customer wrote. If this were an isolated case, the spammer might simply have guessed the address, since GMail’s plus-address scheme is easy to predict; a tagged address turning up in spam is only strong evidence when the tag was not guessable or the same pattern is seen repeatedly.
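The plus-address attribution the customer describes, as an added example that is not from the article or from any company named in it: it parses the To: address of an unsolicited message, looks the tag up in a constructed registry of which site was given which tag, and reports repeated hits separately from a single hit that a spammer might have guessed. The mailbox, the tag registry and the sample headers are assumptions made for the example.

```python
import re
from collections import Counter
from email.utils import parseaddr

# Constructed registry: which site each plus tag was handed to (assumed values).
SITE_TAGS = {"play": "Play.com", "shop2": "Other Retailer (placeholder)"}
MY_MAILBOX = ("myemailaddress", "gmail.com")  # assumed mailbox from the quote

PLUS_ADDR = re.compile(r"^([^@+]+)(?:\+([^@]*))?@([^@]+)$")

def split_plus_address(header_value):
    """Parse 'Name <user+tag@host>' into (local, tag, domain); None if malformed."""
    _, addr = parseaddr(header_value)
    m = PLUS_ADDR.match(addr)
    if not m:
        return None
    local, tag, domain = m.groups()
    # Gmail ignores dots in the local part, so strip them before comparing.
    return local.replace(".", "").lower(), (tag or "").lower(), domain.lower()

def attribute_recipient(header_value):
    """Report which site the To: address of an unsolicited message was given to."""
    parts = split_plus_address(header_value)
    if parts is None:
        return {"status": "unparseable"}
    local, tag, domain = parts
    if (local, domain) != MY_MAILBOX:
        return {"status": "not-my-mailbox"}
    if not tag:
        return {"status": "no-tag"}  # bare address: nothing to attribute
    site = SITE_TAGS.get(tag)
    if site is None:
        return {"status": "unknown-tag", "tag": tag}
    return {"status": "attributed", "tag": tag, "site": site}

def summarise(to_headers):
    """Count hits per site; one hit may be a guessed tag, repeats are stronger evidence."""
    hits = Counter()
    for header in to_headers:
        result = attribute_recipient(header)
        if result["status"] == "attributed":
            hits[result["site"]] += 1
    return {site: ("repeated" if n > 1 else "single") for site, n in hits.items()}

# Constructed sample To: headers from a spam folder.
SAMPLE_TO_HEADERS = [
    "myemailaddress+play@gmail.com",
    "Customer <MyEmailAddress+Play@gmail.com>",
    "myemailaddress@gmail.com",
    "myemailaddress+unknown@gmail.com",
    "not-an-address",
]
```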
The phishing emails purport to come from Adobe and offer Adobe Acrobat X Reader via hyperlinks. If this were an official Adobe message, the product would probably be referred to as Adobe Reader X; moreover, the links in the message lead to a blacklisted site, which many recent browser releases would flag as dubious.
The Buck Stops With Play.com
Mark Harris, vice president of SophosLabs, commented: “Even though Play.com has stated that the breach occurred with a third party, they are ultimately responsible for the security of their customers’ data.”
The danger is that the names and email addresses have been circulated to spam lists, which puts customers at risk. “The hackers could now use the addresses and target the customers with phishing emails and obtain such things as bank details by persuading them to open a malicious attachment which may then install malware or Trojans on to their PC,” said Ash Patel, country manager for Stonesoft.
Research into customer attitudes to security breaches by log analysis and event management specialist LogRhythm shows that Play.com could be in for a rough time ahead.
Ross Brewer, vice president and managing director for LogRhythm, said, “Our findings show that, when people hear about the loss of confidential information, they will actively avoid the organisations involved – 66 percent stated they would try to avoid future interactions, while 17 percent were adamant they definitely would not have anything more to do with the guilty party.”
In its Naked Security blog, Sophos advises: “Play.com customers should exercise additional caution when accessing their emails, even if they appear to come from trustworthy sources. Sophos advises users of Play.com to err on the safe side and change their passwords on Play.com.”
In November 2009, Play.com was involved in an ordering fiasco when it sent order confirmations to the wrong customers. This revealed names, addresses and payment details – but not any significant credit card information.
Play.com was rated as the most-visited UK site for music, video and games purchases in the 2010 Experian Hitwise chart of ‘Shopping and Classified’ sites. The company also sells books, gadgets and limited ranges of leisurewear.
In a second email, they were named as 'Silverpop': "We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses."