Due to a security breach we are resetting all passwords across Mumsnet

(730 Posts)


RebeccaMumsnet (MNHQ) Sat 12-Apr-14 17:32:34

Following the recent security breach related to Heartbleed we are resetting the passwords of all users.

On Saturday 12 April, we will remove all passwords from our system and to use the site, you'll need to reset your password by clicking on the password reset link.

Type in your email address and click the 'Request reset' button and you will receive a mail to your Mumsnet registered email account. (You will need to click on the link in the mail within 30 minutes of receiving it, without changing the device you're using, i.e. swapping from phone to laptop, or you'll need to request a further reset).

If you do not receive a mail, please check your spam folder. The password reset mail will come to the email you used when you first registered with Mumsnet.

If you don't receive or can't access your reset mail, please email contactus@mumsnet.com for help.

We are very sorry for all the fuss. We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the Heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known.

Most importantly, if you use the same password here as elsewhere, we strongly recommend you change your password on the other sites too.

Thanks,

Justine & the MNHQ team

KateSMumsnet (MNHQ) Tue 15-Apr-14 10:39:18

sunbathe

Kate - no. Still logged in!

Ah, sorry we've confused ourselves here. The forced log out would have only happened to those who hadn't done their password reset after the passwords were wiped. So we're guessing you must have done yours sunbathe!

KateSMumsnet (MNHQ) Tue 15-Apr-14 10:47:20

Maryz

Justine, can I ask whether you thanked or banned the person who did the demonstration -caszko I think - both in your name, and on the "Justine's thread" thread.

I think we were all lucky it was brought to our attention, even if it might have been simpler for them to just contact you. Doing it this way we've all had a boot up the arse for internet safety in general.

And no, it wasn't me. I'm a technowuss sad

Hm, the lady doth protest too much methinks wink

Things are all still a bit up in the air (understatement of the century), and we can't be sure whether people who appear to take credit for the hacking were genuine or not, so we're not making any hasty decision.

We do totally see what you mean though, and it does seem that it was done to highlight the problem, rather than to be overtly malicious.

KateSMumsnet (MNHQ) Tue 15-Apr-14 11:02:12

To folks who can't reset, but are able to post here.

Anyone who hadn't reset their password before 13:49 (ish) yesterday would have been forcibly logged out, so you had to reset, else you wouldn't have been able to log in.

Sooo, if you're able to post here, you must have been able to reset your password, hurrah!

However, if you didn't reset your password before yesterday, and you haven't been forcibly logged out, and have just stayed logged in, something has gone wrong - so please shout!

sunbathe Tue 15-Apr-14 11:09:48

Er no. I haven't logged in in months. One long MN session. grin

I couldn't have reset because my MN email is an old one, that's been deactivated through lack of use.

I've emailed you with my new email, asking for help.

sunbathe Tue 15-Apr-14 11:32:35

I am on the mobile site if that makes any difference.

<clueless>

thecatfromjapan Tue 15-Apr-14 11:52:39

I'm in again on the mobile app!

Poor old Minhq.

Paintyfingers Tue 15-Apr-14 11:56:25

I have deleted my account but never received a confirmation email and can still post?

sisterofmercy Tue 15-Apr-14 12:33:04

Yes! It worked. Rather embarrassingly I couldn't remember the correct email login until this morning and I sent all sorts of panicky emails to MUMSnetHQ about the wrong email.... Sorry Tech people.

Lucked Tue 15-Apr-14 12:33:05

Never logged out, never changed my password (link won't work).
I definitely haven't had a forced log out.

JustineMumsnet (MNHQ) Tue 15-Apr-14 12:54:06

nsld

nsld
The bigger concern with this is that if Mumsnet has removed all passwords and is telling people to reset passwords on other sites then this probably means that the passwords were stored in an unencrypted format or the encryption keys for the password files were stored with them.

Either way it's a monumental security error on the part of the site; even with full admin rights the passwords should not be viewable and the database of those passwords should be properly secured.

Given the magnitude of the breach have you reported it to the ICO yet?
==

No, that's not right, our passwords are encrypted but the heartbleed bug allowed access to live login pages (temporarily until we patched the site). We have no way of knowing how many login pages were accessed but obviously more than one was.

===

So if the passwords are encrypted as you say why do a mass delete?

The key questions are:

1: Has someone copied the user list from the site along with the passwords?

2: How good is the level of encryption used?

3: Were the encryption keys compromised?

4: Do you have no form of server logging to see what's happening?

5: Why do you not force https for all connections to your site? As I write this I can see that the connection to your servers is unencrypted.

Hiya,
NobleGiraffe has actually answered a lot of your questions very ably already but by way of further reassurance:

Our passwords are stored in encrypted form in the database, but like most other sites our login form sends the username and password in plain text, wrapped in an encrypted SSL envelope to avoid eavesdropping in transit. When they arrive at our server, the envelope is decrypted. The Heartbleed bug allowed access to this data as it arrived at our server.

The hackers did not copy passwords from the database, they obtained them from the web server’s RAM via Heartbleed - two very different scenarios.

It’s impossible to say how many usernames and passwords were accessed via Heartbleed, but what we can say is that we re-booted all our servers 57 days ago, so we're confident that anyone who hasn't logged in since then wouldn't have been affected by this.

The Heartbleed bug has in fact made us revisit our use of https (SSL) across the site. Previously we only used it on the login page. However we are now in the process of using https on all pages where the user’s password is entered.

We agree that this is best practice and improves the security of the site overall (but let's be clear, not following this practice had no bearing on this security breach).
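Added example, not code from Mumsnet or from any poster: the mechanism Justine describes is the Heartbleed bug in OpenSSL's handling of RFC 6520 heartbeat records. A heartbeat carries a type byte, a two-byte payload_length, the payload and at least 16 bytes of padding; versions before 1.0.1g echoed payload_length bytes without checking that the record actually contained that many, so the reply carried whatever sat next in process memory. The "server memory" below is a constructed byte string holding a just-decrypted login POST, standing in for the heap of a TLS-terminating web server; the username and password in it are made up.

```python
"""Heartbleed in miniature: a heartbeat handler that trusts the
client-supplied payload_length (vulnerable) beside one that checks it
against the record length actually received (the 1.0.1g fix).

Added example; the leaked login data is constructed, not real.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16  # RFC 6520 minimum padding


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request; claimed_length may overstate len(payload)."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING_LEN


def handle_heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: trust payload_length from the wire.

    In C the memcpy runs past the record into the heap. Python slicing is
    bounded by the constructed memory, but everything past the record
    still ends up in the reply, which is the point.
    """
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    echoed = memory[3:3 + payload_len]  # record_len is never consulted
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def handle_heartbeat_fixed(memory: bytes, record_len: int) -> bytes:
    """1.0.1g behaviour: drop the record if type + length + payload + padding
    would exceed the bytes actually received."""
    if record_len < 1 + 2 + PADDING_LEN:
        return b""
    hb_type, payload_len = struct.unpack("!BH", memory[:3])
    if hb_type != HB_REQUEST:
        return b""
    if 1 + 2 + payload_len + PADDING_LEN > record_len:
        return b""  # silently discard, as the patch does
    echoed = memory[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


# Constructed: what a web server holds in RAM right after TLS decryption.
LEAKED_LOGIN = b"POST /Login HTTP/1.1\r\n\r\nusername=alice&password=hunter2"


def simulate(handler) -> bytes:
    """Send a 2-byte payload that claims to be 16384 bytes long."""
    record = build_heartbeat(b"hi", claimed_length=0x4000)
    memory = record + LEAKED_LOGIN + b"\x00" * 64  # heap beyond the record
    return handler(memory, len(record))


def leaks_credentials(handler) -> bool:
    return b"password=" in simulate(handler)


if __name__ == "__main__":
    print("vulnerable leaks:", leaks_credentials(handle_heartbeat_vulnerable))
    print("fixed leaks:     ", leaks_credentials(handle_heartbeat_fixed))
```

Note what the leak reaches: only data the process holds in memory at the moment of the request, never the password database as such. That is why the argument in the thread about rebooting the servers is about what could have been sitting in RAM, and why a site that hashes passwords at rest can still have plaintext credentials exposed at the point where TLS is terminated.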

JustineMumsnet (MNHQ) Tue 15-Apr-14 12:58:10

JustineMumsnet

TigerSmoke

our passwords are encrypted but the heartbleed bug allowed access to live login pages

I haven't actually logged in for months (lurker supreme); does that mean I am safe? I.e. does "live login pages" refer to profiles that have been logged in more recently than I have logged into mine?

Thank you.

I hesitate to post because I'm not 100% on this, but I think it might mean you're safe - then again it's possible something (eg to do with cookies) means you're not. I will check with Tech, but want to reiterate that there's no evidence this hack was done with anything other than the intention to raise awareness at this stage.

Hi again TigerSmoke,
As said, whilst it’s impossible to say how many usernames and passwords were accessed via Heartbleed, we have checked and we re-booted all our servers 57 days ago which would have wiped the memory, so we're confident that anyone who hasn't logged in since then wouldn't have been affected. Hope that helps.

KateSMumsnet (MNHQ) Tue 15-Apr-14 13:30:53

Lucked

Never logged out, never changed my password (link won't work).
I definitely haven't had a forced log out.

Curiouser and curiouser - are you using the app or the site?

PirateJones Tue 15-Apr-14 13:35:08

could it be that people who aren't getting the emails / can’t change the password are the ones still logged in on the app?

MrsUggy Tue 15-Apr-14 14:04:29

With regards to not using HTTPS throughout the site, this means that an attacker can steal the users session cookie.

I highlighted the issues with HTTPS (or the general lack of it on mumsnet) back in 2011. It took years to add even HTTPS and then not everywhere.

sigh

LalaO2014 Tue 15-Apr-14 14:35:42

Changed mine smile finally shocked this has happened........ I keep thinking what can they gain? lol xx

KateSEggMumsnet (MNHQ) Tue 15-Apr-14 15:00:39

MrsUggy

With regards to not using HTTPS throughout the site, this means that an attacker can steal the users session cookie.

I highlighted the issues with HTTPS (or the general lack of it on mumsnet) back in 2011. It took years to add even HTTPS and then not everywhere.

sigh

Hi MrsUggy - we've actually just introduced https on every page that requires you to enter your log in details.

vonnyh Tue 15-Apr-14 15:02:22

Just testing to see if I can still post

momscribe Tue 15-Apr-14 15:10:27

Hello, is it necessary to change the nickname as well ? or it is just okay with the password reset?

MrsUggy Tue 15-Apr-14 15:49:15

This wouldn't prevent an attacker stealing the session id (the rootsess cookie) and posting messages as another user and reading a user's 'inbox' (all the non-https pages basically).

I don't see any good reason why one wouldn't just make the site 100% HTTPS.

nsld Tue 15-Apr-14 16:49:18

cozietoesie Tue 15-Apr-14 08:52:59
But before the coffee.....

nsld

It's wrong to bring the DP registration into play here. I've done innumerable registrations and a quick statement (as you've done) may not bear any relation to the data actually held or processed. The registrations are general statements which aim to encompass all possibilities for a data controller and don't necessarily reflect the holdings or processing of individual organizations.

Best not to quote that again, I think.

========

The registration is accurate and given the information people share both publicly and within private messages I would say it's an accurate reflection of what's contained in the site.

Not sure why you think it's wrong to bring the Data Protection registration into the equation when dealing with a data breach, after all that's what the Data Protection Act is for.

nsld Tue 15-Apr-14 17:14:17

noblegiraffe Tue 15-Apr-14 09:36:56
nsld, I see you've done a bit more reading since your last post.

Yes if the encryption keys were stolen then MN need to generate new encryption keys. All vulnerable websites should be doing this anyway, because of the theoretical possibility that it could have been done.

1. If we know that they have stolen a potentially large amount of unencrypted username and password data using heartbleed, then I don't understand why stealing encrypted login and password data would make the situation any different. We know the login and password data has been compromised, which is why all passwords have been deleted and all users alerted to change their passwords on other websites if the same as MN.

But 4. Do you really think a hacker would hack under their own IP address?

5. I didn't say https made websites vulnerable, I said https made it vulnerable to heartbleed. And it wasn't out of date versions that were the problem, it was the up-to-date versions. If MN had been using a really old version, they'd have been unaffected by this bug.

====

Where to start?

A few posts back and encryption keys were not relevant, now they are? Who knew....

Using Heartbleed was the first step to getting access to the data that's held within the site. The site owner's account has been compromised, which clearly operates at a higher level than an end user's account.

Infiltrating webservers is all about getting a toe in the door, once you do that you can then work your way into areas which in theory should be well protected but in practice often are not.

What is clear is that the site owners either have no idea what has gone on aside from some post hijacking or they do know and they are not saying, either way it's not a good outcome.

Given that companies like Sony and LinkedIn have been caught out storing sensitive information in an unencrypted format and given the comments about the lack of enforced https amongst other things do you really believe that this site is adopting security best practices across the board?

On 1: Getting a list of usernames and passwords plus any other data from a site allows the hackers to run comparisons to other compromised datasets so that usernames and passwords along with other information can be aggregated across multiple sources. This then allows for an increased risk of identity theft the more data points can be aggregated.

4: You miss the point, if an account is logged in from multiple geographies at the same time it suggests the account is compromised, assuming the hacker used something like TOR then they will appear to be overseas whilst the account holder may well be in the UK. Again this comes down to decent server logging on both the end user side but also for internal users.

5: Heartbleed is an openssl vulnerability and you are only vulnerable if you are using openssl, other standards are not affected.

Hopefully this is restricted to a few end user accounts being compromised and nothing else being lifted from the servers but I am not confident that the site owners can tell if this is the case based on what's been said so far.
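Added example, not code from Mumsnet or from any poster: the check nsld describes in point 4, an account that is active from two countries within a few minutes of each other, is a simple pass over access logs once each client IP is mapped to a country. The log format, the usernames and the IP-to-country table below are all constructed; the IPs are RFC 5737 documentation ranges mapped to made-up countries, standing in for a GeoIP lookup. A session arriving via Tor would simply resolve to the exit node's country, which is exactly the mismatch the check is looking for.

```python
"""Flag accounts seen from two countries within a short window.

Added example; log lines and the GeoIP table are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed stand-in for a GeoIP database (documentation ranges only).
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}

# Constructed access-log lines: alice posts from DE four minutes after
# logging in from GB; bob logs in from two countries hours apart.
SAMPLE_LOG = """\
2014-04-14T13:20:01Z user=alice ip=192.0.2.10 action=login
2014-04-14T13:21:45Z user=bob ip=192.0.2.55 action=login
2014-04-14T13:24:10Z user=alice ip=198.51.100.7 action=post
2014-04-14T16:02:00Z user=bob ip=203.0.113.9 action=login
"""


def country_of(ip: str) -> str:
    """Longest-prefix lookup is unnecessary here: the constructed ranges do not overlap."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO.items():
        if addr in net:
            return cc
    return "??"


def parse_line(line: str):
    """Split 'TIMESTAMP key=value key=value ...' into (datetime, user, ip)."""
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields["ip"]


def concurrent_geo_alerts(log_text: str, window: timedelta = timedelta(minutes=30)) -> list:
    """Return (user, country_a, country_b, t_a, t_b) for every pair of events by
    the same account from different countries within `window` of each other."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip = parse_line(line)
        by_user[user].append((ts, ip, country_of(ip)))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        for i, (t_a, _, c_a) in enumerate(events):
            for t_b, _, c_b in events[i + 1:]:
                if t_b - t_a > window:
                    break  # sorted, so nothing later can be inside the window
                if c_a != c_b:
                    alerts.append((user, c_a, c_b, t_a, t_b))
    return alerts


if __name__ == "__main__":
    for alert in concurrent_geo_alerts(SAMPLE_LOG):
        print("ALERT", alert)
```

The window is the tunable part: too short and a genuine traveller or a carrier that hands out IPs from another country never trips it; too long and every account with a VPN user on it does. Whatever the value, the check only works if the logs carry the client IP and a stable account identifier for every authenticated request, not just for the login itself.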

RowanMumsnet (MNHQ) Tue 15-Apr-14 17:24:20

MrsUggy

This wouldn't prevent an attacker stealing the session id (the rootsess cookie) and posting messages as another user and reading a user's 'inbox' (all the non-https pages basically).

I don't see any good reason why one wouldn't just make the site 100% HTTPS.

Tech's take on this is that the theft of rootsess cookies is practically quite difficult/rare (eg the hacker would have to be sharing an insecure wireless connection with a Mumsnet user in the act of exchanging information with the server), so it's outweighed by the very real effects sitewide https would have on user experience, especially slower browsing. It would also make it difficult for us to operate sub-domains like Mumsnet Local on the same server.

nsld Tue 15-Apr-14 17:26:25

jemjabella Tue 15-Apr-14 10:14:21
nsld - if the admin accounts have access to "use FTP to copy across the username and password data" we have bigger problems here than whether or not MNHQ have been hit by heartbleed... but given that this is not the 1990s and the vast majority of tech companies are not stupid enough to allow that sort of access, I'm going to suggest that with all due respect, you're talking out of your bottom. smile

=====

I guess you missed the Sony PSN or LinkedIn data breaches in the recent past then?

What capabilities do you think admin accounts have on a website? after all they are not end users are they?

Using heartbleed is the first step to get in, once they are inside who knows what they could see, do and take?

noblegiraffe Tue 15-Apr-14 18:22:32

nsld: A few posts back and encryption keys were not relevant, now they are? Who knew....

Yes, that's because new information has come to light. The original signs were that encryption keys were most likely safe under Heartbleed, but Cloudflare issued a challenge to hackers to try to steal encryption keys using Heartbleed. It took them nine hours, and the server they were stealing from was rebooted 6 hours in.

As the MN hack was probably not that sustained or intense, and the servers were rebooted 57 days ago, the probability of the encryption key being stolen using heartbleed is very low.

As for once they are inside what they could see, do and take: look at your account details. Mumsnet isn't going to have any more personal information than you have provided.

MrsUggy Tue 15-Apr-14 18:40:13

@RowanMumsnet

I'd think that the ability for an attacker to catch and use a mumsnet users session cookie and use it to read inboxes would be a security concern?

The email from Justine stated "confident Mumsnet is now as safe as we can make it". Also, the privacy policy states... "We are committed to ensuring that your information is secure.". That doesn't match what is visible on the outside...

The excuse of "slower browsing" might have been an issue for HTTPS in 2001, but this is 2014 and Facebook et al seem to manage it well. It's certainly not "as safe as we can make it".

Where there is HTTPS on Mumsnet, the implementation is (IMO) shoddy, given the amount of 3rd party non-HTTPS content (Mixed mode). This page gives a nice description of why mixed mode is bad. arstechnica.com/business/2011/03/https-is-great-here-is-why-everyone-needs-to-use-it-so-ars-can-too/

Just my opinion, but if this were my site, I'd be spending time getting it HTTPS everywhere and tidying up some of the 3rd party crud that gets loaded in, that probably makes things slower anyway.

Security issues aside, I love the content. :-)
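Added example, not code from Mumsnet or from any poster: the three weaknesses MrsUggy raises across this exchange (a session cookie sent over plain http, no forced HTTPS, and mixed content on the pages that are HTTPS) can each be checked from a single response without touching the server. The headers and HTML below are constructed; the cookie name rootsess is the one named in the thread, the hostnames are made up, and header names are assumed lower-cased with set-cookie held as a list, as most HTTP client libraries expose them.

```python
"""Transport hygiene audit for a site that only uses HTTPS on some pages:
is the session cookie marked Secure (and HttpOnly), is HSTS sent, and does
an HTTPS page load scripts, frames or stylesheets over plain http.

Added example; responses are constructed.
"""
import re

# Active mixed content: script, iframe and link (stylesheet) sources over http.
ACTIVE_MIXED = re.compile(
    r'<(?:script|iframe|link)\b[^>]*?\b(?:src|href)="(http://[^"]+)"', re.I
)


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Attr; Attr=val' into name, value and lower-cased attrs."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for p in rest:
        k, _, v = p.partition("=")
        attrs[k.lower()] = v or True  # flag attributes carry no value
    return {"name": name, "value": value, "attrs": attrs}


def audit_response(headers: dict, body: str, session_cookie: str = "rootsess") -> list:
    """Return a list of findings; an empty list means the checks all passed."""
    findings = []
    for sc in headers.get("set-cookie", []):
        c = parse_set_cookie(sc)
        if c["name"] != session_cookie:
            continue
        if "secure" not in c["attrs"]:
            findings.append(f"{session_cookie} lacks Secure: sent on every plain http page")
        if "httponly" not in c["attrs"]:
            findings.append(f"{session_cookie} lacks HttpOnly: readable by injected script")
    if "strict-transport-security" not in headers:
        findings.append("no Strict-Transport-Security: a first visit can be kept on http")
    for url in ACTIVE_MIXED.findall(body):
        findings.append(f"active mixed content over http: {url}")
    return findings


# Constructed responses: the weak one mirrors what the thread describes,
# the hardened one is what the same page should send.
WEAK_HEADERS = {"set-cookie": ["rootsess=2f9c1a; Path=/"]}
WEAK_BODY = '<html><head><script src="http://ads.example.net/tag.js"></script></head></html>'

HARD_HEADERS = {
    "set-cookie": ["rootsess=2f9c1a; Path=/; Secure; HttpOnly"],
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}
HARD_BODY = '<html><head><script src="https://ads.example.net/tag.js"></script></head></html>'

if __name__ == "__main__":
    for finding in audit_response(WEAK_HEADERS, WEAK_BODY):
        print("weak:", finding)
    print("hardened:", audit_response(HARD_HEADERS, HARD_BODY))
```

The Secure flag is the check that bears directly on the cookie-theft point: without it the browser attaches rootsess to every plain-http page view, so anyone on the same network can read it regardless of whether the login form itself was submitted over HTTPS. HSTS closes the remaining gap, the first plain-http request before any redirect, and the mixed-content check catches an https page that quietly pulls a script over http, which hands an on-path attacker code execution in the page even though the address bar shows a padlock.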
