Barnes & Noble Customers Urged to Change Passwords After Data Breach

The world's largest brick-and-mortar bookshop, Barnes & Noble, has reported a security breach of its digital platform. The company was made aware of the issue on October 10.

Barnes & Noble customers received an e-mail informing them about the cyber attack. The message from the retailer says "some of the information" the company stores about its customers may have been exposed. Thankfully, no financial data such as bank accounts or credit card numbers was involved in the incident. According to Barnes & Noble, this sort of information is encrypted and tokenized and is not available in a readable format.

The vulnerable part of the retailer's network stored shipping addresses, e-mails and phone numbers provided by customers. As is always the case with similar data breaches, the company stated that they have no direct evidence that bad actors stole any data, but a Barnes & Noble representative said they "cannot at this stage rule out the possibility".

The attack had other effects as well. The company's Nook e-book reader platform was down for several days, with customers unable to access new content or download books. The cash registers in Barnes & Noble brick-and-mortar stores were also unusable for a couple of days.

Some customers are reporting unauthorized purchases made after the data breach. However, those could potentially be users who reuse passwords across their accounts. A password published online as part of a previous leak, combined with the e-mail addresses exposed in the Barnes & Noble breach, could provide credential stuffers with everything they need to get into someone's bank account as well.

What if you are affected?

Of course, the best thing you can do if you have a Barnes & Noble account is to change your password immediately and hope for the best. Additionally, to prevent any tangential damage and security issues with other accounts, always exercise good password practices. This includes never reusing passwords across different services and platforms, and always enabling two-factor authentication if the platform offers that option.

Two-factor authentication is arguably one of the best and easiest-to-implement layers of extra security that a service can offer. It is a bit confusing that there are still so many large platforms with hundreds of thousands of customers that still do not use 2FA, but hopefully this method of protection will see much wider adoption in the future, driven by the large number of high-profile breaches that took place in 2020.

October 20, 2020