Online retailer Play.com has been accused of leaking its customers’ email addresses to spammers.
Many customers reported receiving a spam email yesterday offering an “Adobe Reader” upgrade that requires registration and payment. Some of these emails were sent to unique email addresses that have only ever been used at play.com, suggesting that the spammer had access to Play.com’s private customer details.
Most complaints relate to an email with the subject line “Get more done, much faster, with Acrobat X PDF Reader. Upgrade Available Now”:
One Play.com customer commented yesterday:
“I too received the email this morning. I use a unique email address for each website using the plus addressing feature of gmail; in this case the phishing attack was sent to myemailaddress+play@gmail.com. This is pretty compelling evidence that play.com are at fault.”
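The attribution technique the customer describes (a distinct plus-addressed recipient per website, so the tag on an incoming spam message names the site that was given the address) can be turned into a small triage script. The following is an added example written for this page, not code from Netcraft or from Play.com; the message headers are constructed, and the sender domains and the `othershop` tag are placeholders. It reads raw messages, matches the suspicious subject line, and counts hits per normalised base address and tag, so a tag that has only ever been handed to one site stands out:

```python
import re
from collections import Counter
from email.parser import Parser
from email.utils import getaddresses

# Constructed sample: raw headers of three messages as received by a
# hypothetical Gmail user who gives each site its own plus-tagged address.
SAMPLE_MESSAGES = [
    """From: "Acrobat X Upgrade" <noreply@spam-sender.invalid>
To: My.Email.Address+play@gmail.com
Subject: Get more done, much faster, with Acrobat X PDF Reader. Upgrade Available Now

Click here to upgrade.
""",
    """From: "Acrobat X Upgrade" <noreply@spam-sender.invalid>
To: <myemailaddress+play@gmail.com>
Subject: Get more done, much faster, with Acrobat X PDF Reader. Upgrade Available Now

Click here to upgrade.
""",
    """From: orders@othershop.invalid
To: myemailaddress+othershop@gmail.com
Subject: Your order has shipped

Thanks for your purchase.
""",
]

# Providers whose sub-addressing rules this script knows about: Gmail ignores
# dots and letter case in the local part and treats '+tag' as a label.
SUBADDRESS_DOMAINS = {"gmail.com", "googlemail.com"}


def split_recipient(addr):
    """Return (base_address, tag) for a recipient address.

    The base address is normalised so that 'My.Email+play@gmail.com' and
    'myemail+play@gmail.com' compare equal; tag is None when the address
    carries no '+' label (for example when a spammer stripped it).
    """
    addr = addr.strip().lower()
    local, _, domain = addr.rpartition("@")
    base, _, tag = local.partition("+")
    if domain in SUBADDRESS_DOMAINS:
        base = base.replace(".", "")
    return f"{base}@{domain}", (tag or None)


def attribute_spam(raw_messages, subject_pattern):
    """Count, per (base address, tag), messages whose Subject matches subject_pattern.

    Each key in the returned Counter names one address that received the
    campaign; a tag that was only ever disclosed to one website points at
    that website (or a partner it shares data with) as the source.
    """
    pattern = re.compile(subject_pattern, re.IGNORECASE)
    hits = Counter()
    for raw in raw_messages:
        msg = Parser().parsestr(raw)
        if not pattern.search(msg.get("Subject", "")):
            continue
        recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
        for _name, addr in getaddresses(recipients):
            hits[split_recipient(addr)] += 1
    return hits


def leaked_tags(hits):
    """Return the sorted set of tags that received the campaign, ignoring
    untagged addresses, which carry no attribution information."""
    return sorted({tag for (_base, tag) in hits if tag})


if __name__ == "__main__":
    results = attribute_spam(SAMPLE_MESSAGES, r"Acrobat X PDF Reader")
    for (base, tag), count in results.most_common():
        print(f"{count:3d}  {base}  tag={tag}")
    print("tags hit by this campaign:", leaked_tags(results))
```

Two caveats a practitioner should keep in mind when reading the output. A hit on a tag proves only that the address left the mailbox owner's control after it was given to that site; as the article notes below, the leak may sit with a payment or fraud-screening partner rather than the retailer itself. And spammers who know about plus-addressing can strip the `+tag` before sending, in which case the message arrives on the untagged base address and the script reports `tag=None`, which attributes nothing.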
Although it does seem that Play.com’s customer details have been exposed, it is not yet clear how this happened, or indeed whether Play.com are at fault at all. In particular, Play.com’s privacy policy identifies several third parties through which a leak could have occurred: Play.com shares customer data with business and technical partners that handle orders, process credit and debit card payments and provide fraud protection.
Another recipient of the spam was advised the following by Play.com:
“Please be advised that our database is maintained on a secure internal server that is not connected to the internet. No unauthorised access of any kind is available to the network.”
Fortunately, most major browsers already block the spammer’s website, warning that it is a reported web forgery:
If the user chooses to ignore this warning, the site offers a download link for PDF Reader/Writer software:
The user is then taken to a third-party site, secureonline-form.com, which requires registration:
Finally, the user must pay for membership in order to obtain the software:
Play.com did not respond to Netcraft’s request for comment before this article was published.