Welcome to the MSE Forums

  • FIRST POST
    • DonnyDave
    • By DonnyDave 20th Mar 11, 2:20 PM
    • 1,568Posts
    • 438Thanks
    DonnyDave
    Spam from "GSN" to e-mail address registered on Play.com
    I have just received a spam message to play@mydomain which has only ever been given to online retailer Play.com:


    From: GSN - Play Every Day <GSNnews@email.gsn.com>
    Subject: Get more done, much faster, with Acrobat X PDF Reader. Upgrade Available Now
    __________
    GETTING MORE DONE AT WORK NOW COMES IN A CONVENIENT BOX

    See how Adobe Acrobat X Reader is a step above anything you've experienced before, so you can be even more productive.

    Upgrade now: <spam link removed>

    Just how much faster can you work with Adobe Acrobat PDF Reader
    software? Fast enough to stay on top of last-minute changes, connect
    with key decision makers, and share updates with co-workers.

    You'll discover how easy it is to reuse content by exporting PDF files
    to Microsoft Word or Excel formats. And how quickly you can automate
    multi-step tasks with new, guided Actions. No wonder PC Magazine
    says, "There's a lot to like in Acrobat X PDF Reader." See for yourself at :

    <spam link removed>

    Copyright 2011 Adobe Systems Incorporated. All rights reserved.

    Adobe Systems Incorporated
    343 Preston Street
    Ottawa, ON K1S 1N4
    Canada
    I am concerned that this may be as a result of a security breach at Play.com.
    Last edited by DonnyDave; 20-03-2011 at 11:09 PM. Reason: Link removed
    Dave
    Say no to 0870!
  • spiffer
    There's another possibility I don't think anyone's mentioned yet, and there's a clue on play.com's site:

    Sharing data

    We have business and technical partners whom we share data with to handle orders, process credit and debit card payments and provide a range of services, including for fraud protection purposes. They are bound by Data Protection covenants and must process the personal information in accordance with this Privacy Policy and the Data Protection Laws of Luxembourg.

    In case any fraudulent activity is detected on the website, or, without limitation, in connection with the breach of intellectual property rights through the use of the website, we may release personal information in order to comply with any applicable regulation or assert our rights as well as our business partners’.
    So a breach at a third party is a possibility. The good news is it would be unlikely to include more sensitive data like passwords or credit card details. Not that this would absolve play.com of responsibility of course.

    Also, the network attack vectors (e.g. compromised web server) already mentioned aren't that likely. A dump of the data handed to someone in the marketing department and then sold on or lost on a usb drive are much more likely (and I know from experience as a db admin that it does happen, even if you try to say "no"). So all this stuff about network security actually doesn't mean much.
    Last edited by spiffer; 20-03-2011 at 10:11 PM.
  • dragonmeat
    Got the same email to playcom@[mydomain]. Play.com were totally unconcerned about it. Here's their reply to me:

    <snip>

    I'm not impressed, to say the least, particularly as it now seems I'm not the first to let them know. We need to keep this thread updated, if we want Play.com to take this seriously.
    Originally posted by Internet Pawn


    I had almost exactly the same response from Play; it contained the additional paragraph
    Upon checking your account on our system, we can confirm that your details are secured and that there are no irregularities that may cause for alarm.

    A very bold statement to make! I wrote back saying I wasn't at all happy with their response (which is at best technically incorrect) and they've sent me a further reply. To be fair, it sounds like the incident is now on its way to someone who might understand security. They're going to have a fun day tomorrow.
  • dragonmeat
    So a breach at a third party is a possibility. The good news is it would be unlikely to include more sensitive data like passwords or credit card details. Not that this would absolve play.com of responsibility of course.
    Originally posted by spiffer
    I agree. If a third-party breach does turn out to be the cause, I hope it makes Play et al. think twice before selling their users' details to 'carefully selected business partners'. Even if they declare this in their privacy policy, they are failing in their duty of care to their customers if the information falls into the wrong hands and ultimately, they will be the ones who will take the resulting reputation hit.
  • olemartinorg
    A dump of the data handed to someone in the marketing department and then sold on or lost on a usb drive are much more likely (and I know from experience as a db admin that it does happen, even if you try to say "no"). So all this stuff about network security actually doesn't mean much.
    Originally posted by spiffer
    I'll confirm that! I once found a full database dump on the public web server for a certain international TV channel's web site. All those passwords were in plain text, and I found more than half a million unique e-mail addresses from a recent competition they hosted.

    So yeah, I found you all via Google - after I came to doubt the same generic reply I got from Play.com after I sent them an email earlier today. Also, my Firefox tells me that official-adobe-acrobatx.com is now listed as a phishing web site - good job folks!

