Dear NetGalley Member,
It is with great regret that we inform you that on Monday, December 21, 2020 NetGalley was the victim of a data security incident. What initially appeared to be a simple defacement of our homepage turned out, on further investigation, to involve unauthorized and unlawful access to a backup file of the NetGalley database.
Out of an abundance of caution, we want to let you know that this incident may have exposed some of the information you have shared with NetGalley.
The backup file that was accessed contained your Profile information, which includes your login name and password, name and email address, and, if you supplied them, your mailing address, birthday, company name, and Kindle email address. We currently have no evidence that any of this data has been exposed, but we cannot at this stage rule out the possibility. We expect that you may have many additional questions. Below are the questions we would have if we received this email.
Please be assured that we take the security of our members' information very seriously and we sincerely regret that this incident occurred. We immediately reviewed our security standards and have implemented further measures to protect your data. The next time you sign in you will be prompted to change your password.
We appreciate your understanding, and thank you for your support. Please do not hesitate to contact us if you have other concerns. We wanted to provide you with this information as soon as possible, but like most companies, our team will be offline during the holidays. We will be available to answer your questions on December 28th. We hope you have a wonderful holiday.
The NetGalley Team
Questions you may have:
Was any personal information exposed?
It is possible that your NetGalley Profile information was exposed as a result of this incident. This information includes your login name and password, first/last name, email address, and country, and, if you supplied them, your Bio, mailing address, phone number, birthday, company name, and Kindle email address.
Does NetGalley store or process any financial data?
No. NetGalley does not store bank account numbers, credit card numbers or any other financial information, so none was exposed.
Were the passwords used on NetGalley protected?
Passwords were not stored in plain text; they were stored as hashes computed with a per-user "salt" value. A salted hash cannot be reversed to read the password directly, and the salt prevents precomputed lookup tables, but an attacker holding the hashes can still guess passwords offline, so weak or reused passwords remain at risk. As part of our response we have changed our password storage to a stronger hashing algorithm. All passwords set on or after December 23, 2020 use the new method.
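To make the paragraph above concrete, here is an added example (not NetGalley's code; the notice does not disclose which algorithms were used) of the three things it describes: a fast salted hash of the kind a legacy system might have used, a slow password-hashing function standing in for the "new method", and the sign-in path that verifies a stored hash and rehashes legacy records. It also shows why a salt alone is not enough: an attacker with the backup file can still guess weak passwords offline. Scheme names, the iteration count and the sample record are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Assumption for this example: PBKDF2-HMAC-SHA256 stands in for the undisclosed
# "new method". 200,000 iterations keeps the demo quick; production should use a
# higher count (or Argon2/scrypt) tuned to the server's hardware.
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str, salt: bytes) -> str:
    """Single-round salted SHA-256 (assumed legacy scheme).

    The salt defeats precomputed tables, but one SHA-256 per guess is so cheap
    that an attacker with the backup can test billions of candidates offline.
    """
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"sha256${salt.hex()}${digest}"


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt (assumed new scheme).

    The iteration count makes each guess deliberately expensive; the count is
    stored with the hash so it can be raised later without breaking old records.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2$sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either stored format, in constant time."""
    scheme, rest = stored.split("$", 1)
    if scheme == "sha256":
        salt_hex, _digest = rest.split("$")
        candidate = legacy_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored)
    if scheme == "pbkdf2":
        _alg, iters, salt_hex, digest = rest.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), digest)
    raise ValueError(f"unknown password scheme: {scheme}")


def login_and_upgrade(record: dict, password: str) -> bool:
    """Sign-in path: verify, and if the record still uses the legacy scheme,
    rehash it with the new one while the plaintext is available."""
    if not verify(record["password_hash"], password):
        return False
    if record["password_hash"].startswith("sha256$"):
        record["password_hash"] = modern_hash(password)
    return True


def offline_guess(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker does with a leaked backup: try candidates offline.
    Returns the first password that matches, or None."""
    for guess in wordlist:
        if verify(stored, guess):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample record, not real member data.
    user = {"login": "reader42",
            "password_hash": legacy_hash("summer2020", os.urandom(16))}
    print("guessed:", offline_guess(user["password_hash"],
                                    ["password", "letmein", "summer2020"]))
    login_and_upgrade(user, "summer2020")
    print("scheme after sign-in:", user["password_hash"].split("$")[0])
```

Rehashing on sign-in only migrates members who actually log in, because the slow hash needs the plaintext password. That is why a forced reset, as announced for December 23, is the way to move every account to the new method at once and to retire any hash that may have been copied.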
Was any of my information lost?
Fortunately the loss of information was minimal: some Profile photos were deleted from the NetGalley system. These are easily replaced within your NetGalley Account (click here for instructions).
What has NetGalley done to ensure the breach is secured?
Once we identified the cause of the breach, we shut it down within an hour. We re-secured our testing sites and updated our protocols to ensure their security going forward. We also:
- Immediately reviewed our security standards and implemented further measures to protect your data; the next time you sign in you will be prompted to change your password.
- Revised our database backup procedure to ensure this data is never again exposed.
- Changed all legacy passwords that granted access to any NetGalley systems or data.
What are NetGalley’s future plans with regards to security?
- We are continuing to investigate this incident and ensure that no further damage is incurred.
- We are requiring that anyone with an account change their password, as of December 23, 2020.
- Please read more about NetGalley Security Updates here.
What steps can I take?
To better protect your account security, NetGalley is requiring all members to reset their passwords. Starting December 23rd, you will be required to reset your password before signing in to your NetGalley account. If you used your NetGalley password on any other site, change it there as well, since a password recovered from the backup file could be tried against other accounts.