NetGalley breach: Publishing industry website forces password reset after ‘security incident’

Adam Bannister, 24 December 2020 at 16:53 UTC

Latest update: 24 December 2020 at 16:57 UTC

The attackers damaged the home page and accessed a database backup file containing passwords

NetGalley – a website that gives reviewers access to new titles ahead of publication – has warned users of a data breach that may have exposed their passwords and other personal information.

“What initially seemed like a simple corruption of our homepage, further investigation resulted in unauthorized and illegal access to a backup of the NetGalley database,” the company said in a data breach notice released yesterday (December 23).

As of yesterday, users must reset their passwords before they can access their NetGalley accounts.

Publishing imprint

NetGalley said the compromised backup file contains user profile information, including login details and passwords, first and last names, email addresses, and countries.

Where users had supplied them, the file also contained postal addresses, telephone numbers, dates of birth, company names, and Kindle email addresses.

“Currently, we have no evidence of the exposure of any of this data, but at this stage we cannot rule out the possibility,” the breach notice said.

[Image caption: The NetGalley website was apparently crashed as part of the same incident]

The Daily Swig has contacted NetGalley for clarification on whether all user profiles, or only some of them, were exposed; we will update this article if and when we receive a response.

The company said no financial information, such as bank account numbers or credit cards, was disclosed.

The company also said that “some profile photos” were accessed from the system.


NetGalley said the breach occurred on Monday (December 21). “Once we found the cause of the violation, we were able to rule it out within an hour of the violation being determined,” it said.

In response to the attack, the company said it had “re-secured” its test sites, updated its security protocols, “revised” its “database backup process”, and “changed any inherited passwords that had access to any NetGalley system or data”.

Numerous NetGalley users have taken to Twitter to criticize the company for what they assumed was the storage of passwords without encryption.

Stolen usernames and passwords are often used in automated ‘credential stuffing’ attacks against the login pages of unrelated sites, a tactic that works because many users reuse the same password across multiple accounts.
