SFWA Members-Only Directory Info Exposed

Science Fiction and Fantasy Writers of America (SFWA) notified members today that someone using SFWA membership credentials has accessed the members-only directory, copied the member-facing data, and released it publicly.

The announcement understandably did not say specifically where the data had been published.

We recently became aware that someone using SFWA membership credentials logged into our members-only directory and ran a specialized script to scrape the directory of any member-facing data. This would have been anything you chose to share with your fellow SFWA members including email, telephone, websites, social media accounts, and mailing addresses in your member profile. Members who opted out of sharing information in the directory were not affected.

The individual who scraped these profiles has since released them publicly. Upon becoming aware of this release, we immediately removed all member access to the directory. 

No financial data, confidential, or legal information was scraped from the directory as those have always been set to “no access” by our admins or held in entirely different places within our infrastructure. 

SFWA has taken the matter to appropriate authorities, however, the organization’s announcement implies they do not know which specific member login was associated with the data-scraping event.

The SFWA Board of Directors has launched an investigation and will be working with multiple agencies to find which member login was used and when. We have narrowed down the dates to a specific range and will be forwarding that on to the appropriate authorities. 

We have removed access to the SFWA membership directory entirely and are looking at a better solution to help facilitate communication between members. 

Meanwhile, members have been requested to share with SFWA unsolicited messages and other contacts they receive that may relate to the misuse of directory information.

If you receive any unsolicited or harassing text messages, emails, phone calls, website comments, or physical mail, please forward any information you are willing and able to share about these, including screenshots of text or social media messages, pictures or scans of physical mail, to directory@sfwa.org as these may assist us in our investigation.

We recommend that you do not engage with anyone questionable who tries to interact with you via social media or sends you unsolicited communications. Mute and block these senders without responding. If unsolicited communications escalate further, we recommend contacting your local authorities to create a record of the harassment.

Members have also been advised to change the password to their SFWA membership. And the organization says, “once useful tools such as our membership directory need to be reevaluated in light of the ongoing struggle to control our own personal data on the internet.” 

23 thoughts on “SFWA Members-Only Directory Info Exposed

  1. When I was in college the faculty advisor for our SF club was a member of SFWA and he let us use his directory for inviting guests to our convention. Back then it was a hardcopy booklet mailed to members. Maybe it’s time to go back to that method.

  2. You can’t hack paper. You can xerox it, but physical access is needed.

  3. I hope someone’s looking for access patterns in their web server logs that look suspicious. This kind of access generally leaves a pretty distinctive pattern to it, and that might point to who did it.

  4. Walt Boyes on May 21, 2022 at 6:55 pm said:
    I’ve been a member of SFWA for at least 15 years, and I never get any mail from them anymore. I must be an outcast.

    Hi Walt,

    I checked and it looks like your email account is refusing delivery of SFWA emails. I wonder if you have an alternate email account, and if so, we could update your account address and see if that might help? Contact office@sfwa.org if you’d like us to change your email address.

  5. When I joined HWA, I realized the directory was a wonderful resource because I could contact professionals. But I didn’t because I didn’t want to be a boor. I also knew that abusing that information was awful behavior.

    Bad actors like this are going to make members less likely to put their information on directories like this. Organizations might also decide to take down their online directories.

    BTW tthis is the only place where I’ve seen much discussion about this. Was the announcement members-only?

    Even on Twitter, I found one thread where several members hadn’t been told.

  6. I didn’t realize that those directories are considered confidential. I have one that’s 10 or 12 years old and I saw a copy of the 2007 directory and a HWA directory for sale on a Dealer’s table at some convention last year. Those things do get around a little.

  7. Around the time Vox Day was being kicked out of SFWA he showed on his blog screencaps he’d taken of the online index to the SFWA members directory to illustrate that he had made a copy of the whole thing and he threatened to post the contents. That memory came to mind when I read the notice — I don’t think it’s him, but that would be the kind of mentality at work here.

  8. It would never have occurred to me to do that. It’s a complete dick move. Fan or Pro, we are all part of the science fiction community, and you just don’t treat your community that way.

  9. I hope someone’s looking for access patterns in their web server logs that look suspicious. This kind of access generally leaves a pretty distinctive pattern to it, and that might point to who did it.

    True, but someone with ill intent might have used a VPN to hide their IP information.

  10. SFWA recently changed their membership requirements, so a lot of people qualified who did not qualify under the old rules. It is quite possible that one of these new members is a bad actor, though maybe not as high profile as VD or JDA.

    Anyway, I am glad that I did not get around to applying for membership yet, so my details have not been leaked.

  11. Wow this is a new low. Mike, where did the quoted excerpts you included come from? a SFWA email, a post? How did they notify members? I didn’t notice anything immediately on their website. Not on the Blog, at least.

  12. Pingback: Some Thoughts on the 2021 Nebula Award Winners – and Two SFWA Uproars | Cora Buhlert

  13. I’ve still got several of my SFWA Directories—and ones for the Horror Writers, Association of SF Artists—back from when they were on paper. I haven’t been a SFWA member (I was an Associate) since I think 2002. I used to have a whole bunch of other SFWA stuff, but I gave it all to Peter Heck and other now-former SFWA Secretaries a couple of decades ago.

    The used to have good artwork on the covers, too!

    The SFWA Directories were extremely useful, with names, addresses, phone and fax (!) numbers, and e-mail e-dresses, too. Still around here, somewhere…

  14. Pingback: HWA Sends Members Email Scam Alert | File 770

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.