Talk

Advanced search

Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ! PART TWO

(1000 Posts)
RebeccaMumsnet (MNHQ) Wed 19-Aug-15 07:31:49

Hi all,

This thread is about to max out please continue here and we will update with info as an when we have it.

We will get to all emails and reports but it may take some time Huge apologies.

Here is Justine's OP from the previous thread:

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads https:// rather than http:// at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that https:// is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on contactus@mumsnet.com with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

diddl Wed 19-Aug-15 17:29:39

Third thread

diddl Wed 19-Aug-15 17:05:47

Oh I'm fed up!

I just logged in, went to threads I'm on & got the log in page again!

FFS!

akkakk Wed 19-Aug-15 16:16:41

Agree you shouldn't need to use separate email addresses - but it can be helpful to use different ones for private / financial things (e.g. banking) and then public things (e.g. MN) - two to maintain is not usually that difficult - most phones / computers handle that easily - I forget how many I have - lots!

VivaLeBeaver Wed 19-Aug-15 16:15:05

I'm not been funny but I don't think a password reset was enforced for everyone.

This morning my Mumsnet was still logged in automatically with my normal password. It wasn't until I clicked the link today and reset my own password that this was done for me personally.

I'm worried that if some MUmsnetters who no longer come on here, or who are on holiday, haven't checked their emails, etc.......that their old password is still the current password and that people could get that info from the list and use it.

Beeswax2017 Wed 19-Aug-15 16:08:09

Message withdrawn at poster's request.

akkakk Wed 19-Aug-15 16:05:50

Lioninthesun

I doubt it - they can't even reverse the encryption of your current password, so keeping old ones is unlikely...

so even if they did they would be encrypted (unless very old!)

PegsPigs Wed 19-Aug-15 16:05:27

Hopefully we'll all be a bit more careful about password security in future. Maybe a tiny bit of good will come from this.

MeetMeInTheMorning Wed 19-Aug-15 16:03:24

"Use a unique email address for each social media site you use. Use a unique password for everything."

no - why should I have to keep tabs on several different emails because some twattish men are out there?

Lioninthesun Wed 19-Aug-15 16:00:11

Yes, but does MN save old passwords that we may have updated years ago? I think I have changed my password about 5 times and just want to make sure they are deleted and not saved somewhere in case I have used one or a variable for something else...

BakingCookiesAndShit Wed 19-Aug-15 15:30:29

For everyone's peace of mind, please.....

Use a unique email address for each social media site you use. Use a unique password for everything.

These "men" have done all this publicly, because it makes their tiny dicks tingle, most hack/phish attempts happen silently.

Better to be over cautious than sorry, no?

SoupDragon Wed 19-Aug-15 15:24:47

you should change any passwords that are the same as your MN one whether you are on the list or not

howtorebuild Wed 19-Aug-15 15:23:20

Either via here or the Twitter link, a phone has gone now. I know someone who has been locked out of mn, their email for a week and has now had their phone hacked. They were on the thread when the hacker first came on.

diddl Wed 19-Aug-15 15:23:02

Thanks for that.

Had seen the word "target" & panickedblushgrin

akkakk Wed 19-Aug-15 15:18:13

confirmed:

www.mumsnet.com/session/login?target=%2FTalk%2Fwomens_rights%2F2444266-Not-all-men%3Ftrending%3D1

this would send you back to the thread here - 'not all men' in womens_rights

akkakk Wed 19-Aug-15 15:17:19

diddl you may have some other bits:
?target=%2F

however you don't need to worry - that is just variables being collected by mumsnet...

full link should be:
www.mumsnet.com/session/login?target=%2F
or
www.mumsnet.com/session/login

I suspect the ? target bit is so that they can send you back to the page you were on when you logged in...

diddl Wed 19-Aug-15 15:13:01

Could I just check that this is the URL "www.mumsnet.com/session/login"?

And that is absolutely it?

Nothing after "login"?

Lioninthesun Wed 19-Aug-15 15:11:57

I was just wondering MN, do you keep old passwords? Is there any way he could have got a list of changed passwords, just in case any of us use those for something else? Thanks.

Lioninthesun Wed 19-Aug-15 14:58:05

Altinkum they are great aren't they? I can't watch US Netflix on it which has been a bit annoying, but for peace of mind and no slow 'thinking' egg timers and wondering if you are uploading a virus instead of virus protection software, defragging every few months and things like this it has been the best thing and well worth investing in IMO. Even if you just used it for online banking, FB, Mn and anything else with personal info.

akkakk Wed 19-Aug-15 14:52:58

for ease of use the list is here all on its own smile
www.mumsnet.com/Talk/_chat/2452283--THE-LIST-please-dont-post

SirVixofVixHall Wed 19-Aug-15 14:49:10

I am not on the list, but it can't possibly stop at 1000, that is far too neat a number. I re-set my password a couple of days ago and again yesterday having probs logging in so no doubt I have been phished. I now have to try and remember what other sites I may use the password for. Very stressful. And that is aside from all the personal info.

akkakk Wed 19-Aug-15 14:44:49

Ida nope

IdaBlankenship Wed 19-Aug-15 14:44:00

Thanks Alktinkum, at least this has made me up my online security which is no bad thing

Altinkum Wed 19-Aug-15 14:43:56

Message withdrawn at poster's request.

Altinkum Wed 19-Aug-15 14:42:38

Message withdrawn at poster's request.

IdaBlankenship Wed 19-Aug-15 14:40:24

Can someone check to see if I'm on the list pretty please. My computer has gone all buggy in the last couple of days.

This thread is not accepting new messages.