Play.com Hack Exposes Customer Data

Following a breach, Play.com has shifted the blame onto an unnamed third-party market comms firm

By Eric Doyle, ChannelBiz

Jersey-based online retailer Play.com has suffered a data breach, or, more accurately, one of its service providers has been hacked. The thieves made off with an unspecified number of Play.com’s customers’ names and email addresses.

In an email to customers, the company wrote: “We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately, this has meant that some customer names and email addresses may have been compromised.”

Hackers May Have Gone Phishing

Although only names and email addresses appear to have been taken, web metrics company Netcraft says that some Play.com customers have contacted it claiming to have been targeted by spam emails. One customer blames the Play.com breach as the source of a phishing attempt.

“I use a unique email address for each website using the ‘plus’ addressing feature of GMail; in this case the phishing attack was sent to myemailaddress+play@gmail.com. This is pretty compelling evidence that Play.com are at fault,” the customer wrote. Were this an isolated case, the spammer could conceivably have guessed the address, since GMail’s plus-addressing scheme is easy to predict.
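The customer’s plus-addressing trick generalises into a simple leak-attribution check: record which tag was issued to which vendor, then compare the sender of every message hitting a tagged alias against that vendor’s known sending domains. The Python below is an added example, not code from the article or from any party named in it; the vendor registry, sending domains and sample messages are all constructed, and the per-vendor count of distinct unexpected senders reflects the caveat above that a single hit could be a guessed address.

```python
import re

# Constructed registry (assumption, not from the article): plus-tag -> vendor it was issued to, and that vendor's legitimate sending domains.
VENDOR_REGISTRY = {
    "play": {"vendor": "Play.com", "domains": {"play.com", "email.play.com"}},
}

ADDR_RE = re.compile(r"^([^@+]+)(?:\+([^@]+))?@([^@]+)$")

def split_plus_address(addr):
    """Return (local, tag, domain) for user+tag@domain; tag is None if absent."""
    m = ADDR_RE.match(addr.strip().lower())
    if not m:
        raise ValueError(f"not an email address: {addr!r}")
    local, tag, domain = m.groups()
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")  # Gmail ignores dots in the local part
    return local, tag, domain

def attribute_message(rcpt, sender, registry=VENDOR_REGISTRY):
    """Classify one inbound message by the plus-tag it was addressed to.
    expected: sender domain belongs to the vendor the tag was issued to
    leaked:   tag was issued to a vendor, but the sender is someone else
    unknown:  no tag, or a tag never issued (could simply have been guessed)"""
    _, tag, _ = split_plus_address(rcpt)
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    entry = registry.get(tag) if tag else None
    if entry is None:
        return {"tag": tag, "vendor": None, "verdict": "unknown"}
    verdict = "expected" if sender_domain in entry["domains"] else "leaked"
    return {"tag": tag, "vendor": entry["vendor"], "verdict": verdict}

def leak_report(messages, registry=VENDOR_REGISTRY):
    """Count distinct unexpected sender domains per vendor: one hit could be a
    guessed address; several unrelated senders on the same tag points at the vendor."""
    hits = {}
    for rcpt, sender in messages:
        r = attribute_message(rcpt, sender, registry)
        if r["verdict"] == "leaked":
            hits.setdefault(r["vendor"], set()).add(sender.rsplit("@", 1)[-1].lower())
    return {vendor: len(domains) for vendor, domains in hits.items()}

# Constructed sample traffic: one legitimate mailing and two lures sent to the Play.com alias from unrelated domains.
SAMPLE = [
    ("myemailaddress+play@gmail.com", "newsletter@email.play.com"),
    ("my.email.address+play@gmail.com", "adobe-reader@updates.example.net"),
    ("myemailaddress+play@gmail.com", "promo@bulk-sender.example.org"),
    ("myemailaddress@gmail.com", "someone@random.example.com"),
]
```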

The emails purport to come from Adobe and offer Adobe Acrobat X Reader via hyperlinks. An official Adobe message would probably refer to the product as Adobe Reader X, and the links in the message lead to a blacklisted site; many recent browser releases would flag it as dubious.

The Buck Stops With Play.com

Mark Harris, vice president of SophosLabs, commented: “Even though Play.com has stated that the breach occurred with a third party, they are ultimately responsible for the security of their customers’ data.”

The danger is that the names and email addresses have been circulated to spam lists. This puts customers at risk. “The hackers could now use the addresses and target the customers with phishing emails and obtain such things as bank details by persuading them to open a malicious attachment which may then install malware or Trojans onto their PC,” said Ash Patel, country manager for Stonesoft.

Research into customer attitudes to security breaches by log analysis and event management specialist LogRhythm shows that Play.com could be in for a rough time ahead.

Ross Brewer, vice president and managing director for LogRhythm, said, “Our findings show that, when people hear about the loss of confidential information, they will actively avoid the organisations involved – 66 percent stated they would try to avoid future interactions, while 17 percent were adamant they definitely would not have anything more to do with the guilty party.”

In its Naked Security blog, Sophos advises: “Play.com customers should exercise additional caution when accessing their emails, even if they appear to come from trustworthy sources. Sophos advises users of Play.com to err on the safe side and change their passwords on Play.com.”

In November 2009, Play.com was involved in an ordering fiasco when it sent order confirmations to the wrong customers. This revealed names, addresses and payment details – but not any significant credit card information.

Play.com was rated as the most-visited UK site for music, video and games purchases in the 2010 Experian Hitwise chart of ‘Shopping and Classified’ sites. The company also sells books, gadgets and limited ranges of leisurewear.

One reply to Play.com Hack Exposes Customer Data

  • On March 23, 2011 at 8:48 am by Connor

    In a second email, they were named as ‘Silverpop’: “We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses.”