Online retailer Play.com has been accused of leaking its customers’ email addresses to spammers.
Many customers reported receiving a spam email yesterday, offering an Adobe Reader upgrade which requires registration and payment. Some of these emails were sent to unique email addresses that have only been used at play.com, suggesting that the spammer had access to private customer details.
Most complaints relate to an email with the subject line “Get more done, much faster, with Acrobat X PDF Reader. Upgrade Available Now”
Read more on Netcraft.
Play.com has now acknowledged the breach. Patrick Goss reports:
Play.com, one of Britain’s best known online retailers, has suffered a security breach that has compromised customers’ email addresses and names.
Play has issued an email to customers admitting the problem and blamed its third-party marketing communications company for the leak.
Read more on TechRadar. The marketing firm was not named.
There seems to be a goodly number of complaints concerning hacked or leaked names and email addresses (and in some cases, passwords!) these days. I haven’t covered most of them on DataBreaches.net, but this is the second complaint like this I’ve received just this week involving people who used site-specific email addresses receiving spam and suspecting a leak or breach.
The other complaint I received this week was from a reader who has been receiving a number of spams and 419 attempts to an address that he created specifically for ProFlowers.com. ProFlowers.com did not respond to a request I sent them last week asking to speak to someone about the concern, and I have no idea if that situation could possibly be related to a breach involving SilverPop, a company that handles businesses’ email marketing lists, or if it’s wholly unrelated as SilverPop never released a list of affected clients after their breach. But we’ve seen a number of brick-and-mortar as well as online businesses like dating sites have their user lists or customer lists seemingly compromised in the past few months. Some of them may have been for personal reasons (e.g., Gawker was specifically targeted to teach them a lesson), while others may have been compromised for purposes of spamming.
Whatever’s going on, this is a good time to change passwords on accounts that you care about. Using site-specific passwords and usernames is also a good idea, as it will help you contain any damage should a user list be compromised and it will help you identify which company had the breach.
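One way to put the site-specific address advice into practice, as an added example that is not part of the original post: each address carries a keyed tag, so spam arriving at it can be tied to the one site it was given to, and a guessed address is not mistaken for a leak. It assumes a catch-all mailbox on a domain you control; `SECRET`, `DOMAIN` and the function names are hypothetical.

```python
import hashlib
import hmac

# Assumptions for this example (constructed values): a catch-all mailbox on
# a domain you control, and a secret known only to you.
SECRET = b"constructed-demo-secret"
DOMAIN = "example.org"
TAG_LEN = 8  # hex characters of the HMAC kept in the address


def _tag(site: str) -> str:
    """Keyed tag for a site name; cannot be computed without SECRET."""
    return hmac.new(SECRET, site.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def alias_for(site: str) -> str:
    """Address to register at `site`, of the form <site>.<tag>@DOMAIN."""
    site = site.strip().lower()
    return f"{site}.{_tag(site)}@{DOMAIN}"


def attribute(recipient: str):
    """Map a recipient address back to the site it was issued to.

    Returns the site name, or None when the address is not an issued alias
    (wrong domain, malformed, or a guessed/forged tag).
    """
    local, _, domain = recipient.strip().lower().rpartition("@")
    if domain != DOMAIN or "." not in local:
        return None
    site, _, tag = local.rpartition(".")
    if not site or not hmac.compare_digest(tag.encode(), _tag(site).encode()):
        return None
    return site


def leak_report(recipients):
    """Count unsolicited messages per issuing site from their recipient addresses."""
    counts = {}
    for rcpt in recipients:
        key = attribute(rcpt) or "<not an issued alias>"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: recipient addresses taken from unsolicited mail.
    spam_to = [alias_for("play.com"), alias_for("play.com"), "info@example.org"]
    print(leak_report(spam_to))
```

Because the tag is keyed, spam to a validly tagged address means the address came from that site or from a party it shared the address with, not from someone guessing `play.com@` on your domain.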
Thanks to “thesecuregolfer” for alerting me to the Play.com breach.
Update: It now appears that it was SilverPop that’s responsible for the Play.com incident. Now to find out if ProFlowers.com is also SilverPop-related.