Dymocks Buyer Data Could Land on Darknet Shelves

Dymocks Bookstores Warns Customers About Personal Data Breach

Dymocks bookstores has issued a warning to its customers after their personal information was disclosed due to a data breach. The incident came to light when the company’s database was discovered on hacker forums. Dymocks operates 65 stores across Australia, New Zealand, and Hong Kong, in addition to its online store which sells printed and e-books, stationery, games, and educational products.

Troy Hunt, the founder of ‘Have I Been Pwned’, a service that monitors such incidents, informed Dymocks about the breach on September 6, 2023. Dymocks has stated that its internal security systems were not compromised. However, it is still unclear whether the breach occurred through a partner organization.

The following information is believed to have been stolen:

  • Full name
  • Date of birth
  • Email
  • Mailing address
  • Gender
  • Membership details (Account status, creation date, and level of privileges on the client’s card)

Dymocks representatives have clarified that customers’ financial data is not stored in electronic databases and therefore remains secure. The ‘Have I Been Pwned’ service has confirmed that 1.2 million records belonging to 836,120 unique Dymocks accounts were accessed during the breach.

The relevant authorities have already been notified about the incident, and Dymocks is currently conducting an investigation. The company has assured its customers that it is taking all necessary measures to enhance the security of its online store.

Troy Hunt, the founder of ‘Have I Been Pwned’, has revealed that the customers’ data has been circulating on various Telegram channels and hacker forums since at least June. This suggests that the stolen information may have already been used for phishing attacks or other fraudulent activities.

Although passwords were not exposed, users are strongly advised to change their passwords as a precautionary measure. If the same password was used on other websites, it is recommended to change it there as well. Customers are also urged to exercise caution when receiving emails requesting credit card or account information.
