Confirmed: Barnes & Noble hacked, systems taken offline for days, miscreants may have swiped personal info

Nook, line and sinker: Servers restored from backups, punters unable to download purchased e-books

Updated Barnes and Noble tonight confirmed it was hacked, and that its customers' personal information may have been accessed by the intruders. The cyber-break-in forced the bookseller to take its systems offline this week to clean up the mess. See our update at the end of this piece. Our original report follows.

Bookseller Barnes and Noble’s computer network fell over this week, and its IT staff are having to restore servers from backups.

The effects of the collapse were first felt on Sunday, with owners of B&N's Nook tablets discovering they were unable to download their purchased e-books to their gadgets nor buy new ones. That is to say, if they had bought an e-book and hadn't downloaded it to their device before B&N's cloud imploded, they would be unable to open and read the digital tome. The bookseller's Android and Windows 10 apps were similarly affected.

It soon became clear the problem was quite serious when some cash registers in Barnes and Noble’s physical stores also briefly stopped working.

One Register reader told us that as a result of the downtime:

You can see all of your purchases on your Nook, but you can't download any of them if you haven't already. This includes purchases you might have made during the outage. When you try, you see an error: "Internal error: Exception executing the command." This is consistent, whether it is the app for Android phones, the app for Windows 10, or Nook devices themselves.

In other words, none of the books you've bought from today back to the day you signed up for a Nook account are available for you to download and read.

When you go to your account on the Nook website, your library is empty. 100 per cent empty – and there is usually a free thing or two in there when you first sign up, but now it's nothing. In some cases, the cover images of books etc don't download. In some cases, you can't use the online store, either.

B&N has yet to confirm any details of the ongoing network collapse – which has spanned at least three days now – though it is whispered that malware may have taken hold of the bookseller's machines and spread to stores and the Nook cloud. The company told The Register it has “a network issue and are in the process of restoring our server backups,” which sounds like a ransomware attack.

The book flogger also said it is “investigating the cause,” though stressed there has been “no compromise of customer payment details which are encrypted and tokenized.”

A person holding a burning book

This weekend you better read those ebooks you bought from Microsoft – because they'll be dead come early July


That feels like a carefully worded statement and leaves open the possibility other customer records may have been compromised or meddled with – such as usernames, passwords, and contact details – but that payment information was protected.

Pressed for more detail on whether malware was responsible or whether user data had been compromised, a Barnes & Noble representative noted only that it was “working urgently to get Nook repaired," and was investigating.

The length of time that the network has been down and the lack of communication from the company points to a more serious problem than a simple network failure. Initially the biz said the system would be back up within a few hours of the first reports of problems.

Partial restore

On Tuesday, some parts of the network reappeared, with cash registers and the website largely back up on Wednesday, although some webpages still showed problems and the Nook e-book system has been up and down all day, and at the time of writing is still suffering problems.

It wasn’t until Wednesday afternoon that a notice finally appeared on the Nook site announcing: “We're very sorry - NOOK Books are currently unavailable due to a system issue. We'll have this fixed as soon as we can.”

The Nook twitter account also finally acknowledged the problem mid-morning on Wednesday: “We are continuing to experience a systems failure that is interrupting NOOK content. We are working urgently to get all NOOK services back to full operation. Unfortunately it has taken longer than anticipated, and we sincerely apologize for this inconvenience and frustration,” it tweeted.

A second tweet continued: “Please be assured that there is no compromise of customer payment details which are encrypted and tokenized. We expect NOOK to be fully operational shortly and will post an update once systems are restored. Thank you for your patience.” ®

Updated to add

Shortly after this article was published, Barnes & Noble confirmed in an email to customers that it was hacked. The biz said it found out over the weekend, on October 10, that miscreants had broken into its computer systems, adding that customers' personal information stored on file may have been accessed or taken by the intruders. This info includes names, addresses, telephone numbers, and purchase histories.

Here are the salient portions of the message sent out this evening:

It is with the greatest regret we inform you that we were made aware on October 10, 2020 that Barnes & Noble had been the victim of a cybersecurity attack, which resulted in unauthorized and unlawful access to certain Barnes & Noble corporate systems.

Firstly, to reassure you, there has been no compromise of payment card or other such financial data. These are encrypted and tokenized and not accessible. The systems impacted, however, did contain your email address and, if supplied by you, your billing and shipping address and telephone number. We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility. We give below answers to some frequently asked questions.

Your payment details have not been exposed. Barnes & Noble uses technology that encrypts all credit cards and at no time is there any unencrypted payment information in any Barnes & Noble system. No financial information was accessible. It is always encrypted and tokenized. It is possible that your email address was exposed and, as a result, you may receive unsolicited emails.

While we do not know if any personal information was exposed as a result of the attack, we do retain in the impacted systems your billing and shipping addresses, your email address and your telephone number if you have supplied these. We also retain your transaction history, meaning purchase information related to the books and other products that you have bought from us.

We'll update this story again as more information arrives.

Similar topics

Other stories you might like

  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading
  • Amazon investors nuke proposed ethics overhaul and say yes to $212m CEO pay
    Workplace safety, labor organizing, sustainability and, um, wage 'fairness' all struck down in vote

    Amazon CEO Andy Jassy's first shareholder meeting was a rousing success for Amazon leadership and Jassy's bank account. But for activist investors intent on making Amazon more open and transparent, it was nothing short of a disaster.

    While actual voting results haven't been released yet, Amazon general counsel David Zapolsky told Reuters that stock owners voted down fifteen shareholder resolutions addressing topics including workplace safety, labor organizing, sustainability, and pay fairness. Amazon's board recommended voting no on all of the proposals.

    Jassy and the board scored additional victories in the form of shareholder approval for board appointments, executive compensation and a 20-for-1 stock split. Jassy's executive compensation package, which is tied to Amazon stock price and mostly delivered as stock awards over a multi-year period, was $212 million in 2021. 

    Continue reading
  • Confirmed: Broadcom, VMware agree to $61b merger
    Unless anyone out there can make a better offer. Oh, Elon?

    Broadcom has confirmed it intends to acquire VMware in a deal that looks set to be worth $61 billion, if it goes ahead: the agreement provides for a “go-shop” provision under which the virtualization giant may solicit alternative offers.

    Rumors of the proposed merger emerged earlier this week, amid much speculation, but neither of the companies was prepared to comment on the deal before today, when it was disclosed that the boards of directors of both organizations have unanimously approved the agreement.

    Michael Dell and Silver Lake investors, which own just over half of the outstanding shares in VMware between both, have apparently signed support agreements to vote in favor of the transaction, so long as the VMware board continues to recommend the proposed transaction with chip designer Broadcom.

    Continue reading

Biting the hand that feeds IT © 1998–2022