On December 23, 2020, the advance book review site NetGalley sent a message to its members informing them that the NetGalley login data for members had been compromised:
Notification of Data Security Incident – December 23, 2020
Dear NetGalley Member,
It is with great regret that we inform you that on Monday, December 21, 2020 NetGalley was the victim of a data security incident. What initially seemed like a simple defacement of our homepage has, with further investigation, resulted in the unauthorized and unlawful access to a backup file of the NetGalley database.
It is with an abundance of caution that we wanted to let you know this incident may have exposed some of the information you have shared with NetGalley.
The backup file that was impacted contained your Profile information, which includes your login name and password, name and email address. Also, if supplied by you, your mailing address, birthday, company name, and Kindle email address. We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility. We expect that you may have many additional questions – below are the questions we would have if we received this email.
I’ve had a NetGalley account for 6 years. On December 21, I received a notification from Google that someone had attempted to access one of my Gmail accounts using my password. Fortunately, I had 2-factor identification enabled on that account, which meant that any login attempt from a new device would require me to confirm with a 6-digit verification code sent to my cellphone. Apparently, after no verification code was entered within a certain period of time, Google had decided that it was an incident of a compromised password, and I was prompted to change that password immediately.
I wracked my brain for any other websites where I might be using that e-mail address/password combination, and came up with only one. I immediately changed my password on that site, and enabled 2-factor authentication on a couple of other different Gmail accounts, but I was mystified as to how my password had been obtained. Then 45 minutes ago I received this e-mail notification from NetGalley – and realized that I had forgotten that I was using that same login combination on that site, too.
If you are a NetGalley member, you need to go change your password there now. If you discover that you are unable to do so, the notification message linked above contains information on how to contact them to resolve the problem. And if you have any logins at any other websites using the same e-mail address/password combination as your NetGalley account, you will need to go change that login information immediately.
I also encourage you to consider enabling 2-factor authentication on any websites which enable that capability. It saved me from a great deal of grief here, and is well worth the extra effort. And I know that it’s a huge pain to have to use different passwords for different sites (as I mostly do these days), but it’s something you can do to protect yourself further.
If you have used NetGalley to obtain works from the Hugo Voter Packet, you will be affected by this.