Confirmed: Barnes & Noble hacked, systems taken offline for days, miscreants may have swiped personal info

Nook, line and sinker: Servers restored from backups, punters unable to download purchased e-books


Updated Barnes & Noble tonight confirmed it was hacked, and that its customers' personal information may have been accessed by the intruders. The break-in forced the bookseller to take its systems offline this week to clean up the mess. See the update at the end of this piece; our original report follows.

Bookseller Barnes and Noble’s computer network fell over this week, and its IT staff are having to restore servers from backups.

The effects of the collapse were first felt on Sunday, when owners of B&N's Nook tablets found they were unable to download their purchased e-books to their gadgets or buy new ones. That is to say, if they had bought an e-book and hadn't downloaded it to their device before B&N's cloud imploded, they would be unable to open and read the digital tome. The bookseller's Android and Windows 10 apps were similarly affected.

It soon became clear the problem was quite serious when some cash registers in Barnes and Noble’s physical stores also briefly stopped working.

One Register reader told us that as a result of the downtime:

You can see all of your purchases on your Nook, but you can't download any of them if you haven't already. This includes purchases you might have made during the outage. When you try, you see an error: "Internal error: Exception executing the command." This is consistent, whether it is the app for Android phones, the app for Windows 10, or Nook devices themselves.

In other words, none of the books you've bought from today back to the day you signed up for a Nook account are available for you to download and read.

When you go to your account on the Nook website, your library is empty. 100 per cent empty – and there is usually a free thing or two in there when you first sign up, but now it's nothing. In some cases, the cover images of books etc don't download. In some cases, you can't use the online store, either.

B&N has yet to confirm any details of the ongoing network collapse, now in at least its third day, though it is whispered that malware may have taken hold of the bookseller's machines and spread to stores and the Nook cloud. The company told The Register it has “a network issue and are in the process of restoring our server backups.” Rebuilding servers from backups rather than simply failing over to standby systems is the textbook response to ransomware, which is what this sounds like, though B&N has not said so.

The book flogger also said it is “investigating the cause,” though stressed there has been “no compromise of customer payment details which are encrypted and tokenized.”


That is a carefully worded statement. Card data that is encrypted and tokenized stays protected even if the database holding the tokens is copied, because a token is useless without the separate vault that maps it back to a card number. The statement says nothing about the rest of a customer's record, such as usernames, passwords, and contact details, which typically sits in plaintext alongside the token and may have been read or meddled with.
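To make the distinction concrete, here is an added example (not Barnes & Noble's code; the schema, the `CardVault` class, the token format and the sample customer rows are all assumptions) showing what a copied commerce database yields when card numbers have been tokenized: the card numbers are gone, but every other field is readable.

```python
"""Why "payment details are encrypted and tokenized" protects the card number
and nothing else.  Added illustration; schema, vault and sample rows are
invented for this example, not taken from any real system."""
import re
import json
import secrets
from dataclasses import dataclass, asdict


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the cheap test an intruder (or a DLP scanner) uses to
    tell a real card number from any other long run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class CardVault:
    """Hypothetical PCI token vault.  The primary account number (PAN) exists
    only here; the commerce database only ever receives an opaque token.
    A real vault encrypts the PAN under an HSM-held key and lives in a
    separately controlled network segment; this toy keeps a dict in memory."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid PAN")
        # Hyphenated 4-hex-char groups cap any digit run at 4, so a token can
        # never be mistaken for a card number by a scanner.
        token = "tok_" + "-".join(secrets.token_hex(2) for _ in range(4))
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only code with vault access can turn a token back into a PAN."""
        return self._pan_by_token[token]


@dataclass
class CustomerRecord:
    """What the commerce database keeps per customer.  Everything except the
    card reference is plaintext and useful to an intruder."""
    email: str
    shipping_address: str
    phone: str
    purchases: list
    card_token: str


# Constructed sample data; the PANs are the standard Visa/Mastercard test numbers.
SAMPLE_CUSTOMERS = [
    {"email": "alice@example.com",
     "shipping_address": "120 Fifth Ave, New York, NY 10011",
     "phone": "212-555-0143", "purchases": ["Dune", "Neuromancer"],
     "pan": "4111111111111111"},
    {"email": "bob@example.com",
     "shipping_address": "9 Harbour St, Leeds, LS1 4AA",
     "phone": "0113-496-0177", "purchases": ["Snow Crash"],
     "pan": "5555555555554444"},
]


def load_customers(vault: CardVault, raw: list) -> list:
    """Ingest checkout data: the PAN goes to the vault, the token to the DB."""
    return [CustomerRecord(email=c["email"],
                           shipping_address=c["shipping_address"],
                           phone=c["phone"], purchases=list(c["purchases"]),
                           card_token=vault.tokenize(c["pan"]))
            for c in raw]


def serialize_db(records: list) -> str:
    """What an intruder walks away with after copying the customer table."""
    return json.dumps([asdict(r) for r in records])


def pans_in_dump(dump: str) -> list:
    """Scan a dump the way an attacker would: long digit runs that pass Luhn."""
    return [run for run in re.findall(r"\d{13,19}", dump) if luhn_ok(run)]


def fields_exposed(dump: str) -> set:
    """Field names carrying non-empty values in the dump."""
    return {k for row in json.loads(dump) for k, v in row.items() if v}


if __name__ == "__main__":
    vault = CardVault()
    db = load_customers(vault, SAMPLE_CUSTOMERS)
    dump = serialize_db(db)
    print("card numbers recoverable from dump:", pans_in_dump(dump))
    print("fields recoverable from dump:", sorted(fields_exposed(dump)))
    print("vault still resolves the token:", vault.detokenize(db[0].card_token))
```

Run it and the dump scan comes back empty while email, address, phone and purchase history all come back populated, which is exactly the gap the company's statement leaves open. The design point is that tokenization only moves the secret into a different trust boundary; whether the intruder could reach that boundary (the vault) is a separate question the statement does not answer.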

Pressed for more detail on whether malware was responsible or whether user data had been compromised, a Barnes & Noble representative noted only that it was “working urgently to get Nook repaired," and was investigating.

The length of time the network has been down and the lack of communication from the company point to a more serious problem than a simple network failure. Initially the biz said the system would be back up within a few hours of the first reports of problems.

Partial restore

On Tuesday, some parts of the network reappeared. Cash registers and the BN.com website were largely back up on Wednesday, although some webpages still showed problems, and the Nook e-book system has been up and down all day and was still suffering problems at the time of writing.

It wasn’t until Wednesday afternoon that a notice finally appeared on the Nook site announcing: “We're very sorry - NOOK Books are currently unavailable due to a system issue. We'll have this fixed as soon as we can.”

The Nook Twitter account also finally acknowledged the problem mid-morning on Wednesday: “We are continuing to experience a systems failure that is interrupting NOOK content. We are working urgently to get all NOOK services back to full operation. Unfortunately it has taken longer than anticipated, and we sincerely apologize for this inconvenience and frustration,” it tweeted.

A second tweet continued: “Please be assured that there is no compromise of customer payment details which are encrypted and tokenized. We expect NOOK to be fully operational shortly and will post an update once systems are restored. Thank you for your patience.” ®

Updated to add

Shortly after this article was published, Barnes & Noble confirmed in an email to customers that it was hacked. The biz said it found out over the weekend, on October 10, that miscreants had broken into its computer systems, adding that customers' personal information stored on file may have been accessed or taken by the intruders. This info includes names, addresses, telephone numbers, and purchase histories.

Here are the salient portions of the message sent out this evening:

It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.

Firstly, to reassure you, there has been no compromise of payment card or other such financial data. These are encrypted and tokenized and not accessible. The systems impacted, however, did contain your email address and, if supplied by you, your billing and shipping address and telephone number. We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility. We give below answers to some frequently asked questions.

Your payment details have not been exposed. Barnes & Noble uses technology that encrypts all credit cards and at no time is there any unencrypted payment information in any Barnes & Noble system. No financial information was accessible. It is always encrypted and tokenized. It is possible that your email address was exposed and, as a result, you may receive unsolicited emails.

While we do not know if any personal information was exposed as a result of the attack, we do retain in the impacted systems your billing and shipping addresses, your email address and your telephone number if you have supplied these. We also retain your transaction history, meaning purchase information related to the books and other products that you have bought from us.

We'll update this story again as more information arrives.


Biting the hand that feeds IT © 1998–2020