B&N Closed a 3 Month Old Security Leak Last Weekend
It turns out that I was slightly wrong Monday when I posted about B&N’s expansion plans. Barnes & Noble didn’t actually plan to sell ebooks in South America; they neglected to make sure that their firewall was working.
As you probably know, B&N doesn’t sell ebooks outside the US or Canada. They enforce this rule by checking the IP address of the customer (this can give a good idea of the location). If anyone wants to buy an ebook from outside the US, they generally have to engage in a small amount of tech-jitsu (using a VPN or IP proxy, for example).
I now have evidence that, for at least the months of December 2011 through February 2012, Barnes & Noble wasn’t checking IP addresses.
It took me a few days to reach someone who would go on the record. My original source wasn’t in a position to tell me anything, not even off the record, but I found someone who would.
He works in ebook production at Simplíssimo Livros, the Brazilian digital publishing firm. He confirmed that he bought an ebook from B&N back in December. He was in Brazil at the time, and he reports that he did not have to use any trickery.
I was just clicking and it worked (the book was sold and the download was started). So, in a conversation with a friend, I tried again (in Buenos Aires, that time) and, again: downloaded.
Finally, 3 days ago (I think), my status changed (credit card invalid or something like that) and the books cannot be bought from my nook touch or first edition.
The two books that I acquired were bought without a proxy or any "hacker" thing. The second was bought in a book store with an open network.
Did you catch the part where he could still buy ebooks from B&N as of late last week?
It’s not clear how my original source heard about it, but she did. She tried it and then tweeted about her success. She has since deleted the tweet, so you might not put as much weight on it as I do.
So why is this such a big deal? Well, what looks to you like a few mistaken ebook sales might be contract violations and potentially copyright infringement (it depends on how you look at it). Barnes & Noble doesn’t have the rights to sell ebooks outside the US (with the exception of Canada).
So besides being incredibly sloppy, this incident has the potential of pissing off publishers. Lawsuits would seem unlikely, given that B&N would prefer to settle this matter quietly. But it is still a facepalm moment for B&N.
I have queried B&N on this story, and they issued a denial:
Not sure where you are getting your information, but this is not accurate.
I’ll let you take that as you will.
To be honest, this story is so fantastic I’m not sure anyone is going to believe me. But I am posting this story because I believe my sources.
Update: Please read the comments. This isn’t B&N’s first leak.