Cyber Incident Victim: NetGalley
Date: Dec 2020
Location: United States of America
Summary
NetGalley experienced a cybersecurity incident involving unauthorized access to its systems, initially detected through website defacement before further investigation revealed compromise of a database backup containing member information. The breached data included login credentials, names, email addresses, and optional details such as mailing addresses, birthdates, company affiliations, and Kindle email addresses, though no financial data was stored. The company mandated password resets for all users following the breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On December 21, 2020, NetGalley, a platform facilitating digital book promotion between publishers and industry professionals, experienced a cybersecurity incident involving unauthorized access to its systems. The breach initially manifested as a defacement of the website’s homepage, indicating a surface-level compromise. Subsequent forensic analysis revealed a more significant intrusion, with threat actors gaining access to a backup file of the site’s database. NetGalley confirmed the incident three days later on December 24, characterizing it as an "unauthorized and unlawful" data security event. The compromised database contained member registration details, including mandatory fields such as login credentials (usernames and passwords), full names, and email addresses. Optional user-provided information—such as mailing addresses, birthdates, employer names, and Kindle email addresses—also resided in the backup and could have been exposed. The company explicitly stated no financial data was stored in the affected systems, limiting the breach’s scope to personally identifiable information and authentication credentials.

In response to the incident, NetGalley mandated a password reset for all users upon their next login attempt to invalidate potentially compromised credentials. The breach advisory did not specify whether stored passwords were protected through cryptographic hashing, leaving uncertainty regarding the ease with which attackers could exploit them. Impacted members faced heightened risks of credential-stuffing attacks across other online services if they reused NetGalley passwords elsewhere. The company’s public disclosure emphasized the defacement as the initial indicator but did not elaborate on intrusion detection methods, attacker origins, or full containment timelines beyond confirming database access. No information was provided regarding the number of affected accounts or forensic evidence suggesting data exfiltration. The operational consequence centered on forced password resets and user notifications advising vigilance against reuse-related compromises.
