Play.com spam points to malware downloads

Multiple Reg readers were annoyed at receiving junk mail messages on Monday from addresses they had only registered with online retailer Play.com. Several of these junk mail sites pointed to black hat controlled domains that served up malware, heightening complaints on online forums (discussion on MoneySavingExpert here) and …

COMMENTS

This topic is closed for new posts.
  1. DPWDC
    Thumb Up

    I'm one of those nerds

    That uses a different address for each website - very useful for seeing who your spam comes from, but more useful for seeing the attitude of the company when you tell them "wasn't our fault, you must be mistaken", and the tech ability of the staff when you have to actually speak to them...

    "Are you SURE your email address is sky@*****.co.uk".

    1. Leona A
      Headmaster

      another Nerd(ette?)

      Another Nerd(ette?) here, I use the same system, it doesn't cost much to buy your own domain, then you can use unique addresses for each website. I do this, and once it's breached, change the address and you can force the old one to bounce, you also know which site has had its security breached (or sell your details without your consent) and you can then make a choice whether to continue using that site since they don't seem to take security (or your privacy) seriously. Words (and excuses) mean nothing, actions speak louder, if they're selling your email addresses, what else are they doing, ie do you store your card details with them? Food for thought.

      1. This post has been deleted by its author

        1. Anonymous Coward
          Anonymous Coward

          Re Amazon

          Yup - I have noticed the same from Amazon - must have been a marketplace purchase :-(

    2. Code Monkey
      Thumb Up

      I didn't think I was a nerd for doing that, but...

      ...if the cap fits...

      Another "me too" but it is dashed useful. And having a Demon account means I can do it without running my own domain. Actually I s'pose having a Demon account in 2011 is quite nerdy. Well I can live with that.

    3. Wild Bill

      Can't be bothered with all that

      I've used one Yahoo email address for everything for ages. I don't get any spam.
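
The per-site address scheme described in the comments above can be checked mechanically against a mail log. The following is an added example, not part of the original thread; the domain `example.org`, the alias register and the sample records are all constructed for illustration.

```python
from collections import defaultdict
from email.utils import parseaddr

MY_DOMAIN = "example.org"   # assumption: your own catch-all domain

# Constructed register: alias -> sender domains that were given this address.
ALIASES = {
    "play": {"play.com"},
    "bookshop": {"bookshop.example"},
}
RETIRED = {"oldforum"}      # aliases already burned and set to bounce


def sender_domain(from_header):
    """Lower-cased domain of a From header, or '' if it cannot be parsed."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_expected(domain, allowed):
    """True if domain is an allowed domain or a subdomain of one."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def classify(rcpt, from_header):
    """Return (alias, status) for one delivered message."""
    local, _, dom = rcpt.lower().rpartition("@")
    if dom != MY_DOMAIN:
        return (None, "foreign")
    if local in RETIRED:
        return (local, "retired")
    if local not in ALIASES:
        return (local, "unknown")
    # The alias names whoever held the address; From only says who is using it.
    # A forged From naming the expected domain is not caught here: that needs
    # the SPF/DKIM results as well.
    ok = is_expected(sender_domain(from_header), ALIASES[local])
    return (local, "expected" if ok else "leaked")


def leak_report(records):
    """Map each leaked alias to the unexpected sender domains seen on it."""
    leaked = defaultdict(set)
    for rcpt, from_header in records:
        alias, status = classify(rcpt, from_header)
        if status == "leaked":
            leaked[alias].add(sender_domain(from_header) or "(unparsable)")
    return {alias: sorted(doms) for alias, doms in leaked.items()}


# Constructed sample: (envelope recipient, From header) pairs from a mail log.
SAMPLE = [
    ("play@example.org", "Play.com <newsletter@email.play.com>"),
    ("play@example.org", '"Adobe Update" <news@gsn.com>'),
    ("bookshop@example.org", "orders@bookshop.example"),
    ("oldforum@example.org", "promo@pills.example"),
    ("PLAY@Example.ORG", "offers@gsn.com"),
    ("random@example.org", "x@spam.example"),
]

if __name__ == "__main__":
    for alias, senders in leak_report(SAMPLE).items():
        print(f"{alias}@{MY_DOMAIN} was given only to {sorted(ALIASES[alias])}, "
              f"but received mail from {senders}")
```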

  2. JakeyC
    FAIL

    Spam 'from' GSN?

    I received this lame apology from Play too. Really annoyed, because I'd kept my address 'clean' for years and now through no fault of my own it's going to get a ton of spam and I need to change passwords etc.

    Interesting that you mention the GSN link because I got spam yesterday purporting to be *from* GSN (offering Acrobat X PDF Reader). I've never been to GSN.com in my life let alone signed up.

    I haven't bought anything from Play in a couple of years now, but certainly won't be again after this!

    1. Slasher
      Paris Hilton

      GSN again

      I got one from GSN as well. I've never been there so emails from them are now blocked. At least now I know why. I have bought from Play, but never again. If you value your customers' privacy and their details why outsource to another company? Well? Care to answer that one Play? Obviously profit comes before privacy. I shall be telling play to delete my account forthwith. Yes, I use different addresses for different sites as well, so another nerd here and proud of it:-)

      Paris. Well why not:-)

  3. Whitter
    Thumb Down

    Shoddy excuse

    A 3rd party breach is still their responsibility.

    1. Anonymous Coward
      Anonymous Coward

      Really?

      And how do you suggest they police or mitigate that?

  4. John Tappin
    WTF?

    GSN spam

    I got the GSN spam but I have never registered with the site - it's not so clear cut...

  5. En_croute

    Apology email received

    Dear Customer,

    Email Security Message

    We are emailing all our customers to let you know that a company that handles part of our marketing communications has had a security breach. Unfortunately this has meant that some customer names and email addresses may have been compromised.

    We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com and no other personal customer information has been involved.

    Please be assured we have taken every step to ensure this doesn’t happen again and accept our apologies for any inconvenience this may have caused some of you.

    Customer Advice

    Please do be vigilant with your email and personal information when using the internet. At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. If you receive anything suspicious in your email, please do not click on any links and forward the email on to privacy@play.com for us to investigate.

    Thank you for continuing to shop at Play.com and we look forward to serving you in the future.

    Play.com Customer Service Team

    1. umacf24
      WTF?

      No credit cards?

      "At Play.com we will never ask you for information such as passwords, bank account details or credit card numbers. "

      So how do you buy stuff without telling them the credit card number?

  6. lansalot

    me too

    Got the email from Play (regular customer, doesn't sound like it's their fault tho), and got the Acrobat X spam from GSN (never been there before, never heard of that site) as well...

    1. Leona A
      Unhappy

      it IS their fault

      as they passed your details on, hence it's down to them, their responsibility.

  7. TeeCee Gold badge
    Grenade

    "....a fake Adobe update that actually contained a Trojan."

    As opposed to a real Adobe update that actually contains yet another bloody browser toolbar then?

    I prefer the fake ones, at least the sodding AV tools don't let the unwanted bits through....

    1. BristolBachelor Gold badge
      Joke

      Fake adobe

      Maybe it will do less damage to your computer too!

      (Still hurting after spending 2 days recovering a PC after a "routine update" to Bridge.)

  8. groovyf

    Hmmmmmm

    Also got the fake mail from GSN, and it's a site I've never been to, nor even heard of before.

    No email from Play.com though as yet.

  9. ahnlak
    Thumb Down

    "Please do be vigilant with your email and personal information when using the internet"

    Presumably as part of "being vigilant" with my personal information, I should avoid doing any business with a company that manages to hand it over to a third party who promptly gets it nicked.

    While I'm sure that's just their standard boilerplate privacy crap, they probably should have thought about leaving out the instructions to be careful with our personal information when sending out an email telling us they've just lost our personal information.

  10. Kevin 43
    Grenade

    How often

    do we see the words "marketing" and "security breach" in the same sentence...

  11. Rich Wood

    Not just limited to marketing lists?

    Several copies of the spam seen here, one to an account that is specific to Play, and one used with Play but which isn't on their newsletter/marketing lists.

    Either it's more widespread than just Play, or as I suspect it's not just limited to their marketing lists.

    After 11 years, looks like it might be time to close my Play account.

  12. BristolBachelor Gold badge
    Coat

    We take privacy and security very seriously...

    ...and that's why we sent all your email addresses to some marketing scum who don't give 2-hoots about privacy, security, ethics....

  13. Fuh Quit

    Hmm

    I use throwaways for each registration but don't actually read anything coming from Play.com

    Looking at my deleted emails in gmail from Play, I see no apology but my gmail decided the email from GSN was spam.

    I assume Play.com are hashing the stored passwords with something decent and don't share that with GSN? There's no need to share that field of a database.........

  14. Andrew Moore
    Unhappy

    No play.com apology for me...

    And I only ordered something from them last Wednesday...

  15. Tech monkey
    Grenade

    Great

    They also save the credit card numbers so it would be safer to assume that's also out on the street.

    1. Juillen 1

      Now why...

      would you think a company that employs a PR company to do its marketing would furnish them with all the credit card details of all the subscribers?

      Do you hand over your date of birth, address, phone number and national insurance details when you buy a pint of milk with cash?

      1. Anonymous Coward
        Linux

        Credit cards

        The credit cards won't be given to the marketing agency. This would be a breach of many things and their merchant accounts would be removed.

        Play.com doesn't store actual card numbers but a merchant token that allows them to process transactions. Even this if stolen is useless.

  16. AndrueC Silver badge
    Thumb Down

    Me too

    Yeah I got one of these last night claiming to be an Adobe Acrobat update. The thought of Play and Adobe working together over anything meant I was never going to follow the link even if I'd been tempted.

  17. probedb

    Nothing here?

    No spam emails or messages from play and I've been registered for years.....with a play specific email address as well.

  18. RJ

    Wow

    They really want me to be assured don't they.

    If they really want me to be assured don't partner with muppet companies that give out my details through incompetence!

  19. Smudged
    FAIL

    Rubbish apology

    I don't care if it was an external company, they were acting on behalf of Play so as far as I am concerned it is Play who are responsible. Plus, they don't need to tell me to be careful with my info, they need to tell themselves.

  20. groovyf
    Thumb Down

    SMS spam now (coincidental?)

    Oh, and just got a marketing text message from Optical Express (07537 400712)

    Again, someone who I've never dealt with - wonder if it's connected to this.

  21. F Cage

    Also got the spam

    Also a play.com customer - I got the GSN spam but spotted it as such straight away.

    Not had any apology from play.com though

  22. Anonymous Coward
    Grenade

    Great news

    They also store the credit card numbers of customers so it would be safer to assume that those are also on the street.

  23. Richard Boyce
    Thumb Down

    Paying someone else to take control is often unwise

    If the security breach is restricted to a third party company, then we should expect many more clients of that company to be affected. It's possible that GSN is not directly related. If/when we start seeing a large number of companies affected, all using the same marketing company, then we can let Play.com off the hook a little, but only a little.

    Retail companies have to remember that the buck stops with them, legally and morally, and also financially when customers vote with their feet. Outsourcing must never be out of sight and out of mind and a way to blame someone else.

    I've found that even large companies like Sainsbury's can lose control to marketing companies, so that customers effectively lose the ability to opt out and have to rely on filtering.

  24. AndrueC Silver badge
    Thumb Up

    It's sad...

    I also give everyone their own address. What I've noticed is that it's usually the smaller retailers that go bad. But it isn't always: my Avast address went bad a while back but I didn't get anywhere trying to explain it on their forums:

    http://forum.avast.com/index.php?topic=49786.0

    Admittedly I could perhaps have used a less contentious subject title but it was sad that no-one could see what I was getting at. Interestingly a quick look at my server logs shows that I don't get spam for that address any more. Other addresses do still generate spam (including some that are many years older) so my theory now is that it was marketing material and they were able to pull the address.

  25. Elmer Phud

    Acrobat?

    Ah well, those of us who won't touch Acrobat with someone else's barge-pole would have just ignored yet another 'update now' message.

    And those who do need to use their own schedule for updates (Sunday mornings is quite good while recovering from Saturdays) or use something like Secunia.

  26. squilookle

    I got the apology email from play

    And I got the GSN Adobe Update email.

    I won't be closing my account with play, but I think a strongly worded email demanding no more marketing and no passing of details onto third parties for marketing might be in order.

    I don't recall what options there were for marketing when signing up with play (I signed up a long time ago), but I'm always careful to opt out of marketing when signing up to things in general.

    1. Vometia

      Re: I got the apology email from play

      "I don't recall what options there were for marketing when signing up with play (I signed up a long time ago), but I'm always careful to opt out of marketing when signing up to things in general."

      I've noticed that whether or not the options are given, as often as not they subscribe you to their newsletters anyway: as someone pointed out a few comments back, unfortunately the smaller etailers seem to be worse for doing this sort of thing.

      As for Play, I complained to them when I received the GSN email and received an apology of sorts for their apparent marketing gaffe, but nothing to say that the contents were a bit dodgy. Just as well I binned it in the spam folder anyway, I suppose...

  27. paulb42

    GSN Spam

    I also got the Play apology, and GSN fake Adobe update spam - though interestingly the GSN email passed both SPF and DKIM tests, so it would appear they may well be either involved or compromised.

  28. JamieL
    Thumb Down

    So who leaked it then?

    Why not tell us who this "3rd party company" is - then we can all be careful not to do business with them. And any other retailers who use them can kick them off their supplier list.

  29. Anonymous Coward
    Anonymous Coward

    Similar problem with SVP

    I had a similar problem with SVP (www.svp.co.uk - formerly BlankDiscShop). Tried reporting it, got a brush off (couldn't be us otherwise more customers would be complaining). Still getting some low volume spam addressed to the unique address assigned to them.

    1. Bob the ubsubsidiser
      Unhappy

      SVP too

      Sounds like me.

      SVP lied and LIED and LIED about taking me off their lists.

      Only after legal threats did they remove me... only for random spam to appear at that address a few months later.

      Thanks for this post, I'll restart legal proceedings now I know it isn't just me.

  30. Cameron Colley

    So, another company I'll not deal with again.

    Now that they've admitted to selling my email address to a bunch of incompetent marketing scum, I'll not be buying anything from them again and shall ensure that anyone who mentions them hears of this.

    Shame, their prices were OK.

  31. Shakje

    Saw the apology this morning

    I've had a look through their T&Cs and can't find anything about marketing firms. I also can't find anything in my account settings to do with marketing (I'm pretty sure you have to provide an easy way to remove yourself from it if you don't untick the box when you join [something I always do anyway]), so isn't passing my details on to a marketing company kind of, well, illegal?

  32. The Infamous Grouse
    Alert

    Compromise: accidental or otherwise?

    No sign of any GSN or other junk mail yet but Mrs. Grouse did get the weakly apologetic and pathetically vague e-mail sent to her unique Play.com address.

    I can't help but notice the timing of this 'accidental' information leak. We're in a global recession with profits down almost everywhere, at the end of a financial year in which the traditionally bumper Christmas consumer spending spree was a lot lower than many expected. There have been rumours for months that Play have had problems that might result in the closure of PlayUSA. And it's quite possible George Osborne will use the upcoming Budget to change the rules on VAT-free traders operating from the Channel Islands and from outside the EU.

    Against this backdrop, a chunk of customer information of great monetary value to the bad guys is unexpectedly purloined from Play.com via an unnamed third party? I don't know about anyone else, but I detect something distinctly piscine wafting from the direction of Jersey and it's not the Beresford Fish Market.

  33. Martin Lyne
    FAIL

    Play

    I receive quite enough bloody mail from them as it is. Amazon too. Now they're giving my address out. Fun. Times.

    Seriously companies. One email per week should be your limit, unless it's a serious sale going off.

  34. Anonymous Coward
    Anonymous Coward

    It *is* Play.com's fault

    So they say "We take privacy and security very seriously and ensure all sensitive customer data is protected. Please be assured this issue has occurred outside of Play.com", which is a contradiction in itself. If they take security very seriously and ensure data is protected, then they wouldn't be giving it out to third parties in the first place.

    Goodbye play.com.

    1. Sarah Bee (Written by Reg staff)

      Re: It *is* Play.com's fault

      Hi folks - just to say please don't name possible third parties out loud on here. Email any thoughts on that to the author. Ta.

  35. Derichleau
    Stop

    Play.com well known to the Jersey Information Commissioners Office

    The Jersey ICO has received many complaints about Play.com but they never seem to do anything about them. The best thing to do is to submit a section 11 DPA98 request for Play.com to cease processing your personal data for direct marketing purposes.

    www.mindmydata.co.uk

    1. Andy Livingstone

      Jersey ICO

      From experience all I can say is that the Jersey ICO does a really good job. Actually does what is required. Makes the UK one look like the bunch of muppets that similar experience tells me that they are. Who else but them can write 3 pages to say "Yes"?

      As for Play.com, experience with them tends to suggest that their sales have grown larger than their systems and management can cope with. Wednesday's Budget might ease that problem a little for them.

  36. Anonymous Coward
    Anonymous Coward

    BandCD and others spam like mad

    I'm another one who uses separate email addresses to track who spams.

    grumbletext

    play.com

    svp

    applausestore

    guitarherofreesongscompetition

    icq (yes, that old!)

    cheapsmells (perfume retailer)

    prepaymania

    telephonepreferenceservice (ironically!)

    and bangcd are the ones off the top of my head who have leaked my address and spammed me.

    Bangcd in particular are funny. They denied it was them (email was only ever used with them), then they denied the unsubscribe wasn't working (it wasn't) then they said I had been removed from a mailing list I never asked to go on and six months later started spamming me again.

    I asked why they had lied and got told "

    We have become a victim of Industrial Sabotage using Spam email.

    Bang CD did not send, or authorise the sending of, this email.

    This mail was sent as a malicious attempt to have Bang CD de-listed due spamming.

    We have taken legal advice and are currently issuing proceeding to prevent this happening again."

    So these Saboteurs have cleverly copied their newsletter in its entirety including the domain it was sent from .. in an attempt to delist band cd for spamming.

    NO BANGCD. *YOU* SPAMMED ME YOU LYING CU*TS.

    1. AndrueC Silver badge
      Thumb Up

      My list

      These are the big names from my blacklist:

      T-Mobile, Readers Digest, Maplin, Empire Direct, ShopAcer, Pixmania, Friends Reunited, Avast, MBNA, Ovi Marketing

      Plus a dozen more mostly small businesses. Ironically no personal addresses at all.

      The Reader's Digest address went bad last week despite the fact I hadn't had any business with them for over four years. It's vaguely interesting checking my server logs out. One of the most frequent 'sources' is an address that's been blacklisted for nearly seven years. That disproves the idea that not replying will cause the spam to stop. I guess when I'm long dead and buried at least some trace of me will remain in the interwebs :)

    2. Rich Wood

      BangCD = Spammer

      BangCd "launched" themselves by spamming. I've never ever used them, and despite the source address having been blocked for years, they still try to spam me a couple of times a week.

  37. Lord_Tubz
    Flame

    Marketingfail.com

    I received the rubbish play.com email this morning, but nothing from GSN, and no Adobe update... will check it out later, but suspect that the ejjits have released more to the ether than they are telling us...

  38. Compact101

    Also BangCD

    BangCd also have something similar.

    BCD News [bcdnewsletter@bangcd.com]

    When I email them, they replied that someone is sending out their emails to discredit them/get them on a banned list.

    I receive a couple a day.

    Since they replied to my email quickly, I'm not going to cry over a few emails, especially when they are aware of the problem and trying to do something about it.

  39. Anonymous Coward
    Anonymous Coward

    Marketing subscription

    Funnily enough, I had cause to set up two Play.com accounts recently and I unsubscribed from marketing emails in only one of the accounts. I received an apology email to the subscribed account, but not to the unsubscribed one, so perhaps there is some logic to their mailings...

  40. MrOddwire
    FAIL

    Not the first time

    Play.com hold two unique e-mail addresses of mine (due to technical glitch creating the first account) and I've seen this happen last year (Mon 13/12/2010 21:21) when I received the spam written up here:

    http://www.webologist.co.uk/internet-security/scam-adobe-announces-new-version-upgrades-for-adobe-acrobat-2011

    It hit both addresses within seconds of each other. G*ts

  41. david wilson

    Disappointing

    Since a useless ISP had a security breach years ago where all my email addresses then being used ended up in the hands of junk mailers (though the ISP techs lied through their teeth despite overwhelming evidence, and denied a breach on their systems was possible), most of my main email addresses are already on various spam mail lists(*), so I'm not sure that play.com handing out one of them to someone who managed to let it escape is meaningfully increasing my personal exposure, even though it's a bit disappointing.

    *Though either spam filtering these days is awesomely effective, or continual failure to respond (or to have an enthusiastic email client touching any included weblinks) causes the spammers to lose interest over time.

    Years ago, I used to get dozens of spam mails every day, but the rate has dropped hugely - though it happened slowly enough to not be that obvious, I think I'm now down to well under one general sales spam per week getting through, and maybe a bank phishing mail every month, and that was before most of the recent botnet takedowns.

  42. Anonymous Coward
    Anonymous Coward

    OK, who's got a legit email from play.com recently??

    I'm just curious to know what ESP (email service provider) they usually use...not that they'd be connected to this in any way, just pure idle curiosity...

    If anyone has got a recent legit marketing email from play and could do a full header lookup, you'd make me a less curious man.....

    1. This post has been deleted by its author

  43. Anonymous Coward
    Jobs Halo

    Simples

    Stop trying to cream every last penny and keep things in-house.

  44. Anonymous Coward
    Jobs Halo

    HAHA,

    Their website has the following

    1. No apology

    2. A Verisign tick mark

    So we're all safe and valued punters then

  45. Anonymous Coward
    Stop

    O2 Breached Imho Too

    I have been receiving emails to the email address I use only with O2 for a number of months now. The latest being this same Adobe rubbish. I wonder if they share a marketing company? I will be blacklisting the O2 address as I am now with Vodafone.

  46. Anonymous Coward
    Anonymous Coward

    How can I get rich off this?

    Long ago I decided to stop dealing with Play.com, probably because of their spammy attitude. No, I remember now, they used to be really good, but then something changed there and they just became another faceless company who clearly didn't give a shit.

    It used to be the case that if you ordered an album that was to be released on a Monday, it would arrive the Friday or Saturday before every time. At some point this stopped happening, and in fact deliveries got slow - when I queried it once they just hid behind their T&C. Bollocks to that nonsense. Play ruined themselves, and it became more convenient to just go to a normal shop!

    At least with normal shops, they don't need your name and address which will end up inevitably being abused.

    At some point play stopped viewing customers as customers, and started dealing with them as if they were consumers. Consumers are a useful device for describing markets, but they are not the same as humans.

    The average consumer has one and a bit legs and arms, one and a bit balls, one and a bit boobs, etc.. Consumers do not exist, customers do. And if I feel I am being treated like a number, I stop dealing with the company and never go back.

    Long ago I told Play to delete all my personal data and remove all records that I had ever done business with them. They continued to spam, and I thought about grassing them up to the data protection lot, but did not.

    But now I find out they have been using 3rd party companies to spam people? I do not do business with companies that share data, but from what I saw on Netcraft's blog the 3rd party also spammed people who had told play not to spam them. Play had shared personal data of those who had specifically said they do not want spam with a spammer.

    I am wondering if I can beat some money out of play over this. They have broken the law (I told them to delete my data, and they did not), I would never have allowed them to share any data with any one else, ever, under any circumstances. OK, the email address I have registered with them does not work any more, so I happened to dodge this bullet, but that isn't the point.

    Can I just send them a letter of complaint, mentioning "without prejudice", and a fee schedule? And if they do not compensate me I can sue in small claims in accordance with the fee schedule, and presumably get them done criminally by the data protection office too?

    Yes, this is the nasty shit that I don't like about the US-style sue culture. But if you can't beat them, join them! Once companies cross that metaphorical line where they change from being something like a person's business persona to a non-human profit animal they just can't be trusted, so I have no qualms about fucking them over: they would do it to me given half a chance!
