Update Your Barnes & Noble Password Right Now

From Lifehacker:

In a recent email, Barnes & Noble informed its customers of a security breach on October 12 that may have exposed email addresses and other account information.

The hack affected store systems, reportedly rendering cash registers unusable for a time, and also affected Nook apps and devices. Users were unable to view their collections, load past purchases, or buy new books, and Nook-related web pages were temporarily inaccessible for a few days this week. Most Nook functionality seems to be restored by now, but the full severity of the leak is unclear.

. . . .

In the email, Barnes & Noble confirms user email addresses, shipping and billing addresses, and phone numbers were vulnerable, but found no evidence any of this information was stolen. The email also says financial data is encrypted and safe—or at least, that’s how it looks for now.

. . . .

The company says the worst users should expect is that they may receive unwanted spam emails or phone calls. However, some users have reported unauthorized account access and purchases in the days since B&N systems were compromised.

While it’s possible hackers stole and decrypted password and payment data, it’s equally likely the affected users had poorly secured bank accounts that use the same email address as their Barnes & Noble profile. It’s not hard to break into an account using credential stuffing, especially if users re-use a password that’s been compromised in other leaks and they don’t have extra account security enabled, such as two-factor authentication (2FA).

Either way, there’s more risk than just the spam emails and calls Barnes & Noble suggests. Even if the hack exposed only email and phone numbers, these can be used to phish passwords and other security information from unsuspecting victims—that’s why your bank says it “never asks you for your password.”

So if you get an email asking for your account number, credit card info, or password, don’t provide it. And don’t click on any links or email attachments, either.

Link to the rest at Lifehacker

Typically, PG doesn’t include links in the excerpts from items he posts.

The original of this Lifehacker article includes links to lots of information that may be of help to Barnes & Noble online customers.

These links provide detailed information concerning what Barnes & Noble customers should be doing with their Barnes & Noble account information, sign-on credentials, etc., to avoid problems that may be caused if those who attacked the Barnes & Noble computer system were able to access credit card or other personal information.

At a higher level and for any website that asks for credit card numbers, personal information, etc., it is a good idea to use a unique and complex password.

Of course, if you have id/pw credentials for more than a half-dozen websites, you may have difficulty remembering if your bank password is )NpZLfmY’?6m'{:\ or @X(wfS6f;m-.+wEJd”Gc

There are computer programs to help you with that and make it as easy to insert NFsEu9GDLn8W3hhd3rUK into the password blank as it is to type mydogisrover.

PG uses LastPass and has done so for a long time with zero problems.

PG knows others who use 1password and are quite happy with it as well.

PC Magazine has a review of The Best Password Managers for 2020 which provides details on a whole bunch of password managers.

If you don’t like spending money, PC Magazine also has a review of The Best Free Password Managers for 2020 as well.
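As an added illustration (not part of the Lifehacker excerpt or of PG's post), the following Python sketch shows what sits behind the "unique and complex password" advice above and the credential-stuffing warning in the Lifehacker excerpt: a password manager checks whether a password has already shown up in a leak, whether it is reused on more than one site, and hands you a fresh one drawn from the operating system's cryptographic random source. The leak corpus and the vault contents are constructed for the example; the prefix-indexed layout mimics the k-anonymity range lookup that services like Pwned Passwords use, but nothing here contacts any service.

```python
import hashlib
import math
import secrets
import string

# Constructed stand-in for a breached-password corpus; nothing here comes
# from a real leak. Range APIs index SHA-1 hashes by their first five hex
# characters so a client can ask about a prefix without revealing the full
# hash; this dict imitates that layout offline.
CONSTRUCTED_LEAK = ["mydogisrover", "password123", "letmein", "mydogisrover"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the format range indexes use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked: list[str]) -> dict[str, dict[str, int]]:
    """Map 5-char hash prefix -> {35-char suffix: times seen in the leak}."""
    index: dict[str, dict[str, int]] = {}
    for pw in leaked:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


INDEX = build_range_index(CONSTRUCTED_LEAK)


def breach_count(password: str, index=INDEX) -> int:
    """How many times the password appears in the leak corpus (0 = never seen).

    Against a real range API only the prefix would cross the wire; the suffix
    comparison happens on the client, so the full hash never leaves the machine.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return index.get(prefix, {}).get(suffix, 0)


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def reuse_report(vault: dict[str, str]) -> dict[str, list[str]]:
    """Passwords shared by more than one site: the credential-stuffing exposure.

    `vault` maps site -> password, the way a password manager stores them.
    Returns password -> sorted sites, only for passwords used more than once.
    """
    by_password: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def audit(vault: dict[str, str]) -> dict[str, list[str]]:
    """Per-site findings: 'leaked' if in the corpus, 'reused' if shared."""
    reused = reuse_report(vault)
    findings: dict[str, list[str]] = {}
    for site, pw in vault.items():
        issues = []
        if breach_count(pw) > 0:
            issues.append("leaked")
        if pw in reused:
            issues.append("reused")
        if issues:
            findings[site] = issues
    return findings


def fresh_unique_password(vault: dict[str, str], length: int = 20) -> str:
    """Generate a password that is neither leaked nor already used on another site."""
    used = set(vault.values())
    while True:
        candidate = generate_password(length)
        if candidate not in used and breach_count(candidate) == 0:
            return candidate


if __name__ == "__main__":
    # Constructed vault: the same weak password on the bookstore and the bank.
    vault = {"bn.com": "mydogisrover",
             "bank.example": "mydogisrover",
             "mail.example": "NFsEu9GDLn8W3hhd3rUK"}
    print(audit(vault))
    print(fresh_unique_password(vault), f"~{entropy_bits(20):.0f} bits")
```

The audit flags both the bookstore and the bank because they share a leaked password, which is exactly the scenario the Lifehacker excerpt describes: a breach that exposes only an email address still points an attacker at every other site where the same password was reused. A 20-character password from the 94-symbol alphabet carries about 131 bits of guessing entropy, which is why the manager, not the user, should be the one choosing it.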

James Daunt, Fearless Leader, a Continuing Saga

PG just learned that James Daunt had a video interview with an editor at Publishing Perspectives on October 14, four days after the first announcement PG saw of the Barnes & Noble Crash of 2020, in connection with the Frankfurt Book Fair.

Due to firewalls for publications PG doesn’t necessarily want to pay to read, PG hasn’t been able to access any details of what Daunt may or may not have said about the Barnes & Noble computer crash. He hasn’t seen any third-party reports based on the interview that provide much detail.

However, PG speculates that, had Daunt been asked about the Barnes & Noble computer crash that, among other things, took down BN’s Nook business and reportedly locked up Nook readers in many places, Daunt’s response would have been newsworthy enough to show up somewhere PG can access.

PG speculates that, perhaps, the interviewer didn’t know about the BN crash; the interviewer was told before the interview that the crash was a no-go zone; Daunt’s comments about the crash were off the record; the interviewer asked Daunt about the crash and Daunt replied with the British equivalent of “No Comment”; or something else entirely.

PG continues to be puzzled by the apparent lack of any public comment by Daunt about a major problem Barnes & Noble experienced.

Barnes & Noble is no longer a public company, having been acquired and taken private by an investment group, so it doesn’t have the legal obligation to disclose information about a problem that would have sent the public company’s stock into a steep decline.

Here’s some pure speculation on PG’s part.

Repeat – Pure speculation with no secret factual basis:

Perhaps Daunt is in hot water with the current owners of Barnes & Noble or was in hot water even before the crash due to Barnes & Noble’s performance, and has decided to keep silent or had been ordered to keep silent by his bosses.

End of pure speculation.

PG is a lawyer, not a reporter. He usually waits for news to come to him via various email subscriptions, persistent Google searches, tips, etc.

If any visitors to TPV see anything online, have any reliable information, etc., about what has, at least for PG, become a more and more puzzling response by Barnes & Noble to a really big problem, he would appreciate hearing about it in the comments to this post or via the Contact link up toward the top of the blog.

Barnes & Noble cyberattack exposed customers’ personal information

From CNN:

A day after Barnes & Noble solved its Nook outage, the bookstore revealed a far more serious problem: A massive cybersecurity attack breached the company’s data, exposing information about customers, including email addresses and other personal information.

On Monday, Barnes & Noble sent customers an email to notify them about the cyberattack. The company made clear that customers’ financial information had not been exposed. Their transaction history, however, was potentially exposed. The company said “transaction history, meaning purchase information related to the books and other products that you have bought from us” were retained in the systems that were impacted by the cybersecurity attack.

Customers’ email addresses were also potentially leaked in the cybersecurity attack, according to the company.

“It is possible that your email address was exposed and, as a result, you may receive unsolicited emails,” Barnes & Noble said.

While the bookstore chain doesn’t know if other personal information was exposed during the attack, Barnes & Noble acknowledged that customers’ billing and shipping addresses as well as their phone numbers stored in the systems were included in the attack.

Although not worth much to hackers on their own, personally identifying data like addresses, phone numbers, names and email addresses are valuable on the black market. They can be combined with other information, including credit card information and Social Security numbers, to create full profiles of people. Hackers can use that information to steal people’s identities and money.

Link to the rest at CNN

PG notes that the drip-drip-drip method of revealing information after a company disaster is something many public relations professionals regard as a classic example of the wrong way for a company to handle such an event.

The recommended strategy is to tell everything you know right away, upfront and to be very transparent about what you are doing to resolve the problem and protect your customers from harm. Quite often, a consumer-facing company will offer a credit-protection program at no cost to its customers.

As mentioned before, you can send any other information you think might be of interest to TPV visitors via the Contact link.

PG is particularly interested in hearing about any indications of intelligent life inside Barnes & Noble’s management ranks.

Barnes & Noble hit by cyberattack that exposed customer data

From Bleeping Computer:

U.S. Bookstore giant Barnes & Noble has disclosed that they were victims of a cyberattack that may have exposed customers’ data.

Barnes & Noble is the largest brick-and-mortar bookseller in the United States, with over 600 bookstores in fifty states. The bookseller also operates Nook Digital, which is their eBook and e-Reader platform.

. . . .

Since October 10th, users have been complaining on Nook’s Facebook page and Twitter that they could no longer access their library of purchased eBooks and magazine subscriptions. When they attempted to do so online or on their Nook, the library came up blank or they could not log into bn.com.

. . . .

In a statement given to FastCompany earlier today, Barnes & Noble said that they suffered a severe network issue and were in the process of restoring their server backups.

“We have a serious network issue and are in the process of restoring our server backups,” Barnes & Noble told Fast Company in a statement. “Our systems are back online in our stores and on BN.com, and we are investigating the cause. Please be assured that there is no compromise of customer payment details, which are encrypted and tokenized.”

. . . .

In an email sent to customers late Wednesday night and seen by BleepingComputer, Barnes & Noble has disclosed that they suffered a cyberattack on October 10th, 2020.

As part of this attack, threat actors gained access to corporate systems utilized by the company.

“It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.”

“We write now out of the greatest caution to let you know how this may have exposed some of the information we hold of your personal details,” Barnes & Noble stated in their email.

. . . .

In a list of frequently asked questions, Barnes & Noble states that no payment details have been exposed but is unsure at this time if the hackers accessed other personal information.

They do admit that email addresses, billing addresses, shipping addresses, and purchase history were exposed on the hacked systems.

. . . .

While it has not been confirmed, Barnes & Noble’s cyberattack has all the characteristics of a ransomware attack.

Ransomware operators commonly conduct their attacks on the weekend, when there is less staff present who could detect the attack — Barnes & Noble were attacked on a Saturday.

The bookseller also stated that they had to restore server backups, which is another indicator of a ransomware attack.

Finally, cybersecurity intelligence firm Bad Packets told BleepingComputer that Barnes & Noble previously had multiple Pulse VPN servers that were vulnerable to the CVE-2019-11510 vulnerability.

This vulnerability is popular among ransomware threat actors as it allows them to gain access to user credentials stored on the VPN device.

A recent leak of Pulse VPN credentials gathered using this vulnerability contained accounts belonging to Barnes & Noble.

. . . .

Unfortunately, if they did suffer a ransomware attack, it is likely that much more data was exposed than Barnes & Noble is disclosing.

When ransomware operators attack a network, they first steal unencrypted files to use as leverage to get a victim to pay the ransom. If the victim refuses to pay, the ransomware gang leaks the unencrypted data on data leak sites.

Link to the rest at Bleeping Computer and thanks to DM for the tip.

When anyone hears of the first class-action suit filed against Barnes & Noble on behalf of its online customers based upon the leak of personal information and damages arising therefrom, you can let PG know via the Contact Link at the top of the blog.

To be fair to Barnes & Noble, there may be a non-negligent explanation for all of this, but the Barnes & Noble CEO has been surprisingly silent about this matter, particularly in comparison to his ready availability to any journalist likely to produce yet another puff piece about him.