Play.com Hack Exposes Customer Data

Following a breach, Play.com has shifted the blame onto an unnamed third-party market comms firm

Jersey-based online retailer Play.com has suffered a data breach, or, more accurately, one of its service providers has been hacked. The thieves made off with an unspecified number of Play.com’s customers’ names and email addresses.

In an email to customers, the company wrote: “We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately, this has meant that some customer names and email addresses may have been compromised.”

Hackers May Have Gone Phishing

Web metrics company Netcraft says that some Play.com customers have contacted it claiming to have been targeted by spam emails. One customer blames the Play.com breach as the source of a phishing attempt.

“I use a unique email address for each website using the ‘plus’ addressing feature of GMail; in this case the phishing attack was sent to myemailaddress+play@gmail.com. This is pretty compelling evidence that Play.com are at fault,” the customer wrote. Had this been an isolated case, the spammer could simply have guessed the address, since GMail’s plus-addressing scheme makes such tags easy to predict.

The emails purport to come from Adobe and offer “Adobe Acrobat X Reader” via hyperlinks. An official Adobe message would most likely refer to the product as Adobe Reader X, and the links in the message lead to a blacklisted site – many recent browser releases would flag it as dubious.
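The two observations above, the plus-addressed recipient that pins the leak to one service and the tell-tale signs in the message itself (wrong product name, link to a blacklisted host), can be turned into a small triage check. The following is an added example, not code from the article or from any of the companies it quotes; the sample email, the tag-to-service registry and the blocklist are all constructed here for illustration, and in practice the blocklist would come from a real reputation feed.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message modelled on the phishing described in the article.
# Not a real capture; domains use the reserved .example TLD.
SAMPLE_EML = """From: Adobe <updates@adobe-reader-update.example>
To: myemailaddress+play@gmail.com
Subject: Download Adobe Acrobat X Reader now
Content-Type: text/plain; charset=utf-8

Your free copy of Adobe Acrobat X Reader is ready.
Download: http://acrobat-x-free.example/download.exe
"""

# Hypothetical registry kept by the mailbox owner: which plus tag was given to which service.
TAG_REGISTRY = {"play": "Play.com", "bank": "Example Bank"}

# Constructed blocklist of known-bad hosts (placeholder for a real reputation feed).
BLOCKLIST = {"acrobat-x-free.example"}


def plus_tag(address):
    """Split 'user+tag@domain' into (user, tag); tag is None when no '+' is present."""
    _, addr = parseaddr(str(address))
    local, _, _domain = addr.partition("@")
    base, _, tag = local.partition("+")
    return base, (tag or None)


def extract_urls(text):
    """Return every http(s) URL in the text (stops at whitespace or quote characters)."""
    return re.findall(r"https?://[^\s<>\"']+", text)


def analyse(raw):
    """Triage one raw RFC 822 message and return the suspected leak source plus findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Plus-addressing: the tag tells us which service was given this address.
    _, tag = plus_tag(msg["To"])
    leaked_from = TAG_REGISTRY.get(tag)
    if leaked_from:
        findings.append(f"recipient tag '+{tag}' was only ever given to {leaked_from}")

    subject = str(msg["Subject"] or "")
    body = msg.get_body(preferencelist=("plain",)).get_content()

    # 2. Product-name check from the article: Adobe's own name is "Adobe Reader X".
    if "Adobe Acrobat X Reader" in subject + "\n" + body:
        findings.append("product called 'Adobe Acrobat X Reader' (official name is Adobe Reader X)")

    # 3. Links pointing at a blocklisted host.
    for url in extract_urls(body):
        host = urlparse(url).hostname
        if host in BLOCKLIST:
            findings.append(f"link to blocklisted host {host}")

    # 4. Sender domain that name-drops the brand without being the brand's own domain.
    _, sender = parseaddr(str(msg["From"]))
    sender_domain = sender.rpartition("@")[2].lower()
    if "adobe" in sender_domain and sender_domain != "adobe.com":
        findings.append(f"sender domain {sender_domain} is not adobe.com")

    return {"leaked_from": leaked_from, "findings": findings}


if __name__ == "__main__":
    result = analyse(SAMPLE_EML)
    print("suspected leak source:", result["leaked_from"])
    for f in result["findings"]:
        print(" -", f)
```

The registry is the piece that makes the attribution work: a plus tag only proves anything if the mailbox owner recorded which service received it, which is exactly what the quoted customer had done.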

The Buck Stops With Play.com

Mark Harris, vice president of SophosLabs, commented: “Even though Play.com has stated that the breach occurred with a third party, they are ultimately responsible for the security of their customers’ data.”

The danger is that the names and email addresses have been circulated to spam lists. This puts customers at risk. “The hackers could now use the addresses and target the customers with phishing emails and obtain such things as bank details by persuading them to open a malicious attachment which may then install malware or Trojans on to their PC,” said Ash Patel, country manager for Stonesoft.

Research into customer attitudes to security breaches by log analysis and event management specialist LogRhythm shows that Play.com could be in for a rough time ahead.

Ross Brewer, vice president and managing director for LogRhythm, said, “Our findings show that, when people hear about the loss of confidential information, they will actively avoid the organisations involved – 66 percent stated they would try to avoid future interactions, while 17 percent were adamant they definitely would not have anything more to do with the guilty party.”

In its Naked Security blog, Sophos advises: “Play.com customers should exercise additional caution when accessing their emails, even if they appear to come from trustworthy sources. Sophos advises users of Play.com to err on the safe side and change their passwords on Play.com.”

In November 2009, Play.com was involved in an ordering fiasco when it sent order confirmations to the wrong customers. This revealed names, addresses and payment details – but not any significant credit card information.

Play.com was rated as the most-visited UK site for music, video and games purchases in the 2010 Experian Hitwise chart of ‘Shopping and Classified’ sites. The company also sells books, gadgets and limited ranges of leisurewear.