Barnes & Noble databases hacked

[pdurrant]

Barnes and Noble have been the victims of a cyber attack where the attackers gained access to some of their databases.

This means that the names, email addresses, postal addresses, telephone numbers and purchase history of some or all Barnes & Noble customers have probably been obtained by the attackers.

It's unlikely that the attackers have obtained credit card numbers (Barnes & Noble say they have not) but it can't (IMO) be ruled out at this stage.

They have sent out an email to customers:


Dear Barnes & Noble Customer,

It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.

We write now out of the greatest caution to let you know how this may have exposed some of the information we hold of your personal details.

Firstly, to reassure you, there has been no compromise of payment card or other such financial data. These are encrypted and tokenized and not accessible. The systems impacted, however, did contain your email address and, if supplied by you, your billing and shipping address and telephone number. We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility. We give below answers to some frequently asked questions.

We take the security of our IT systems extremely seriously and regret sincerely that this incident has occurred. We know also that it is concerning and inconvenient to receive notices such as this. We greatly appreciate your understanding and thank you for being a Barnes & Noble customer.

Barnes & Noble

FAQ

1. Have my payment details been exposed?
No, your payment details have not been exposed. Barnes & Noble uses technology that encrypts all credit cards and at no time is there any unencrypted payment information in any Barnes & Noble system.

2. Could a transaction be made without my authorization?
No, no financial information was accessible. It is always encrypted and tokenized.

3. Was my email compromised?
No. Your email was not compromised as a result of this attack. However, it is possible that your email address was exposed and, as a result, you may receive unsolicited emails.

4. Was any personal information exposed due to the attack?
While we do not know if any personal information was exposed as a result of the attack, we do retain in the impacted systems your billing and shipping addresses, your email address and your telephone number if you have supplied these.

5. Do you retain any other information in the impacted systems?
Yes, we also retain your transaction history, meaning purchase information related to the books and other products that you have bought from us.

[Quoth]

Reporting here:
https://www.theregister.com/2020/10/..._noble_hacked/

I know hackers are clever, but actually ANY company getting hacked has been negligent. Either with staff passwords if internal, training if it's by social engineering (even a free mouse in the post to a senior person with malware, that's real) or poor internet facing security.

There is zero excuse.

Also past experience shows many companies are slow to admit the extent of hacks.

NEVER use the same password for more than one site. Write them in an address book never stored with computer. Only store non-financial passwords in your browser password manager.
Do not let Amazon, Google, Microsoft etc store WiFi or site passwords, other than the login you use with them.

[fjtorres]

Most hacks just take data quietly.
This one crashed the entire system.
At last report (wed Oct 14) the stores were up, Nook wasn't.
Five days and counting.

The drama went unreported by everybody but Reddit until the fourth day, make of it what you will.

Check the comments here, where a couple of people have reported suspicious activity on their B&N-linked credit cards:

https://the-digital-reader.com/2020/...n-all-of-them/

https://the-digital-reader.com/2020/...aturdays-hack/

Not something any company wants to experience, much less one as troubled as B&N, but their user side response has been...less than desirable?

Edit:

With the tech media finally noticing, details are emerging and they're not good.


ZDNET is reporting:

Quote:

“As noted by The Register, the outage also spread to physical outlets, where it appeared that some cash registers were also “briefly” unable to function.

This prompted speculation that the disruption could be due to a malware infection, as when Point-of-Sale (PoS) systems become involved, the issue may not merely be due to a backend or server glitch. ”

“While the details of the cyberattack are yet to be made public, it is possible that ransomware could be at the heart of the incident. Bad Packets told BleepingComputer that the bookseller’s VPN servers were previously vulnerable to CVE-2019-11510, an arbitrary read vulnerability.

