Strange story.
probably an inside job
If B&N can't prove that their web site was hacked, they just made the Swift Boat Vets rich!
This almost has to be an inside job. If the B+N site had this vulnerability, it would have been exploited many times over by now. The HTML is rendered by a web server. You would have to have access to the file system where this image is stored and replace it with the phoney.
Anything is possible. But, as with most crimes, look inside the family first; they always have the best opportunity. I suspect someone will get the opportunity to update their résumé over this.