NetGalley discloses data breach after website was hacked


The NetGalley book promotion site has suffered a data breach that allowed threat actors to access a database with members' personal information.

NetGalley is a website that allows authors and publishers to promote digital review copies of their books (galleys) to book advocates, influential readers, and industry professionals in the hopes that they will recommend the books to their audience.

On Monday, December 21st, NetGalley's website was hacked and defaced. After further investigation, it was determined that the threat actors had also accessed a backup of the site's database containing members' data.

"It is with great regret that we inform you that on Monday, December 21, 2020 NetGalley was the victim of a data security incident. What initially seemed like a simple defacement of our homepage has, with further investigation, resulted in the unauthorized and unlawful access to a backup file of the NetGalley database," NetGalley disclosed in a data breach advisory.

This backup database included NetGalley members' personal information, including their login name, password, name, and email address. Other optional information that could have been in the database includes users' mailing address, birthday, company name, and Kindle email address.

NetGalley states that there was no financial information stored in the database. In response to the breach, NetGalley requires all users to reset their password when they next log in.

BleepingComputer has reached out to NetGalley with questions on whether the passwords were hashed in the database but has not heard back.