Security flaws like this can be used to compromise corporate networks and deploy payloads, including ransomware. In recent months, AG and the Duesseldorf University Hospital have experienced severe ransomware attacks. ”

https://www.zdnet.com/article/barnes...r-data-breach/

The Bleeping News report is more of the same except it adds this ominous bit:

Quote:

“Unfortunately, if they did suffer a ransomware attack, it is likely that much more data was exposed than Barnes & Noble is disclosing.

When ransomware operators attack a network, they first steal unencrypted files to use as leverage to get a victim to pay the ransom. If the victim refuses to pay, the ransomware gang leaks the unencrypted data on data leak sites.

These leaked files can have personal employee information, including passports, drivers licenses, medical information, and salary. ”

Quote:

Finally, cybersecurity intelligence firm Bad Packets told BleepingComputer that Barnes & Noble perviously had multiple Pulse VPN servers that were vulnerable to the CVE-2019-11510 vulnerability.

This vulnerability is popular among ransomware threat actors as it allows them to gain access to user credentials stored on the VPN device.

https://www.bleepingcomputer.com/new...customer-data/

For a retailer, ransomware attacks typically target consumer data rather than doxing employers.

BTW, the cited vulnerability was reported back in April 2019, when a patch was issued.

18 months later, their systems remained unpatched.

[Pajamaman]

Quote:

Originally Posted by fjtorres

BTW, the cited vulnerability was reported back in April 2019, when a patch was issued.

18 months later, their systems remained unpatched.

O.M.G.

[pwalker8]

Quote:

Originally Posted by Quoth

Reporting here:
https://www.theregister.com/2020/10/..._noble_hacked/

I know hackers are clever, but actually ANY company getting hacked has been negligent. Either with staff passwords if internal, training if it's by social engineering (even a free mouse in the post to a senior person with malware, that's real) or poor internet facing security.

There is zero excuse.

Also past experience shows many companies are slow to admit the extent of hacks.

NEVER use the same password for more than one site. Write them in an address book never stored with computer. Only store non-financial passwords in your browser password manager.
Do not let Amazon, Google, Microsoft etc store WiFi or site passwords, other than the login you use with them.

First off, no getting hacked doesn't imply negligence. Every internet site has vulnerabilities, that's just the nature of the beast. Anyone who says otherwise is either ignorant or lying. The only secure computer is one that is turned off and put in a bank vault, but it's also pretty useless. Security is always about trade offs. Perhaps B&N was negligent, perhaps not.

Storing passwords in a book just means that anyone with access to that book has access to your passwords. My sister uses your method of handling passwords. Her kids know where the notebook with the passwords is. For some strange reason, she can't keep them from using the wifi after hours. Gee, I wonder why.

It's correct that you shouldn't use the same password for different sites. Pass that, most individuals don't need CIA level security. Someone who has physical access to your computer is going to get the data off of it. Unless you are at special risk, letting the browser save the password is fine. They store it encrypted. Storing your passwords in an encrypted document or in a good password app is also fairly safe for most people. Using a good VPN when on a public WiFi is also a good idea.

[Sirtel]

I do use the same passwords for less important sites, where there are no financial data stored and I wouldn't care whether the site got hacked. There are just too many of those to use individual passwords for each. For Amazon, Google, Microsoft, PayPal, Adobe etc I use unique passwords.

And I actually use the analog method of storing passwords. But then no other person has access to my things, I almost never have any visitors and I keep the password paper somewhat hidden, so an accidental burglar wouldn't find it easy to grab either. Not that I've ever been burglarized.

[fjtorres]

Quote:

Originally Posted by Pajamaman

O.M.G.

More common than most people realize.
Good IT takes time and money and most non-tech businesses see IT as a cost center. And when companies are financially stressed IT is one of the first things to get whittled to the bone.

Notice how getting the store cash registers was hit first and BN.COM and Nook are still having "issues" into day six. It's triage. They addressed their big cash flow source first which is sensible.

Not emailing customers by sunday and telling then the systems were down, being worked on, and that nothing would be lost (even if not totally true), that wasn't anywhere near sensible.

