Play.com Hack Exposes Customer Data

Jersey-based online retailer Play.com has suffered a data breach, or, more accurately, one of its service providers has been hacked. The thieves made off with an unspecified number of Play.com’s customers’ names and email addresses.

In an email to customers, the company wrote: “We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately, this has meant that some customer names and email addresses may have been compromised.”

Hackers May Have Gone Phishing

Although only names and email addresses are said to have been taken, web metrics company Netcraft says that some Play.com customers have contacted it claiming to have been the targets of spam emails. One customer blames the Play.com breach as the source of a phishing attempt.

“I use a unique email address for each website using the ‘plus’ addressing feature of GMail; in this case the phishing attack was sent to myemailaddress+play@gmail.com. This is pretty compelling evidence that Play.com are at fault,” the customer wrote. If this were an isolated case, it could have been possible that the spammer guessed the address based on GMail’s simplistic address generator.
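The attribution technique the customer describes, a unique plus-tagged alias per website so that the tag on an incoming phishing mail identifies which service leaked the address, can be applied systematically over a batch of flagged messages. The following is an added example, not code from the article or from Netcraft, Play.com or GMail; the recipient addresses in it are constructed, and the normalisation rules (dots ignored and case folded in the local part) are assumed to apply only to GMail domains. Counting hits per tag also captures the author's caveat: a single hit on one alias could be a guessed address, whereas repeated hits on the same tag are what makes the evidence compelling.

```python
import re
from collections import Counter

# Constructed sample: recipient addresses taken from the "To:" headers of
# messages a user flagged as phishing. These are made-up values, not data
# from the article.
SAMPLE_RECIPIENTS = [
    "my.email.address+play@gmail.com",
    "myemailaddress+play@gmail.com",
    "MyEmailAddress+Play@GMAIL.COM",
    "myemailaddress+bank@gmail.com",
    "myemailaddress@gmail.com",
    "someone.else+play@example.org",
]

# local part, optional "+tag", domain
ADDR_RE = re.compile(r"^([^@+]+)(?:\+([^@]+))?@([^@]+)$")


def split_address(addr):
    """Return (local_part, tag, domain) for a mailbox address; tag is None if absent."""
    m = ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not a mailbox address: {addr!r}")
    local, tag, domain = m.groups()
    return local, tag, domain.lower()


def canonical_mailbox(addr):
    """Map every variant of an address to one owner mailbox.

    Assumption: GMail ignores dots in the local part and is case-insensitive;
    for other domains only the case is folded, since their rules are unknown here.
    """
    local, _tag, domain = split_address(addr)
    local = local.lower()
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def attribute_leaks(recipients, owner):
    """Count, per plus-tag, how many flagged messages reached each alias of `owner`.

    Messages addressed to other mailboxes are ignored; untagged hits are
    counted separately so they do not get attributed to any one service.
    """
    counts = Counter()
    owner_canonical = canonical_mailbox(owner)
    for addr in recipients:
        if canonical_mailbox(addr) != owner_canonical:
            continue
        _local, tag, _domain = split_address(addr)
        counts[(tag or "").lower() or "<untagged>"] += 1
    return counts


def likely_source(recipients, owner, min_hits=2):
    """Return the tag with the most hits if it reaches `min_hits`, else None.

    One hit on an alias could be a guessed address; repeated hits on the same
    tag are the pattern that points at a particular service having leaked it.
    """
    counts = attribute_leaks(recipients, owner)
    counts.pop("<untagged>", None)
    if not counts:
        return None
    tag, n = counts.most_common(1)[0]
    return tag if n >= min_hits else None


if __name__ == "__main__":
    owner = "myemailaddress@gmail.com"
    print(attribute_leaks(SAMPLE_RECIPIENTS, owner))
    print("likely source:", likely_source(SAMPLE_RECIPIENTS, owner))
```

Run as a script it tallies the constructed sample and names the tag with the most hits; in practice the recipient list would be pulled from the headers of messages the user has reported, and `min_hits` sets how many hits on one alias are needed before a service is singled out.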

The emails purport to come from Adobe and offer “Adobe Acrobat X Reader” via hyperlinks. An official Adobe message would probably refer to the product as Adobe Reader X, and the links in the message lead to a blacklisted site – many recent browser releases would flag it as a dubious site.

The Buck Stops With Play.com

Mark Harris, vice president of SophosLabs, commented: “Even though Play.com has stated that the breach occurred with a third party, they are ultimately responsible for the security of their customers’ data.”

The danger is that the names and email addresses have been circulated to spam lists. This puts customers at risk. “The hackers could now use the addresses and target the customers with phishing emails and obtain such things as bank details by persuading them to open a malicious attachment which may then install malware or Trojans on to their PC,” said Ash Patel, country manager for Stonesoft.

Research into customer attitudes to security breaches by log analysis and event management specialist LogRhythm shows that Play.com could be in for a rough time ahead.

Ross Brewer, vice president and managing director for LogRhythm, said, “Our findings show that, when people hear about the loss of confidential information, they will actively avoid the organisations involved – 66 percent stated they would try to avoid future interactions, while 17 percent were adamant they definitely would not have anything more to do with the guilty party.”

In its Naked Security blog, Sophos advises: “Play.com customers should exercise additional caution when accessing their emails, even if they appear to come from trustworthy sources. Sophos advises users of Play.com to err on the safe side and change their passwords on Play.com.”

In November 2009, Play.com was involved in an ordering fiasco when it sent order confirmations to the wrong customers. This revealed names, addresses and payment details – but not any significant credit card information.

Play.com was rated as the most-visited UK site for music, video and games purchases in the 2010 Experian Hitwise chart of ‘Shopping and Classified’ sites. The company also sells books, gadgets and limited ranges of leisurewear.

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope. With expertise in security, the channel, and Britain's startup culture, through his TechBritannia initiative


  • In a second email, they were named as 'Silverpop': "We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses."
