The NetGalley book promotion site has suffered a data breach that allowed threat actors to access a database with members' personal information.

NetGalley is a website that allows authors and publishers to promote digital review copies of their books (galleys) to book advocates, influential readers, and industry professionals in the hopes that they will recommend the books to their audience.

On Monday, December 21st, NetGalley's website was hacked and defaced. After further investigations, it was determined that the threat actors also accessed a backup for the site's database containing members' data.

"It is with great regret that we inform you that on Monday, December 21, 2020 NetGalley was the victim of a data security incident. What initially seemed like a simple defacement of our homepage has, with further investigation, resulted in the unauthorized and unlawful access to a backup file of the NetGalley database," NetGalley disclosed in a data breach advisory.

This backup database included NetGalley members' personal information, including their login name, password, name, and email address. Other optional information that could have been in the database includes users' mailing address, birthday, company name, and Kindle email address.

NetGalley states that there was no financial information stored in the database. In response to the breach, NetGalley requires all users to reset their password when they next log in.

BleepingComputer has reached out to NetGalley with questions on whether the passwords were hashed in the database but has not heard back.

What should NetGalley users do?

If you are a NetGalley member, you should immediately log in to the site and change your password.

If you use the same NetGalley password at other sites, you should also change the password at each of those sites to a strong one that is unique to that site.

Using a unique password at every site where you have an account prevents a data breach at one site from affecting you at other websites you use.

It is suggested that you use a password manager to help you keep track of unique and robust passwords at every site.