This was a case of any news being better than no news, a time for transparency or even reassuring lies. Not silence.

At this point B&N's only asset with consumers is their brand. And they failed to protect it. Even if no books are lost, people didn't know they wouldn't and as the comments at Nate's site show people are really scared and affaid of losing their books.

Major brand damage to a business under stress from all sides, especially the pandemic.

Seriously ungood.

[Uncle Robin]

I don't have a Nook or use B&N but this did make me glad I followed a suggestion elsewhere here at MR to download all my Kobo purchases and make them truly mine. Not being able to read a book I'd legitimately purchased would be annoying, losing access to all of them would be an outrage.

[fjtorres]

Quote:

Originally Posted by Sirtel

I do use the same passwords for less important sites, where there are no financial data stored and I wouldn't care whether the site got hacked. There are just too many of those to use individual passwords for each. For Amazon, Google, Microsoft, PayPal, Adobe etc I use unique passwords.

And I actually use the analog method of storing passwords. But then no other person has access to my things, I almost never have any visitors and I keep the password paper somewhat hidden, so an accidental burglar wouldn't find it easy to grab either. Not that I've ever been burglarized.

Sensible.

As is, IT thinking on passwords has been evolving and many are rethinking their user system security policies. Biometrics are filtering down to phones and fairly cheap tablets and PCs. Fingerprint readers and, yes, facial recognition, are replacing passwords as the key authentication systems at the user level, even if PIBS and passwords remain as a "se urity blanket". Even security fobs and keys are coming to PCs.

At the corporate level security fobs, keys, and cards and biometrics are the minimum at most well run places and have been for decades.

There's too much compute power out there for even the hardiest password to be trusted for mission critical security.

[Deskisamess]

And as Data wonders...

[Uncle Robin]

Bitwarden does ok for me - I doubt there's much about my life that interests Five Eyes enough to bother cracking the 12-25 character passwords it generates for each website I use. Remembering the master passphrase is much easier than trying to decipher the drunken spider's scrawl that would be any handwritten list I might create.

[Deskisamess]

I've started letting Apple set the complex password for most sites. They are shared to all 3 of my iDevices, and their security is better than most. I also don't let most shopping sites save my payment info, unless it's a site I use regularly.

We use one credit card for most purchases, and can easily check activity. I don't have our main checking account linked to any shopping sites, we have one account we keep low balances in tied to PayPal. But prefer the safety of using the credit card, and Apple Pay when out and about.

The company hubby works for is very serious about security. They routinely send out fake phishing emails etc. to their employees, and employees who fall for them have to go through "Online Safety" meetings etc. They aren't a retail company, but do have government contracts etc. They've done even more of these since the lock-down and so many people working from home using their VPN and company computers. At one time you could use a personal computer with their VPN but they stopped that years ago.

[gbm]

Quote:

Originally Posted by fjtorres

Sensible.

As is, IT thinking on passwords has been evolving and many are rethinking their user system security policies. Biometrics are filtering down to phones and fairly cheap tablets and PCs. Fingerprint readers and, yes, facial recognition, are replacing passwords as the key authentication systems at the user level, even if PIBS and passwords remain as a "se urity blanket". Even security fobs and keys are coming to PCs.

At the corporate level security fobs, keys, and cards and biometrics are the minimum at most well run places and have been for decades.

There's too much compute power out there for even the hardiest password to be trusted for mission critical security.

Using good passwords is ok but I only use a prepaid debit card online with only what I can afford to lose.

I also have two part verification on all email accounts--yes I have about fine email accounts. When my gmail is accessed from a new IP address or new device I get notification on two email accounts and all of my android devices.


bernie

[fjtorres]

It isn't paranoia if they're really outto get you.

[Uncle Robin]

Quote:

Originally Posted by fjtorres

It isn't paranoia if they're really outto get you.

"‘that’s just perfectly normal paranoia. Everyone in the Universe has that.’" - Slartibartfast.