Ouch! Security expert writes book about hackers, then his publisher is hacked

Award-winning investigative reporter Brian Krebs has a book coming out next month called “Spam Nation”, exploring the underbelly of the cybercrime world.

It’s bound to be a brilliant book because, well... frankly, everything Krebs does is brilliant.

But if you’re one of the eager followers of Krebs’ blog who has pre-ordered his book, or other products, from his publisher Sourcebooks then you may want to keep a close eye on your credit card statements.

Because, in a twist of immense irony, Brian Krebs’ publisher has been hacked.

Details of the security breach arrived via a blog post from Brian Krebs, which linked to a disclosure made by the publishing firm to the California Attorney General’s office.

Sourcebooks recently learned that there was a breach of the shopping cart software that supports several of our websites on April 16, 2014 – June 19, 2014 and unauthorized parties were able to gain access to customer credit card information. The credit card information included card number, expiration date, cardholder name and card verification value (CVV2). The billing account information included first name, last name, email address, phone number, and address. In some cases, shipping information was included as first name, last name, phone number, and address. In some cases, account password was obtained too. To our knowledge, the data accessed did not include any Track Data, PIN Number, Printed Card Verification Data (CVD). We are currently in the process of having a third-party forensic audit done to determine the extent of this breach.

Disappointingly, there is currently no mention of the security breach on Sourcebooks’ home page, or on its blog – two places where you would expect the firm to take the opportunity to inform and warn its customers.

An examination of Sourcebooks’ website suggests it is running the CS-Cart ecommerce software, although it is unclear whether it was running the same online store code at the time of the security breach.

No details of the precise nature of the vulnerability in the Sourcebooks shopping cart software have been released, but there will no doubt be questions asked as to whether the firm had kept its online store properly patched and configured to deflect attackers.

If your website relies upon third-party code and software then it is essential that you ensure it is doing the very best job possible of securing data – particularly if it might be responsible for protecting the personal information of your customers.

Of course, it’s important to underline that none of this is the fault of Brian Krebs – who has in past blog postings been encouraging his readers to pre-order his book from better known outlets such as Amazon and Barnes & Noble. I bet he’s grateful now that he wasn’t actively pointing people in the direction of his publisher.

He, no doubt, is as disappointed with what has happened as the rest of us.

About the author

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