    On a final note: as far as I can tell, a link on the site points in the direction that the marketbay.com affiliate marketing site is involved. I've sent them an email, but I'm still awaiting a reply.
  • halfer
    Bah, at least you lot are getting replies! Not a sausage back from play.com from me

    I'll give 'em to Wednesday, and then will start blogging about it. More coverage the better.
  • halfer
    I've emailed ExactTarget, the marketer whose servers were used; will notify here if I get any juicy info from them. (Did anyone get this spam from a sender other than ExactTarget, out of interest?)
  • halfer
    You gotta love social media. Quick, play.com, do something! Your reputation is dissolving.

    twitter.com/search?q=play.com%20spam
    • aerostar
    • By aerostar 21st Mar 11, 12:13 PM
    • 1,684 Posts
    • 895 Thanks
    aerostar
    I monitor some friends' e-mails for spam etc., and have seen this 4 times, one to my own unique play.com address. I bounced all the e-mails back to the sender.
    • Ghost
    • By Ghost 21st Mar 11, 1:24 PM
    • 301 Posts
    • 164 Thanks
    Ghost
    I received this spam email yesterday too. It's not an address that I exclusively use for Play but it is an address that I use exclusively for online shopping and is (up to now) 100% spam free. I can only conclude that this breach is the fault of Play as so many other members can prove it's them.
    "He who asks questions cannot avoid the answers"
    • littlerat
    • By littlerat 21st Mar 11, 1:26 PM
    • 1,673 Posts
    • 3,157 Thanks
    littlerat
    I had the email today. But I use the same email for most things, so could've gotten it from any of the comps I've entered etc.

    There's a topic here: http://www.gsn.com/forums/showthread.php?t=891&page=2&

    It seems GSN is a legitimate company, but this email obviously isn't. Also plenty there haven't used Play... so who knows.
  • Miss Qwerty
    I can confirm it isn't a Dictionary @ Domain search, I received one of these to the email address that I use at work (myname)@(specific company name).

    This is the email address I had given to Play (And I don't use for comps or anything), but luckily I hadn't purchased anything since 2009 so my card details have expired.
  • rocklobster
    I also got one to an address that is my initials and name @ company name - so it's not a dictionary attack or a play@everythingtheycanthinkof attack...

    Interestingly, looks like netcraft aren't getting much joy from them either

    http://news.netcraft.com/archives/2011/03/21/play-com-customer-emails-leaked.html
    • MSE Archna
    • By MSE Archna 21st Mar 11, 6:09 PM
    • 1,874 Posts
    • 6,140 Thanks
    MSE Archna
    Hi all,

    Play has seen the thread and has asked us to post the following message:


    Email Security Message

    We are emailing all our customers to let you know that a company that handle part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.

    We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.

    Please be assured we have taken every step to ensure this doesn’t happen again and accept our apologies for any inconvenience this may have caused some of you.

    Customer Advice

    Please do be vigilant with your email and personal information when using the internet. At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. If you receive anything suspicious in your email, please do not click on any links and forward the email on to privacy@play.com for us to investigate.

    Thank you for continuing to shop at Play.com and we look forward to serving you in the future.

    The Play.com Customer Service Team
    Report inappropriate posts: forumteam@moneysavingexpert.com




  • No1
    "Please be assured this issue has occurred outside of Play"

    Well....that's all right then.

    I too have received this email today to a unique address used for Play.com
    • DonnyDave
    • By DonnyDave 21st Mar 11, 7:08 PM
    • 1,568 Posts
    • 438 Thanks
    DonnyDave
    "Please be assured this issue has occurred outside of Play"

    Well....that's all right then.
    Originally posted by No1
    I think that it's important to quote the sentence in full, so as not to take this comment in red out of context:

    Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.

    The assurance is of the fact that no other personal information is involved, something which I think is the issue of greatest concern to Play.com customers.

    This in no way mitigates what has happened, as no one would wish their e-mail address to fall into a spammer's hands. But it does confirm that no other information, such as passwords and credit card numbers, has been compromised.
    Dave
    Say no to 0870!
  • dragonmeat
    Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.
    Originally posted by Play.com
    Phew - I was worried for a moment that my personal details had been lost, whereas in reality all that's happened is that my personal details have been lost.
  • Internet Pawn
    Hi all,

    Play has seen the thread and has asked us to post the following message:


    Email Security Message

    We are emailing all our customers to let you know that a company that handle part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised. <snip>
    Originally posted by MSE Archna
    This is from play.com's privacy policy:
    "We have business and technical partners whom we share data with to handle orders, process credit and debit card payments and provide a range of services, including for fraud protection purposes. They are bound by Data Protection covenants and must process the personal information in accordance with this Privacy Policy and the Data Protection Laws of Luxembourg."
    I'm not sure a court would agree that passing data to a marketing agency comes within the definition of 'a range of services, including for fraud protection purposes.' Marketing has nothing whatsoever to do with any of the activities listed and their policy can't be interpreted as giving play.com the right to share our data with all and sundry. Far from resolving the issue, all their statement does is confirm their complicity in passing on our email addresses to third parties.

    Oh yeah, and what's with the 'may have been compromised' comment? Do they not yet accept that our data has leaked?
  • Miss Qwerty

    Customer Advice

    Please do be vigilant with your email and personal information when using the internet.
    Originally posted by MSE Archna
    Bah ha ha, would that involve never using your website again?
    • Shuttle
    • By Shuttle 21st Mar 11, 9:38 PM
    • 2 Posts
    • 0 Thanks
    Shuttle
    Hopefully Play.com will name the "company that handle part of our marketing communications" so that we (and hopefully Play) can avoid them in the future

    I await their apology.

    mb
  • jgxenite
    Silverpop handles play.com's email campaigns (Google silverpop play.com). However, GSN's email campaigns are run by ExactTarget. As far as I'm aware, these two companies aren't one and the same, so you have to ask: how did a play.com customer email get from Silverpop to ExactTarget?