Dymocks Booksellers is warning customers their personal information was exposed in a data breach after the company’s database was shared on hacking forums.
Dymocks is a bookstore chain operating 65 stores in Australia, New Zealand, and Hong Kong, and also an online shop that sells printed books, e-books, stationery supplies, games, and digital media.
On September 6th, 2023, the company was informed by Troy Hunt, the creator of the data breach notification service ‘Have I Been Pwned’ (HIBP), that its customer data had been stolen, after a threat actor released it on a hacking forum.
In a notice posted to Dymocks’ website, the book retailer explains that it has found no evidence that its own computer systems were penetrated and that it is currently investigating a potential security breach at third-party partners.
As a result, how the data was obtained, the duration of unauthorized access, the extent of malicious activity, and the exact scope of this incident’s impact remain unclear.
The investigation carried out by Dymocks and contracted experts has so far confirmed that the following types of customer information have been compromised:
- Full name
- Date of birth
- Email address
- Postal address
- Membership details (gold expiry date, account status, account creation date, card ranking)
Dymocks clarified that it does not store customer financial information, so no such details have been exposed.
Have I Been Pwned has confirmed that the data leaked online consists of 1.2 million user records for 836,120 unique Dymocks accounts.
All relevant authorities have been notified about the incident, and Dymocks is currently working towards completing its investigation and implementing additional security measures to prevent such incidents from occurring in the future.
Also, Dymocks assures clients that it is still safe to make purchases on its online shop. However, it recommends that users change their account password.
Data already widely circulated
Troy Hunt reports that Dymocks customer data has been circulated in various Telegram channels and hacking forums since at least June 2023.
This means cybercriminals have had plenty of opportunity to exploit the leaked dataset in phishing and scamming attacks targeting the bookstore’s clients.
BleepingComputer has found a post, dated September 3rd, 2023, on one of the latest reboots of the BreachForums hacking forum, offering access to the stolen database to other forum members for a few dollars.
What Dymocks customers should do
While it does not appear that passwords were exposed in the Dymocks data breach, it is strongly advised that users change their passwords on the site to be safe.
Furthermore, if the same password was used at other sites, it should also be changed there.
When changing your passwords, use a unique and strong password at every site so that a data breach does not affect your account at other companies.
A password manager can make it much easier to use unique passwords at every site and is highly recommended.
Finally, as this data was essentially released for free, Dymocks customers should be on the lookout for emails asking for credit card or login information, as these could be targeted phishing scams resulting from this data breach.