The online media retailer Play has e-mailed customers notifying them that a company they use has suffered a security breach. This has led to the compromise of some personal data – Names and e-mail addresses.
Play have sought to reassure customers that the breach happened outside of Plays systems and that no other data has been compromised.
The most likely use for the compromised data would be marketing, but it could also be used to help lend credibility to any phishing emails the attacker may send. Given the source of the data, any unsolicited mail is likely to purport to be a Play.com communication.
Users should be aware that such e-mails may be received, and that they should verify the legitimacy of any e-mails received. As Play.com’s email states, Play will never ask users (by email, at least) for passwords, banking details or credit/debit card numbers.
Play have asked that any suspicious emails be forwarded to firstname.lastname@example.org so that they can investigate and then (if necessary) alert other users that a targeted campaign is underway.
The Register is reporting that users have been receiving e-mails pushing malware from an address usually used by Play. I’ve not received any such emails myself, so can’t confirm.
Play have given the name of the company who suffered the breach, it was Silverpop. They're no stranger to this kind of breach, having had similar in 2010. What's equally aggravating is that there's no mention of the breach on their site, much less an apology!