NetGalley Member Login Data

On December 23, 2020, the advance book review site NetGalley sent a message to its members informing them that the NetGalley login data for members had been compromised:

Notification of Data Security Incident – December 23, 2020

Dear NetGalley Member,

It is with great regret that we inform you that on Monday, December 21, 2020 NetGalley was the victim of a data security incident. What initially seemed like a simple defacement of our homepage has, with further investigation, resulted in the unauthorized and unlawful access to a backup file of the NetGalley database.

It is with an abundance of caution that we wanted to let you know this incident may have exposed some of the information you have shared with NetGalley.

The backup file that was impacted contained your Profile information, which includes your login name and password, name and email address. Also, if supplied by you, your mailing address, birthday, company name, and Kindle email address. We currently have no evidence of the exposure of any of this data, but we cannot at this stage rule out the possibility. We expect that you may have many additional questions – below are the questions we would have if we received this email.

I’ve had a NetGalley account for 6 years. On December 21, I received a notification from Google that someone had attempted to access one of my Gmail accounts using my password. Fortunately, I had 2-factor identification enabled on that account, which meant that any login attempt from a new device would require me to confirm with a 6-digit verification code sent to my cellphone. Apparently, after no verification code was entered within a certain period of time, Google had decided that it was an incident of a compromised password, and I was prompted to change that password immediately.

I wracked my brain for any other websites where I might be using that e-mail address/password combination, and came up with only one. I immediately changed my password on that site, and enabled 2-factor authentication on a couple of other different Gmail accounts, but I was mystified as to how my password had been obtained. Then 45 minutes ago I received this e-mail notification from NetGalley – and realized that I had forgotten that I was using that same login combination on that site, too.

If you are a NetGalley member, you need to go change your password there now. If you discover that you are unable to do so, the notification message linked above contains information on how to contact them to resolve the problem. And if you have any logins at any other websites using the same e-mail address/password combination as your NetGalley account, you will need to go change that login information immediately.

I also encourage you to consider enabling 2-factor authentication on any websites which enable that capability. It saved me from a great deal of grief here, and is well worth the extra effort. And I know that it’s a huge pain to have to use different passwords for different sites (as I mostly do these days), but it’s something you can do to protect yourself further.

If you have used NetGalley to obtain works from the Hugo Voter Packet, you will be affected by this.

10 thoughts on “NetGalley Member Login Data

  1. Thanks for this. I have been a NetGalley member since 2012 (my profile tells me), and I did not receive any information about this breach. (I regularly check my spam too because Gmail can be too aggressive with its filters — except when it occasionally lets obvious spam through.) When I went there after seeing this, I was immediately required to update my password upon signing in. I have been using unique passwords everywhere for many years now though.

  2. Just got the email a few minutes ago; posted in the regular pixel scroll. (Then I saw this thread. Oops. Still, I suppose that it doesn’t hurt to have the notification in more than one place.)

  3. @GiantPanda: well they don’t actually say the passwords were stored as plain text, but I’m sure that you are right as they would otherwise be reassuring everyone that they were salted and encrypted using a strong encryption scheme.

    The lessons from this seem to be the normal ones: you can’t trust any organisations you deal with to keep your data safe, always use 2 factor authentication for important accounts like Google and never, never re-use passwords (unless you have a “throw away” one for accounts you don’t care about and will probably never visit again). As normal, most users will ignore such security advice until it comes back to bite them (possibly because the best solution is to get a password manager and update all your accounts to have unique and strong passwords and this can be quite an effort given the number of accounts one has now).

  4. Thanks for the heads up, @JJ!

    I never got a notification of this, despite having an account there. Nothing in my spam filter from them, either. I wonder if it was an old backup or did it not include all accounts or something. (My spam filter’s very good; few false positives and I always check it closely just in case.) Huh. Anyway, off to check/change passwords.

    And ditto on the OMG they store passwords as plain text?! (Clearly. Ahem, so to speak.)

    ETA: It says I’ll get a password change prompt on login, but I didn’t. I got a notice and link about the breach is all. Their page doesn’t give me warm fuzzies about what they’re doing (e.g., changing how passwords are stored).

Comments are closed.