Welcome to the MSE Forums

  • FIRST POST
    • DonnyDave
    • By DonnyDave 20th Mar 11, 2:20 PM
    • 1,568 Posts
    • 438 Thanks
    Spam from "GSN" to e-mail address registered on Play.com
    • #1
    • 20th Mar 11, 2:20 PM
    I have just received a spam message to play@mydomain which has only ever been given to online retailer Play.com:


    From: GSN - Play Every Day <GSNnews@email.gsn.com>
    Subject: Get more done, much faster, with Acrobat X PDF Reader. Upgrade Available Now
    __________
    GETTING MORE DONE AT WORK NOW COMES IN A CONVENIENT BOX

    See how Adobe Acrobat X Reader is a step above anything you've experienced before, so you can be even more productive.

    Upgrade now: <spam link removed>

    Just how much faster can you work with Adobe Acrobat PDF Reader
    software? Fast enough to stay on top of last-minute changes, connect
    with key decision makers, and share updates with co-workers.

    You'll discover how easy it is to reuse content by exporting PDF files
    to Microsoft Word or Excel formats. And how quickly you can automate
    multi-step tasks with new, guided Actions. No wonder PC Magazine
    says, "There's a lot to like in Acrobat X PDF Reader." See for yourself at :

    <spam link removed>

    Copyright 2011 Adobe Systems Incorporated. All rights reserved.

    Adobe Systems Incorporated
    343 Preston Street
    Ottawa, ON K1S 1N4
    Canada
    I am concerned that this may be as a result of a security breach at Play.com.
    Last edited by DonnyDave; 20-03-2011 at 11:09 PM. Reason: Link removed
    Dave
    Say no to 0870!
Page 2
  • dragonmeat
    I too received the email this morning. I use a unique email address for each website using the plus addressing feature of gmail; in this case the phishing attack was sent to myemailaddress+play@gmail.com. This is pretty compelling evidence that play.com are at fault.
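    The per-site alias trick dragonmeat describes is also easy to automate. The following is an added example, not code from the thread or from any of the companies named in it: it parses an incoming message, recovers the service tag from the recipient address (both the Gmail "user+tag" style and the "tag@mydomain" catch-all style used earlier in the thread), and reports when mail to that alias arrives from a domain the service does not send from. The registry of tags, service names and expected sender domains, and the sample message, are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional, Set, Tuple

# Constructed registry (not from the thread): which alias tag was handed to
# which service, and which sender domains that service legitimately mails from.
ALIAS_REGISTRY: Dict[str, Tuple[str, Set[str]]] = {
    "play": ("Play.com", {"play.com"}),
    "bt": ("BT", {"bt.com"}),
}

# Constructed message modelled on the spam quoted in the first post; the
# recipient uses Gmail plus addressing as dragonmeat describes.
SAMPLE_SPAM = """\
From: GSN - Play Every Day <GSNnews@email.gsn.com>
To: myemailaddress+play@gmail.com
Subject: Get more done, much faster, with Acrobat X PDF Reader

Upgrade now.
"""


def alias_tag(address: str) -> Optional[str]:
    """Extract the per-service tag from a recipient address.

    Supports both styles used in the thread: Gmail plus addressing
    ('user+play@gmail.com' -> 'play') and a catch-all domain where the
    local part itself names the service ('play@mydomain' -> 'play').
    """
    local, _, domain = address.strip().lower().partition("@")
    if not local or not domain:
        return None
    if "+" in local:
        return local.split("+", 1)[1] or None
    return local


def attribute_leak(raw_message: str, registry=ALIAS_REGISTRY) -> Optional[Tuple[str, str]]:
    """Return (service the alias was given to, actual sender domain) when mail
    to a registered alias arrives from a domain that service does not send
    from; None when the alias is unknown or the sender is the expected service."""
    msg = message_from_string(raw_message)
    _, to_addr = parseaddr(msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    tag = alias_tag(to_addr)
    if tag is None or tag not in registry:
        return None
    service, expected_domains = registry[tag]
    sender_domain = from_addr.rpartition("@")[2].lower()
    # Mail from the service itself (including its subdomains) is expected.
    if any(sender_domain == d or sender_domain.endswith("." + d) for d in expected_domains):
        return None
    # Anyone else mailing this alias only obtained it via the service: leak evidence.
    return service, sender_domain


if __name__ == "__main__":
    print(attribute_leak(SAMPLE_SPAM))  # ('Play.com', 'email.gsn.com')
```

    A single hit proves only that the address travelled beyond the service; several people reporting the same tag and the same sender, as in this thread, is what turns it into evidence about the service rather than about one mailbox.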
  • Kilty
    Got this too to enquiries@mydomain - also a play.com customer account.
  • halfer
    @VariousArtists - I thought of using a fake credit card number, but one has to be careful with that sort of thing. It may be picked up by an automated system, and may look like you are intending to purchase goods on a fake number.

    Perhaps if you do it, email them to say you're doing it (and why), so they cannot later complain.
    • lizards
    • By lizards 20th Mar 11, 5:50 PM
    • 219 Posts
    • 62 Thanks
    I caught BT out in the same way too years ago! Glad it's not just me. Other culprits over the years are Ticketline, ThisIsLondon, Frontier Canada, Bunches by Post and Days Out Guide (the 2 for 1 attraction tickets if you travel by rail scheme)

    Definitely not a dictionary attack or I'd see stuff more often. Occasionally I do get things like this to a username I've never used, but it's not a company name ever - just random letters. This was clearly associated with Play - "play@" and "play247@".

    I'm not so sure there is a reduction in security as "bad people" would also have to know my domain name too. Most people use exactly the same email address for every company so that's less secure than a different one for each company even if part of it is based on the company name! So what I am saying is that if they were in a position to know my domain name, they'd also know my full hotmail etc address if I had one too.

    Not great PR for Play - never had a problem with them as a company, they've always been fine with me, so I'm a bit saddened by this.
  • halfer
    Not great PR for Play - never had a problem with them as a company, they've always been fine with me, so I'm a bit saddened by this.
    Originally posted by lizards
    Yeah, I agree. I switched to Play from Amazon recently, just at same time as my demand for music is expanding greatly (I am now a last.fm convert ). But I'll have to find another supplier if they can't even look after their customer data properly.
  • halfer
    Btw, a whois on the sender IP of the spam reveals - tah dah! - a marketing company, exacttarget.com. However a browse of their website suggests they're a legit outfit, so I wonder if their services may have been abused on a "try before you buy" temporary sign-up.
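    The whois step halfer mentions starts from the right IP, and which IP that is matters: the From: line is chosen by the sender, and so is every Received: line that was added before the mail reached a server you control. The following is an added example, not code from the thread: it reads the Received chain, lists the hops as the headers claim them, and separately returns the last hop that a trusted receiver (your own mail exchanger, or your provider's) recorded, which is the address worth looking up. The headers are constructed with RFC 5737 documentation addresses, so no real host is named, and the trusted host names are assumptions for the example.

```python
import ipaddress
import re
from email import message_from_string
from typing import Iterable, List, Optional

# Networks that can never be the originating public sender: RFC 1918 private
# space, loopback and link-local. Checked explicitly rather than through
# ip_address(...).is_global because the RFC 5737 documentation ranges used in
# the constructed sample below are also "non-global" to that test.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed headers in the shape a bulk-mail delivery leaves behind. The
# topmost Received line is the one added by the recipient's own mail exchanger
# (mail.mydomain.example, an assumed name); lines below it were written by
# other parties and could have been forged by the sender.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.mydomain.example with ESMTP id abc123;
\tSun, 20 Mar 2011 09:12:01 +0000
Received: from bulk-sender.example.org (bulk-sender.example.org [203.0.113.45])
\tby mx.example.net with ESMTPS id def456;
\tSun, 20 Mar 2011 09:11:58 +0000
Received: from [10.0.0.5] (internal-relay.local [10.0.0.5])
\tby bulk-sender.example.org with ESMTP id ghi789;
\tSun, 20 Mar 2011 09:11:50 +0000
From: GSN - Play Every Day <GSNnews@email.gsn.com>
Subject: Upgrade Available Now

body
"""

_IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_chain(raw_message: str) -> List[str]:
    """IPv4 addresses named in the Received headers, earliest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Headers are prepended as the mail travels, so reverse for delivery order.
    for header in reversed(msg.get_all("Received", [])):
        match = _IPV4_IN_BRACKETS.search(header)
        if match:
            hops.append(match.group(1))
    return hops


def claimed_origin(raw_message: str) -> Optional[str]:
    """Earliest hop outside internal address space, as the headers claim it.
    Useful for a first look, but anything below your own server's line is
    unverified."""
    for ip_text in received_chain(raw_message):
        ip = ipaddress.ip_address(ip_text)
        if not any(ip in net for net in INTERNAL_NETS):
            return ip_text
    return None


def last_trusted_hop(raw_message: str, trusted_receivers: Iterable[str]) -> Optional[str]:
    """Walk from the newest Received line downward while the 'by' host is one
    we trust, and return the 'from' IP of the last such line: the address that
    handed the mail to our trust boundary, and the one to run whois against."""
    trusted = {h.lower() for h in trusted_receivers}
    msg = message_from_string(raw_message)
    result = None
    for header in msg.get_all("Received", []):  # newest first
        by = _BY_HOST.search(header)
        if not by or by.group(1).lower() not in trusted:
            break
        ip = _IPV4_IN_BRACKETS.search(header)
        if ip:
            result = ip.group(1)
    return result


if __name__ == "__main__":
    print(received_chain(SAMPLE_HEADERS))
    print(claimed_origin(SAMPLE_HEADERS))
    print(last_trusted_hop(SAMPLE_HEADERS, {"mail.mydomain.example"}))
```

    With only your own exchanger trusted, the answer is the relay that connected to you; adding your provider's MX to the trusted set lets the walk go one hop further. The whois lookup itself is a network step and is left out here.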
  • shadowcode
    Hello all,
    it seems like there is more going on.

    What *may* have happened is that play.com's database has been hacked and has been sold illegally. I'm also afraid that the passwords were stored in plaintext, or very poorly encrypted.

    The reason therefore is that it seems that Gold Farmers have also gotten their hands on the account info, as this morning my Battle.net account was compromised and my World of Warcraft account was taken over and used for spam. Since I haven't played/logged in for 5 years and my credentials for play.com and World of Warcraft happen to be the same, this is a little bit too coincidental for my taste. I think they are related.

    If it's true that play.com has been hacked and that they have been stupid enough to store the username/password combination in plaintext, then it is truly grave news.

    (note: I tried linking some of the keywords above to Wikipedia, just in case someone is not familiar with the wonderful world of computer games, unfortunately the forum does not allow me to use links)
  • halfer
    Hmm, I think I will request a new card from my bank tomorrow - my registered play.com card was a debit card, not a credit card. Still, no evidence that credit card details have leaked - just emails at the mo, as far as I know.
  • halfer
    Aha, over here too:

    http:// rockpapershotgun.com/rpsforum/topic.php?id=4282

    (Remove space to get the URL working again - can't post links here, boooh!)
  • Internet Pawn
    Got the same email to playcom@[mydomain]. Play.com were totally unconcerned about it. Here's their reply to me:

    "
    Thank you for your email.

    Please be advised that our database is maintained on a secure internal server that is not connected to the internet. No unauthorised access of any kind is available to the network.

    In addition to this our website is a BT Trust Services Secure Site. All information sent to this site while in an SSL session is encrypted, protecting against disclosure to third parties. Please be aware the Verisign Secure Sign is an independent recognition of our security, and Play.com offers a totally secure shopping environment.

    If you have any further queries please consult the FAQ section of our Help pages. Alternatively you can contact our Customer Support Team on 0845 800 1020 (UK only) or +44 (0)1534 877 595 (outside UK). Our opening hours are 9am - 8pm Monday to Friday and 9am - 5pm Saturday and Sunday.

    We hope you find this information reassuring and useful.

    Kind Regards,

    Customer Support Team
    Play.com"

    I'm not impressed, to say the least, particularly as it now seems I'm not the first to let them know. We need to keep this thread updated, if we want Play.com to take this seriously.
  • garb
    Please be advised that our database is maintained on a secure internal server that is not connected to the internet. No unauthorised access of any kind is available to the network.
    Originally posted by Internet Pawn
    if it's not connected to the internet how do they authorise a log in from the website? Squirrels running back and forth with post-it notes?

    If the server is secure from the outside.. then they may have been attacked from the inside. Guess we'll find out tomorrow!
    • JimmyJim
    • By JimmyJim 20th Mar 11, 7:27 PM
    • 3 Posts
    • 0 Thanks
    I also had the email sent to me and I have a separate email address only used for Play.com. Only good thing is that my credit card has expired on their system
    • Shuttle
    • By Shuttle 20th Mar 11, 7:48 PM
    • 2 Posts
    • 0 Thanks
    Got the same email to playcom@[mydomain]. Play.com were totally unconcerned about it. Here's their reply to me:

    "
    Thank you for your email.

    Please be advised that our database is maintained on a secure internal server that is not connected to the internet. No unauthorised access of any kind is available to the network.

    In addition to this our website is a BT Trust Services Secure Site. All information sent to this site while in an SSL session is encrypted, protecting against disclosure to third parties. Please be aware the Verisign Secure Sign is an independent recognition of our security, and Play.com offers a totally secure shopping environment.

    If you have any further queries please consult the FAQ section of our Help pages. Alternatively you can contact our Customer Support Team on 0845 800 1020 (UK only) or +44 (0)1534 877 595 (outside UK). Our opening hours are 9am - 8pm Monday to Friday and 9am - 5pm Saturday and Sunday.

    We hope you find this information reassuring and useful.

    Kind Regards,

    Customer Support Team
    Play.com"

    I'm not impressed, to say the least, particularly as it now seems I'm not the first to let them know. We need to keep this thread updated, if we want Play.com to take this seriously.
    Originally posted by Internet Pawn
    I received exactly the same reply from play.com (re: the GSNnews e-mail), and I too am not impressed.

    Let's hope that they are now starting to take things seriously!

    mb
  • halfer
    if it's not connected to the internet how do they authorise a log in from the website? Squirrels running back and forth with post-it notes?
    Originally posted by garb
    This is possible to achieve - some companies don't permit any connections to their db server from the internet, and then only database connections, not login connections, from their local network (including the web server). This does make things more secure.

    That all said, I was already 95% convinced that they've had a data leak when my email address was compromised. Now that a good number of people have stepped forward with the same issue, I am 100% certain. Their automated response is someone without full possession of the facts, and he/she will initially bat complaints away assuming that they're from people who shouldn't be allowed to own a computer in the first place.

    However, once they look into it they won't be able to hold that line for very long. Let's hope they look into it properly tomorrow.
    • Dagobert
    • By Dagobert 20th Mar 11, 8:25 PM
    • 1,615 Posts
    • 538 Thanks
    I too received the spam email from GSN to an email address which I created specifically for my account at Play.com.

    When I sent a complaint to privacy@play.com I received exactly the same boilerplate response that Internet Pawn received.

    I think there are three ways my email address could have been compromised:
    1. Lax security at play.com
    2. An employee at Play covertly sold my address (a variation of 1.)
    3. Play Holdings Ltd. knowingly sold my email address.

    If it is (3), then that contravenes their own Privacy Policy, I quote
    We will not sell, distribute or disclose information about you or your personal usage of the Site without your express consent or unless required or permitted to do so by law. **
    I have sent a further email to the privacy email address which I have CC'ed to the Play CEO John Perkins.

    I will not do business with a company who cannot take care of my details.


    ** hxxp://www.play.com/Help.html?page=priv
    Change "hxxp" to "http" for link to work.
    Dagobert
    • Pound
    • By Pound 20th Mar 11, 8:41 PM
    • 2,683 Posts
    • 1,341 Thanks
    What *may* have happened is that play.com's database has been hacked and has been sold illegally. I'm also afraid that the passwords were stored in plaintext, or very poorly encrypted.
    Originally posted by shadowcode
    It's common for websites to hash the passwords, but not all websites do this. Even when it's hashed there are programs out there that will try and crack the hashes and will find any weak passwords.
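    Pound's point is the difference between "hashed" and "hashed properly". The following is an added example, not code from the thread: it puts an unsalted single-pass SHA-256 store beside a store that uses a random per-user salt and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from Python's standard library), and shows the one weakness that is visible without any cracking at all, namely that identical passwords produce identical values in the naive store. The user names and the weak password are constructed; the iteration count is an assumption to be tuned to your own hardware.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. 600,000 matches OWASP's Password Storage
# Cheat Sheet guidance at the time of writing; raise it as hardware allows.
ITERATIONS = 600_000


def naive_hash(password: str) -> str:
    """Unsalted, single-pass SHA-256: 'hashed' in name only. Identical passwords
    give identical values, and a fast hash is cheap to test against a wordlist,
    which is exactly what the cracking programs Pound mentions do."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Per-user random salt plus a slow KDF, stored self-describing so the
    work factor can be raised later without re-hashing everyone at once."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_passwords_visible(user_store: Dict[str, str]) -> bool:
    """True if the stored values alone reveal that two users share a password,
    the first thing anyone holding a dumped table would check."""
    values = list(user_store.values())
    return len(values) != len(set(values))


def demo() -> Dict[str, bool]:
    # Constructed sample users; both picked the same weak password.
    weak = "password123"
    naive_store = {"alice": naive_hash(weak), "bob": naive_hash(weak)}
    salted_store = {"alice": hash_password(weak), "bob": hash_password(weak)}
    return {
        "naive_reveals_shared_password": shared_passwords_visible(naive_store),
        "salted_reveals_shared_password": shared_passwords_visible(salted_store),
        "salted_verifies_correct_password": verify_password(weak, salted_store["alice"]),
        "salted_rejects_wrong_password": verify_password("Password123", salted_store["alice"]),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

    Salting and a high work factor do not rescue a password like the one above; they only make each guess cost the attacker real time and stop one cracked hash from unlocking every account that reused it. A memory-hard function (scrypt or Argon2) is the better choice where a library is available; PBKDF2 is used here because hashlib ships it everywhere.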

    • Pound
    • By Pound 20th Mar 11, 8:45 PM
    • 2,683 Posts
    • 1,341 Thanks
    if it's not connected to the internet how do they authorise a log in from the website? Squirrels running back and forth with post-it notes?
    Originally posted by garb
    I guess it means there's no direct connection to the Internet and it only accepts connections from their web servers which offers some but not complete security. A weakness in the web server could allow access to the database.
  • capate
    Here's their reply to me:

    "
    Thank you for your email.

    Please be advised that our database is maintained on a secure internal server that is not connected to the internet. No unauthorised access of any kind is available to the network.

    In addition to this our website is a BT Trust Services Secure Site. All information sent to this site while in an SSL session is encrypted, protecting against disclosure to third parties. Please be aware the Verisign Secure Sign is an independent recognition of our security, and Play.com offers a totally secure shopping environment.

    If you have any further queries please consult the FAQ section of our Help pages. Alternatively you can contact our Customer Support Team on 0845 800 1020 (UK only) or +44 (0)1534 877 595 (outside UK). Our opening hours are 9am - 8pm Monday to Friday and 9am - 5pm Saturday and Sunday.

    We hope you find this information reassuring and useful.

    Kind Regards,

    Customer Support Team
    Play.com"
    Originally posted by Internet Pawn
    One of the problems I have with customer service departments nowadays is that their main function no longer appears to be helping the customer but to mitigate the company's position.

    Reading the email they have sent you, it doesn't actually say that they haven't been compromised/hacked.

    It reads more like their standard boilerplate covering or queries raised about online security.
    • GuiltyCol
    • By GuiltyCol 20th Mar 11, 9:55 PM
    • 5 Posts
    • 2 Thanks
    I got their stock (and anonymous!) answer too. Worse, when I replied, it bounced as the info@play.com is an unattended email account. Shambles.
  • Tamlync
    Bah..

    You guys did better than me!

    I copied the text from GuiltyCol post, went to play.com and found their "report a website fault" area.

    Pasted in the text there and submitted it..


    A few hours later I get this as their reply.

    Dear *my name*,

    Thank you for your email.

    We are sorry to hear you are receiving unwanted emails. We have made a request to remove you from all play.com mailing lists this may take up to 10 days before it can come into effect.

    Once again, please accept our apologies for any inconvenience caused to you in this matter and thank you for your patience and valued custom.

    Kind Regards,

    Customer Care Team

    Play.com
    Fools...