Your passwords are vulnerable. Change them.

Edw4rdSnowden Sat 12-Apr-14 14:53:14

Dear Mumsnet

Your 'tech support' (ha) have taken you for a ride. This site's security response to the Heartbleed exposure has been woeful and anyone with the slightest know-how of OpenSSL has been able to grab the logging-in details of Mumsnet users (including administrators). I could post screencaps of the board where this geezer has been posting up how funny he is messing around with mumsnet but that's by the by.

This is especially dire news if you've been daft enough to use the same password for mumsnet as you had for your email addresses and amazon accounts etc.

Change all your passwords immediately, ESPECIALLY if your mumsnet password is one you foolishly use for other services.

Finally I urge you to reconsider whether this website and its administrators take your security seriously.

BoreOfWhabylon Sat 12-Apr-14 14:55:30

Maryz Sat 12-Apr-14 15:03:59

Were you EdwardSnowden before?

The one who was banned?

SnakeyMcBadass Sat 12-Apr-14 15:08:11

It's all gone Pete Tong <wails>

Hate to say it, but he's right. I'm a tech and this has had everyone, right up to the CEO, running around fixing shite since Wednesday.

If there had been battle stations alarms available, we'd have set them off.

Change your passwords, but only when the vulnerability has been resolved, as otherwise your new passwords are also vulnerable. Don't worry too much about your online banking, they do not upgrade to the latest versions too quickly (to avoid new bugs) and it's version 1.0.1 to 1.0.1f of OpenSSL that is affected.

Do worry about your passwords if you use the same one across everything!
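Added example (not part of any post in this thread): a small Python check that parses `openssl version` banner strings and reports whether each falls inside the 1.0.1 to 1.0.1f range quoted in the post above. The function names and the sample banners are constructed for illustration.

```python
import re

# Range quoted in the post above: plain 1.0.1 through 1.0.1f.
AFFECTED_BASE = (1, 0, 1)
LAST_AFFECTED_LETTER = "f"

# Matches e.g. "OpenSSL 1.0.1e 11 Feb 2013" or "OpenSSL 1.0.1e-fips ...".
_BANNER = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return ((major, minor, fix), letter) or None if the banner is not recognised."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def in_quoted_range(banner):
    """True if inside 1.0.1..1.0.1f, False if outside, None if unparseable.

    A True result means "check the vendor advisory", not proof of exposure:
    distribution packages can carry a backported fix while still reporting
    an older letter in the banner.
    """
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    base, letter = parsed
    if base != AFFECTED_BASE:
        return False
    # "" (plain 1.0.1) sorts before "a"; release letters compare alphabetically.
    return letter <= LAST_AFFECTED_LETTER


# Constructed sample banners, in the format `openssl version` prints.
SAMPLE_BANNERS = [
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.1 14 Mar 2012",
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: in quoted range = {in_quoted_range(banner)}")
```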

Maryz Sat 12-Apr-14 15:16:41

That's what I thought Cat.

No point in changing MN password now, but worth changing others if they are the same.

EdithWeston Sat 12-Apr-14 15:17:32

It's easy to find google hits for Mumsnet and Heartbleed, which may or may not include the one OP refers to.

I was just fascinated to see on the highest ranked hit the ad with the nearly naked man towards the bottom of the page ("lose you belly fat"). I've had various (tailored - sob) weight loss ads before, but never one offering a lightly oiled man with a 6pack as the 'after'

topknob Sat 12-Apr-14 15:17:49

So have tech added the patch as we are not meant to change any passwords until that is done.

cozietoesie Sat 12-Apr-14 15:20:17

They've said that they have.

The situation has been treated as trivial as though they can be sure it's okay now and no one else got in. As I understand it there is no way for anyone to know that.

I'm not too worried as I don't use a shared password or even email address for MN.

InspirationFailed Sat 12-Apr-14 15:32:34

I can't change my password or read PMs, I just get this every time....

comicsansisevil Sat 12-Apr-14 15:37:40

Message withdrawn at poster's request.

Maryz Sat 12-Apr-14 15:40:27

I've reported your post for you Inspiration.

stretch Sat 12-Apr-14 15:40:31

I have no idea what any of this is about. Not tech-savvy at all.

enormouse Sat 12-Apr-14 15:43:34

Could someone techy from hq come this thread and advise us when to change our passwords?

EdithWeston Sat 12-Apr-14 15:46:22
enormouse Sat 12-Apr-14 15:46:22

*come on

sillymillyb Sat 12-Apr-14 15:46:23

If you look at the Justine's account thread then Rebecca has commented near the bottom

sillymillyb Sat 12-Apr-14 15:46:43

Cross posts, sorry!

enormouse Sat 12-Apr-14 15:46:55

Thanks edith

RandallFloyd Sat 12-Apr-14 15:49:17

Yes, I didn't know whether to change my password or not but RebeccaMN told me to so I have.

I'm powerless in the face of authority. I'd be shit in a coup.

mrstigs Sat 12-Apr-14 15:58:07

I use that many passwords I don't actually know what the password is for here. Bummer. Anyone know how many chances you get?

So have I got to change my passwords for everything?



Worth considering that this thread could be an attempt to make everyone log in and change their passwords now while they are snooping on the data in the MN server's memory! Heartbleed doesn't access stored user accounts but exposes what data is being processed now.

Maybe hang fire on the password changes. It's pointless changing password now anyway until this site has upgraded to the fixed version without the Heartbleed vulnerability. Anyway MN might not use the relevant, vulnerable version of OpenSSL.

This is from DH who works in the field, not me!

InspirationFailed Sat 12-Apr-14 16:12:27

Thanks Maryz :-)

yourlittlesecret Sat 12-Apr-14 16:14:01

Postman Ahh now you tell us after I spent ages thinking up an inspired new PW. So do I change it back now?

I started a thread on geeky earlier about password managers. This made me think perhaps I don't take enough precautions.

cozietoesie Sat 12-Apr-14 16:14:51

Change it in a week or two as well.

ballsballsballs Sat 12-Apr-14 16:16:07


firstchoice Sat 12-Apr-14 16:16:17

should we change passwords for paypal etc?
(mine are not the same as for MN but, even so?)

are online banking / paypal ones okay, does any one know???

ItsAllGoingToBeFine Sat 12-Apr-14 16:18:29

Some of you may or may not find this site reassuring:

It'll monitor lists of hacked accounts and see if your email address appears.

EatShitDerek Sat 12-Apr-14 16:19:21

Fuck changing passwords. Only emails I get is from Christian Singles wanting to Mingle.

So what if someone hacks my MN account. Not much you can do but abuse random strangers. It's happened without hacking.

yourlittlesecret Sat 12-Apr-14 16:20:19

Not sure I want to put my email into a website about hacking.

cozietoesie Sat 12-Apr-14 16:22:46

They say they're fine, firstchoice.

That's a fair point Derek. We should be reserving worry for sites where problems can seriously impact lives and not necessarily MN. (I'm sure that if you're found to have been hacked and someone starts to 'abuse random strangers' under your MN guise, MNHQ will treat it sympathetically. wink)

EatShitDerek Sat 12-Apr-14 16:25:53

I can give it a go and find out, like an experiment grin

Someone has pretended to be me without hacking.

Plus they are shit as there is so much more you could have done when hacking Justines account. I know what I would have done grin

RandallFloyd Sat 12-Apr-14 16:28:02

Oh I'm not particularly bothered about my MN being hacked.
All that would do is make me a bit more interesting for a while!

It was more for other things. I don't think I use the same email/password combo for anything else except ApprovedFood and MyFitnessPal so they're welcome to go nuts there too but I've changed it anyway. Mainly because Rebecca told me to!

yourlittlesecret no just change it to another new one when the bug is fixed. And don't change passwords for other sites to the same one!

Any site running the relevant version of OpenSSL is vulnerable so your data could be retrieved from various places. It's even more of a problem if you use the same password for more than one site as your password could be retrieved from one site then used in other ones to get into your accounts.

EatShitDerek Sat 12-Apr-14 16:29:56

Guess my pinterest is in danger then grin They could take over the world if they hacked that

RandallFloyd Sat 12-Apr-14 16:30:18

If I'd hacked Justine's account I would be bitch plopping all over the shop grin

cozietoesie Sat 12-Apr-14 16:31:05

Out of interest, has one single instance of the vulnerability being used by bad guys been identified? (Just because someone has found out that it can be done doesn't mean that it actually has been done.)

EatShitDerek Sat 12-Apr-14 16:31:24

Randall I would be banning all the nobbers and then give myself HQ powers.

sillymillyb Sat 12-Apr-14 16:32:15

Someone posted a website with a list of mumsnet usernames and passwords on the other thread. It's been taken down now but there were clearly identifiable posters on there.

RandallFloyd Sat 12-Apr-14 16:32:22

Pinterest! I hadn't thought of that. Imagine what they could do with my vast collection of recipes I'll never make, sarcastic e cards, and texts from the dog shock

cozietoesie Sat 12-Apr-14 16:33:36

Sorry - that would be a 'reliable instance'. I'm sure there are people plopping data from various sources all over the web. Just for badness.

RandallFloyd Sat 12-Apr-14 16:33:54

<dreams of having HQ powers>

MrsWembley Sun 13-Apr-14 22:14:47


<mumble mumble splutter cough cough>

Wha??? I was away? Wha's happ'ning? Who did wha'?

<mutters something along the lines of 'that'll teach me for camping somewhere without wi-fi'>

<coughs, splutters, goes back to sleep>

<wakes up long enough to change password, goes back to sleep again>

AmyMumsnet (MNHQ) Mon 14-Apr-14 10:48:48

Hi everyone,

We've responded to what's going on over here.

Apologies for all the inconvenience caused by changing passwords, but it's hopefully less inconvenient than someone using all of your hilar Pinterest memes for evil <--hopes no one asks for examples of how-->.

AmyMumsnet (MNHQ) Mon 14-Apr-14 10:49:20

Oh God, I can't even use strikethrough effectively. HQ powers are clearly squandered on me.

