After confirming a security breach to its customers yesterday, Play.com today suggested that email marketing company Silverpop may have been responsible for the leak which resulted in spam being delivered to Play.com customers.
In a statement sent to Netcraft, John Perkins, CEO of Play.com, said:
"We believe this issue may be related to some irregular activity that was identified in December 2010 at our email service provider, Silverpop. Investigations at the time showed no evidence that any of our customer email addresses had been downloaded. We would like to assure all our customers that the only information communicated to our email service provider was email addresses. Play.com has taken all the necessary steps with Silverpop to ensure a security breach of this nature does not happen again."
Following the attacks in December 2010, Silverpop posted some details of its forensic investigation on its blog.
Several Play.com customers have speculated about whether any other personal data may have been compromised, while the Sophos blog recommended that customers change their passwords. However, Play.com offered some reassurance by confirming that no other personal data has been compromised:
"We would also like to reassure our customers that all other personal information (i.e. credit cards, addresses, passwords, etc.) is kept in the very secure Play.com environment. Play.com has one of the most stringent internal standards of e-commerce security in the industry. This is audited and tested several times a year by leading internet security companies to ensure this high level of security is maintained. On behalf of Play.com, I would like to once again apologise to our customers for any inconvenience due to a potential increase in spam that may be caused by this issue."
In a separate statement, Silverpop confirmed to Netcraft that it had notified all customers impacted by the cyber attack in 2010 and worked with the FBI to help identify those responsible.