SFWA's Inside Job: Member Leaks Directory Data

SFWA's annual Nebula Awards week has been marred by both scandal and controversy; not only was Mercedes Lackey censured for using a racial slur during a panel (and oh, we'll get to that), it's recently come to light thanks to the kids on  SF/F's short bus that  someone with organization credentials "accessed the members-only directory, copied the member-facing data, and released it publicly."

And while SFWA tries to put out this fire, its members are barred from one of the biggest perks that was supposed to make that $100 membership fee worth it. The statement, which does not appear on the organization's website or blog, mentions that their immediate response was to bar everyone access to the directory:

"The individual who scraped these profiles has since released them publicly. Upon becoming aware of this release, we immediately removed all member access to the directory."

At the time of this post, the source of where the data was leaked to has not been revealed. So what's the damage?

What got leaked, what didn't

SFWA's statement stresses that while no financial, confidential or legal data was ever in danger, plenty of information that could potentially be weaponized against its members did get out, like email addresses, phone numbers and social media accounts among them:

"We recently became aware that someone using SFWA membership credentials logged into our members-only directory and ran a specialized script to scrape the directory of any member-facing data. This would have been anything you chose to share with your fellow SFWA members including email, telephone, websites, social media accounts, and mailing addresses in your member profile. Members who opted out of sharing information in the directory were not affected.

The individual who scraped these profiles has since released them publicly. Upon becoming aware of this release, we immediately removed all member access to the directory. No financial data, confidential, or legal information was scraped from the directory as those have always been set to “no access” by our admins or held in entirely different places within our infrastructure."

The Potential Fallout

For all the good any of that will do now. As Cora Buhlert points out, SFWA's made more than a few enemies, and the list of suspects isn't exactly short:

"This is a bad enough in itself and made worse by the fact that we know that there are multiple groups of trolls and bad actors out there who’s sole purpose in life seems to be harassing SFF authors and critics. And the SFWA doxxing has just given those trolls and bad actors more information about existing victims as well as access to other potential victims. In short, this has the potential to be very bad indeed".

Very bad indeed. The coming months could lead to a tsunami of potential problems for SFWA's exposed members; phishing scams, swattings and harassment are just some of the things that are possible with the kind of information that got leaked; whether or not SFWA itself could potentially be on the receiving end of litigation from the resulting damage, if any, remains unclear. For now they're advising members change their passwords and avoid opening suspicious emails claiming to be from them.

If you're reading this and were thinking about joining SFWA, you might want to take a moment to give the IASFA a look; you won't have to surrender any sensitive info beyond an email address, membership is free, and they have lots of resources to help indie authors market themselves and get their stuff out there.

One has to wonder if all those people who voted for the recent downgrade in membership requirements might be regretting their vote right about now?