Millions of Barnes & Noble customers received a worrying email around 1 am on Thursday morning notifying them that the company had suffered a cyberattack on Oct. 10, which brought down its Nook services and led to the “unauthorized access” to “certain Barnes & Noble corporate systems.”
“We write now out of the greatest caution to let you know how this may have exposed some of the information we hold of your personal details. Firstly, to reassure you, there has been no compromise of payment card or other such financial data. These are encrypted and tokenized and not accessible,” the company said in its statement.
“The systems impacted, however, did contain your email address and, if supplied by you, your billing and shipping address and telephone number. We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility.”
The email follows days of complaints from Nook users who said all of their books and data had disappeared from their devices. Nook has posted a series of apologies for the disruption on Facebook and Twitter.
Reports of problems with the Barnes & Noble system started to emerge on Saturday, when GoodEReader reported outages with Nook e-readers as well as the Nook apps for iOS and Android. Since then, users have not been able to load the books in their library, sync it with other devices, read ebooks or even buy new books. Many users’ lists on their devices were completely erased.
GoodEReader later updated its story to say that several Barnes & Noble store managers reported that cash registers at the company’s more than 600 physical stores were also disrupted, with some telling the news outlet that the company’s corporate network was infected with a “virus.”
By Wednesday, Barnes & Noble said the cash registers were back online and other systems were being returned to full service, but GoodEReader’s editor in chief Michael Kozlowski wrote that “some people in the comment section said some of their Nook accounts have been compromised and their credit cards are being used by third parties.”
The company also contacted Fast Company to tell them that it was having a “serious” issue with its network and was “in the process of restoring our server backups.”
While nothing has been confirmed, BleepingComputer said the few details that have been released and the statements from Barnes & Noble imply that the company may be suffering from a ransomware attack. Ransomware attacks, they reported, typically happen on weekends and require the kind of restoration using server backups that the Barnes & Noble statement mentioned.
A cybersecurity firm, Bad Packets, also shared further details with BleepingComputer indicating that the attack may have exploited CVE-2019-11510, a vulnerability in the Pulse Secure VPN servers that Barnes & Noble uses.
Bad Packets wrote on Twitter that, “Barnes & Noble had multiple Pulse Secure VPN servers that went unpatched against CVE-2019-11510 for months. Data from their servers was found in the recent leak as well,” highlighting a ZDNet story written in August about hackers who published a list of plaintext usernames and passwords, along with IP addresses for more than 900 Pulse Secure VPN enterprise servers.
Jeff Hussey, CEO of Tempered, said CVE-2019-11510 was an arbitrary read vulnerability that can serve as a vector for these types of attacks and noted that security teams have to change their traditional mindset.
“Visibility is not security, and VPNs are brittle, 25-year-old technology. They weren’t built to scale to the connected world of 2020 and beyond. And using a security approach based on location, instead of identity, is a bad idea. These outdated approaches need to be modernized and recognizing that is the first step,” Hussey said.
“Know what is on your network–there is a time and place for visibility. Knowing what is on your network, what is connected to what and tracking that for anomalies is essential for network modernization. Incorporate Software-Defined Perimeters into your security strategy. By incorporating an SDP strategy, organizations can effectively micro-segment—if the SDP solution is based on identity, not location.”
Darren Guccione, CEO of password security company Keeper Security, said that while no financial information was released in the attack, the exposure of personal information such as email and home addresses gives skilled cybercriminals an open invitation into victims’ inboxes.
“Barnes & Noble customers that may have been impacted should be on high alert. It’s imperative they assess every email that reaches them for suspicious or malicious content—especially now that these cybercriminals likely know where to physically find them,” Guccione said.
“Having access to a person’s email address as well as their home address is the first step to deploying a successful social engineering attack—something U.S. companies have seen a 63% jump in since the start of the pandemic. The more they know about you, the easier and more pervasive a target you become.”
One cybersecurity expert, Point3 Security vice president Chloé Messdaghi, noted that the Barnes & Noble email to customers was strange because it did not ask people to change their passwords.
She said it was helpful that the company informed customers that their payment information was encrypted and not exposed, but said she wished the company provided people with more guidance about how to move forward.
“Barnes & Noble members should be advised to change their account passwords, and they should also be advised to be extra cautious and in fact suspicious moving forward because their billing, shipping, email and phone number can all be used in phishing attacks against them,” Messdaghi said.
“For example, a consumer might get a message saying ‘Thank you for your previous order, we have unintentionally overcharged you and would like to issue a refund. Please reconfirm your payment data,’” she explained.
Consumers may also be on the receiving end of other scams because of the breach, Messdaghi said, describing potential SMS phishing scenarios. Barnes & Noble customers may get text messages claiming to be from a bank, falsely confirming a large transfer of funds and providing a phony number to call if the fraudulent transfer wasn’t authorized, she said.
“It’s so much easier to continually upskill cybersecurity professionals and train users to ward against these attacks than it is to clean up after them,” she added.