This year, NetGalley, the website that provides advance e-copies of books to reviewers, sent its season’s greetings in a different tone. In an email to its users before Christmas Eve, the company declared: “It is with great regret that we inform you that on Monday, December 21, 2020 NetGalley was the victim of a data security incident.”

According to the company’s advisory, “What initially seemed like a simple defacement of our homepage has, with further investigation, resulted in the unauthorized and unlawful access to a backup file of the NetGalley database.”

The database in question included sensitive user information, including usernames and passwords, names, email addresses, mailing addresses, birthdays, company names, and Kindle email addresses.

Unfortunately, many users took to social media and started discussing the incident without thinking about what they were putting up for everybody to see. And in their haste to be the first to tweet about the breach, many users made terrible mistakes, which could further compromise their security.

The following is perhaps the worst way to tweet about the incident. The user admits using his NetGalley password for several other accounts.


While that tweet might have been a joke, this next one certainly isn’t. The user posted an image of the NetGalley notification email that contained her full name (covered in image). Since the Twitter account name is pseudonymous, the user just revealed the full name of the person behind it.


There were other milder tweets, in which users admitted that their NetGalley account wasn’t under their real name. Less alarming tweets were by users who admitted they had a NetGalley account, and they had just learned of the hack and had either changed their password or deleted their accounts.

At first glance, many of these tweets might look harmless because NetGalley doesn’t store very sensitive information such as bank account and credit card data. But the NetGalley breach was already bad, to begin with.

When disclosing security breaches, most companies clearly state the measures they have taken to protect users’ data. For instance, many organizations quickly point out that leaked passwords were encrypted or hashed, which makes it hard (but not impossible) for the attackers to access the accounts. There is no mention of encryption in either the original notification or the updated version published on NetGalley’s website on Sunday, which suggests the hacked database stored user passwords and other information in plain text.
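To make the plain-text versus hashed distinction concrete, here is an added example (not code from the article or from NetGalley) that contrasts a credential store keeping the password verbatim with one keeping a salted PBKDF2-SHA256 hash. The sample password, the iteration count and the record format are constructed for the demo and are assumptions, not anything taken from the breached database.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample value for illustration only; not NetGalley data.
SAMPLE_PASSWORD = "correct horse battery staple"

# Assumed work factor for the demo; production deployments tune this higher.
ITERATIONS = 200_000


def store_plaintext(password: str) -> str:
    """Weak design: the record a plain-text store persists is the password itself."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened design: random per-user salt plus a slow key-derivation function.

    Returns a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'
    so the verifier can recover the parameters later.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh salt per record defeats shared rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))
    except ValueError:
        # Malformed record (wrong field count, bad hex or iteration count): never a match.
        return False


def leaked_record_reveals_password(stored: str, password: str) -> bool:
    """What someone holding a dumped record learns directly from it."""
    return stored == password


if __name__ == "__main__":
    plain = store_plaintext(SAMPLE_PASSWORD)
    hashed = hash_password(SAMPLE_PASSWORD)
    print("plain-text record leaks password:", leaked_record_reveals_password(plain, SAMPLE_PASSWORD))
    print("hashed record leaks password:    ", leaked_record_reveals_password(hashed, SAMPLE_PASSWORD))
    print("login with correct password:     ", verify_password(SAMPLE_PASSWORD, hashed))
    print("login with wrong password:       ", verify_password("not it", hashed))
```

The point the article makes is visible in the two records: a dump of the plain-text store hands over every password immediately, while a dump of the hashed store forces an attacker to guess each password and pay the iteration cost per guess, which is why a breach notice normally says which of the two it was.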

On December 23, when NetGalley sent the first advisory, the company invalidated all login credentials and notified users that they will have to reset their passwords the next time they try to log in. But by then, the damage had already been done. The hackers defaced the website on December 21, as users had pointed out on Twitter and the company admitted in the advisory. And there’s nothing to prove they didn’t have access to the data much sooner.