Mumsnet site attacks: FAQs and live updates

As you probably know, Mumsnet has recently come under attack from hackers. We're posting answers to some of the questions you might have here - and will be keeping the page regularly updated, so check back again soon.

Start by reading up on the full background to the attacks. We've now reset all passwords again, so if you haven't done so already, you'll need to change yours.


Update 2pm Thursday 27 August:

In the wake of the recent hacking and DDoS attacks, we've been considering the security of entry points to Mumsnet. Because the current Talk app uses http, rather than https, we can't guarantee it is 100% secure, so we've taken it offline.

We've been developing a new iOS app using https for a while and we'll be launching it in a few weeks' time; obviously we'll let you know as soon as it's out. We hope to follow this up with an Android app in due course. In the meantime, though, we'd suggest app users move over to our mobile site. Sorry for the inconvenience; hope to see you on the new one very soon.


Update 2pm Tuesday 25 August:

Yesterday evening we were hit by another denial of service attack which meant we were offline until this morning; as soon as we got back up we were attacked again. 

This attack was double the size of the previous one and was distributed across many servers, but we have no reason to believe that any security breaches occurred; the intention was to take the site offline rather than to hack into it.

We are contracting external DDoS protection providers to help deal with future issues. Many thanks for your understanding - apologies again for the interruption in normal service.

The police are continuing their investigation.


Update 3pm Monday 24 August:

All was reasonably quiet at the weekend so happily very little has changed since the end of last week. We've no evidence of further attacks on Mumsnet, or indeed further swatting attacks. 

As we've said, we patched the hole used to access user login details in the middle of last week and forced a password update. The site is currently undergoing stress testing via an external security firm, which should be completed this week. Meanwhile, the tech team are reviewing every bit of code to make sure it's as robust as can be. 

Obviously we can't be complacent though - please do report anything that looks at all dodgy, and we'll investigate straight away. 

I know some users are still awaiting replies to emails they sent us last week. Thanks so much for your patience if that applies to you - we're very much hoping to get through the backlog in the next couple of days.

The police take these attacks seriously and are conducting a full investigation. We will, of course, update you with any news on that front as soon as we have any.

Once again, many thanks for your support and virtual (and in one case, actual) provision of gin, and many apologies, again, for any undue stress/anxiety caused.


Update 3pm Friday 21 August:

This afternoon we have been alerted to another swatting incident that took place last night. According to the poster who was targeted, the police believe the hacker got her info from Twitter, not Mumsnet. Thankfully she wasn't at the address in question.

Both swats on Mumsnetters have come after they've engaged with @dad_sec on Twitter - so clearly this looks like something to avoid.

If you are worried about Twitter:

  • You can make your tweets private (to just those following you) - see support.twitter.com/articles/20169886 or www.wikihow.com/Make-Your-Twitter-Account-Private
  • Remove any photos of you on your profile - you can image search with photos - and put up a generic image not tied to you elsewhere
  • Don't use Twitter etc to log into other websites - you may be giving more of your Twitter information to them than you provide on Twitter, and they may not respect your privacy to the same level
  • Use a boring and not too unique username where possible - you can track usernames across social networking, eg namechk.com/ (green shows what is free, ie doesn't have the username registered)
  • Consider using different usernames across different platforms to avoid any obvious links

Update 11am Thursday 20 August:

If you haven't been logged out and forced to set a new password, that is a bug affecting about 10% of users. If you haven't been forced to log out, please do so yourself and update your password.


Update 10am Thursday 20 August:

Yesterday afternoon the tech team found the hole that was accessed to capture user login data via phishing and patched it. Then, as you probably know, we forced another password update requiring higher security passwords last night (once we'd rebutted a further DDoS attack).

We are undergoing full security testing by external experts over the next few days to determine if there are any other weaknesses that might be exploited. We'll update you when that process is completed.

Many thanks for your patience and understanding. The best advice remains to update your password here and any passwords used on other sites that are the same as ones you've used on Mumsnet before yesterday.

We're really sorry for any extra bother and anxiety caused.


Update 9am Thursday 20 August:

To clarify, the new password requirements are as follows:

  • 10 characters
  • A mix of letters and at least one symbol or number
  • Not a previous password (only applies to the last two you've used)
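Here is a worked illustration of how a site can enforce the three requirements above, checking the "not a previous password" rule against stored hashes rather than stored passwords. This is an added example, not Mumsnet's own code; it assumes the length rule means a minimum of 10 characters (the page says "10 characters" here and "more than 10" in a later update), that "symbol" means any character that is not a letter or digit, and it uses PBKDF2 with an illustrative iteration count purely so the history check can be shown end to end.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 10              # assumption: "10 characters" read as a minimum of 10
HISTORY_DEPTH = 2            # "only applies to the last two you've used"
PBKDF2_ITERATIONS = 100_000  # illustrative setting for this example, not Mumsnet's

StoredHash = Tuple[bytes, bytes]  # (salt, digest); only hashes are ever stored


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredHash:
    """Salted PBKDF2-HMAC-SHA256 of the password (example choice of algorithm)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, stored: StoredHash) -> bool:
    """Re-hash with the stored salt and compare in constant time."""
    salt, digest = stored
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def policy_problems(candidate: str, history: List[StoredHash]) -> List[str]:
    """Return every reason the candidate fails the policy (empty list = accepted).

    history holds the user's previously stored hashes, oldest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in candidate):
        problems.append("must contain letters")
    # assumption: a "symbol" is any character that is neither a letter nor a digit
    if not any(ch.isdigit() or not ch.isalnum() for ch in candidate):
        problems.append("must contain at least one number or symbol")
    # Only the most recent HISTORY_DEPTH hashes are compared; older ones may be reused.
    if any(verify_password(candidate, stored) for stored in history[-HISTORY_DEPTH:]):
        problems.append(f"must not be one of your last {HISTORY_DEPTH} passwords")
    return problems


def change_password(candidate: str, history: List[StoredHash]) -> List[StoredHash]:
    """Apply the policy and, if it passes, append the new hash to the history."""
    problems = policy_problems(candidate, history)
    if problems:
        raise ValueError("; ".join(problems))
    return history + [hash_password(candidate)]


if __name__ == "__main__":
    # Constructed sample: a user with three earlier passwords on record.
    history: List[StoredHash] = []
    for old in ("first-password-1", "second-password-2", "third-password-3"):
        history = change_password(old, history)
    print(policy_problems("short1!", history))
    print(policy_problems("first-password-1", history))  # older than the last two: allowed
    print(policy_problems("third-password-3", history))  # one of the last two: rejected
```

Because the comparison runs `verify_password` against each stored hash, the site never needs to keep the old passwords themselves to enforce the history rule.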

We're looking into why some of you mightn't have been booted out and forced to set a new robust password right now - thanks very much for letting us know.

If you've been allowed to reset your password to one that either doesn't meet the new security standards or is one of the two old passwords you used most recently, please email techtest@mumsnet.com with details, and they'll look into it as soon as possible.


Update 11pm Wednesday 19 August:

Thanks to everyone who's raised concerns about the strength of passwords on Mumsnet. We've now built new code that will oblige anyone logging in to create a new, complex password that conforms to higher security standards, the requirements for which are as follows.

In the next hour, we're going to force all users to be logged out. Then we'll change all users' passwords so they MUST reset their password to log back in. To make absolutely certain that everyone has a new, secure password, you'll be logged out even if you've already changed your password in the last two days.

We're sorry this is the second mass password-reset in the space of a couple of days, but now we have code in place to strengthen security, we want to implement it as soon as possible.

Please don't worry when you're logged out: it's MNHQ, not the hacker, behind it.

 

Update 10pm Wednesday 19 August:

It looks as though more hacked data has been posted online tonight - this time relating not to Mumsnet users but to brands and partners Mumsnet has worked with.

There haven't been any new breaches of our normal user data, and contrary to what they claim, we DON'T pass on our user data to commercial clients without express permission.

We believe they were able to access this information via their original hack - but as a precautionary measure, we've restricted access to all services we use where we store additional data.


What's happened?

On the night of Tuesday 11 August, Mumsnet went offline briefly following a denial of service (DDoS) attack.

A Twitter account named @DadSecurity claimed responsibility.

In what's known as a swatting attack, they made hoax calls to the police, resulting in armed response teams arriving at the house of JustineMumsnet and another Mumsnet user. We don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

On Wednesday 12 August our homepage was redirected to the @DadSecurity Twitter account, and someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police.


What have you done to prevent the hacker using the passwords they've stolen to access users' Mumsnet accounts?

On Tuesday 18 August, we reset all passwords. You (or anyone else) can't now log in with an old password. If you haven't already done so, you'll need to choose a new password. Make sure it's strong - there's help here on how to do that, or you can use this automated password generator.

UPDATE: We now have code in place that will force users to choose a complex and robust password. Late on Wednesday night we forced a log-out and obliged everyone to reset their password (even if you had already done so recently). 


Why can't I log in to my Mumsnet account?

All old passwords - in other words, those which were in use before we forced the password reset on Tuesday afternoon - are now invalid, so you won't be able to log in to Mumsnet without setting a new one. You can do that here - just follow the instructions.


I've changed my password - what else do I need to do?

If you use the same password on multiple sites, you shouldn't - but if you do, you'll need to change your password on each one.

It's good practice generally to change ALL your passwords on a regular basis - and to make sure your passwords are strong. There's help here on how to create a strong password, or you can use this automated password generator.

You should always use unique, hard-to-crack passwords - but we know it can be a nightmare trying to remember them all. So we recommend that you use password management software to remember passwords and store them securely - for example, 1Password, KeePass or LastPass.


What about Gmail?

When changing your Gmail password, we'd highly recommend setting up two-step verification on the account. You can do that via the 'My account' page on Gmail and selecting two-step verification.

Never follow a link in an email unless you're 100% sure it's genuine - and always check the address the link takes you to. It may look like a Google page, but if the domain (the part of the address between https:// and the next slash) isn't google.com or something ending in .google.com, then it's fake.

Here are examples of genuine Google addresses:

https://www.google.com/...

https://mail.google.com/...


And examples of fake addresses:

https://www.google.com.account.co/...

http://google.com.login.uk/


What other information could have been accessed by the hackers?

Once he gained access to the hacked user accounts, the hacker would have been able to see profile data - username, password, postcode if supplied, username history and Mumsnet inbox.


Who has been affected by the hack, other than those whose passwords were published?

Everyone who has logged in in recent weeks should assume their username (or email address, if that's what they use to log in) and password are on a list, even if not visible on the published one.


Why haven't I received the password reset email you've sent out?

The emails about the password reset are still going out. It takes a while to send out the hundreds of thousands of mails and we're sorry we haven't been able to speed that process up.


Are you going to force users not to use the same password again? Or to use a more secure password?

If a user sets the same password again, it's possible it could be used to fraudulently log in as that user. We're working on something right now to prevent this, and we'll also be introducing more forced complexity as part of it.

UPDATE: We now have code in place that will force users to choose a complex and robust password. Late on Wednesday night we forced a log-out and obliged everyone to reset their password (even if you had already done so recently). 


You say that we should make sure that the Mumsnet login page begins with "https://". Should I worry if other Mumsnet pages begin "http://"?

Only the login page is HTTPS. The important point is that when logging in, the name should be www.mumsnet.com. Note that some browsers only show mumsnet.com, which is also fine.


Why didn't you force an automatic password reset as soon as the first attack happened?

The attack came in two stages.

Last week, when the DDoS attack and the initial hacking took place, we were confident that passwords were secure. We keep our passwords encrypted and use the recommended algorithms with high-strength settings, which means that if someone somehow obtained the password data from our database, they still wouldn't be able to make any use of them - they wouldn't work on our site or on any other site, even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

There was no evidence until Sunday 16 August that anyone had been compromised, and it was only on Monday/Tuesday that it became obvious there was more than a very small handful of cases. As soon as we thought we might be victims of a phishing attack, we enforced a reset.

We spent Monday 17/early Tuesday 18 investigating and establishing the theory of a phishing attack, and as soon as we felt reasonably confident that had taken place (ie Tuesday 18 afternoon), we forced the reset on the possibility that passwords had been compromised. This was preemptive: it wasn't until after the reset had occurred that the hacker posted the list of passwords and usernames online.

As far as we can tell, the passwords he posted were from prior to the reset, so we hope and believe that all passwords that have been changed since the reset are secure now. We moved as quickly as we could as soon as new information became available to us.


When you win a competition and you give Mumsnet your address so they can send your prize - where are those stored?

These are stored separately and are not linked to your user details. Very few MNHQ staff have access to the user details, to keep security as tight as possible. However, if you have ever used your address in a PM, you should delete it.


Have the hackers accessed addresses provided through product testing, our Insight panel, or Local editor info?

Insight data (including product testing) is kept in a different system and protected with a username/password combination that is changed regularly and set by our tech team. We have no reason to think this system was compromised.

We don't store addresses relating to Local in the part of admin that was breached - they are kept elsewhere and password protected.


Can you provide a 'delete all' button for PMs to expedite the process?

We're looking into how long this would take, and we'll report back ASAP.

UPDATE: We have now introduced a 'select all' button for PMs - to delete all, click 'select all' and then hit the trash can button for each page of your inbox.


How can I deregister as a user?

If you go to the bottom of your account page you'll find a de-reg link there.


I've tried to de-reg, but I'm getting a biscuit page - why is this?

Don't worry, we will have received your request to deregister. It's only the page that says 'Thanks for your request' that has broken - apologies.

We will be de-regging you as the day goes on and mailing you to confirm this is done.


I don't want to de-reg, but I want to delete my posting history. How can I do this?

Please email contactus@mumsnet.com with a request to delete your history - we're working to respond to all de-reg and deletion requests as quickly as we can, but it may take a little time - apologies.


Didn't the problem start a week ago, when users informed you they were having problems with logging in and being logged out - MN said it was a techie problem?

We were experiencing unrelated technical issues at that point, unfortunately - it's possible the phishing happened then too, but because we had no suspicion this was going on, we assumed that our own technical issues were to blame for users' logging in problems.


Why has Mumsnet been targeted?

We don't know. There's a suggestion in some places online that it's down to MN's reputation as a safe space for women and/or a website with a feminist bent.

On one online message board, someone claiming to be the hacker refers to Mumsnetters as feminist extremists, which might give a clue to their motivation. But of course we can't be sure they are the 'real' hacker.

On the original thread he hacked, DadSecurity denied any such motivations, saying: "We are doing this because we find it entertaining".


Where can I find out more details about the technical side of the attacks?

We'll be updating this page with more technical information as soon as we can - in the meantime, this thread contains lots of detail that may help.


How did the hacker get Justine's and the other member's street addresses?

We think this was done via Google - both are very easy to find. We don't think it was via the Mumsnet site - we don't collect addresses.


What about the census data that Mumsnet recently asked users to provide?

We do not keep census data in our Mumsnet database. It is processed, anonymised and disposed of securely outside of our databases and site administration. We have no evidence this has been accessed at all. It is an entirely separate system.


Why are you working on the assumption that this was a phishing attack?

As we've said, Mumsnet passwords are encrypted and we use the recommended algorithms for this, with high-strength settings. With phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, the hacker doesn't need to decrypt anything; they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager).

The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors. 


If this was purely a phishing attack, and the hackers didn't access the Mumsnet database, why were 22 mumsnet staff accounts also on the published list?

We're assuming MN staff were also phished, since they have to log in too. As we've said, we do believe that this was a phishing attack, but of course we'll let you know immediately if we get any indication that this is not the case.


If this was a phishing attack, how can you be sure that it's not still going on?

We can't - this is why we're asking users to be hypervigilant when using the Mumsnet login page, and always check the URL. 

If the URL begins with anything other than https://www.mumsnet.com/session/login, don't use it. Note the 'S' in 'https://'.

Alternatively, use your social login (ie via Facebook/Google), which doesn't require a password in order to log in to Mumsnet.
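The "check the URL" advice above, and the genuine-versus-fake Google addresses listed earlier in the FAQ, both come down to reading the domain from the right-hand end rather than looking for a familiar name anywhere in the address. The following is an added example, not Mumsnet's or Google's code, showing both checks: a domain check that accepts a trusted domain and its subdomains, and a stricter login-page check that requires https plus an exact host and path. The sample addresses are the ones on this page; the function names are this example's own.

```python
from urllib.parse import urlsplit


def address_domain(url: str) -> str:
    """The host part of a URL, lower-cased; urlsplit strips any port or credentials."""
    return (urlsplit(url).hostname or "").lower()


def is_genuine_address(url: str, trusted_domain: str) -> bool:
    """True if the URL uses https and its host IS trusted_domain or a subdomain of it.

    The host is compared from the right: 'www.google.com.account.co' ends in
    'account.co', not 'google.com', so it fails even though it contains google.com."""
    if urlsplit(url).scheme.lower() != "https":
        return False
    host = address_domain(url)
    trusted_domain = trusted_domain.lower()
    return host == trusted_domain or host.endswith("." + trusted_domain)


def is_expected_login_url(url: str, expected: str) -> bool:
    """Stricter check for a login page: https, the exact host and the exact path
    must all match the expected address (a stricter reading of the page's
    'begins with' rule, which is this example's assumption)."""
    got, want = urlsplit(url), urlsplit(expected)
    return (got.scheme.lower() == "https"
            and want.scheme.lower() == "https"
            and address_domain(url) == address_domain(expected)
            and got.path == want.path)


if __name__ == "__main__":
    # Addresses taken from this FAQ's genuine/fake examples.
    for url in ("https://www.google.com/...", "https://mail.google.com/...",
                "https://www.google.com.account.co/...", "http://google.com.login.uk/"):
        print(f"{url:45} genuine={is_genuine_address(url, 'google.com')}")
    login = "https://www.mumsnet.com/session/login"
    for url in (login, "http://www.mumsnet.com/session/login"):
        print(f"{url:45} login page={is_expected_login_url(url, login)}")
```

Note that a plain `startswith("https://www.google.com")` test would pass the fake `https://www.google.com.account.co/...` address; parsing the host and comparing its ending is what catches it.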


My password was on the published list, but it's a really old one and I've since changed it?

The fact that some of the passwords were very old is our current chief line of enquiry. If this is the case for you, please email techtest@mumsnet.com.


Where can I find out whether my details were in the list that the hacker(s) published?

There is a Mumsnet thread here containing all the usernames and passwords that were published. You don't need to go through it manually - control/cmd F to search your name.


The list was published on Pastebin - is it still there and have you reported it?

The list is still on Pastebin, although we have emailed them and reported it several times. If you'd like to add your voice to the complaints, you can email them on admin@pastebin.com.

UPDATE: Pastebin has now removed both the original list and the one containing clients' details.


The hacker claimed on Twitter they had a Mumsnet moderator working with them - do you believe this is true?

We have no reason to believe it was an inside job - Mumsnet staff don't have access to passwords and haven't for some time. The list included passwords from some newer HQ members - so it's definitely not just an old list from pre-encryption times.


If you can't say for definite that the hacker won't strike again, why haven't you taken Mumsnet offline to prevent more details being accessed?

The site is also still being used by people with genuine issues and problems - there was a thread going on last night, at exactly the same time as the hacker was here, started by someone looking for support because her DH had committed suicide.

We believe we have taken reasonable steps to ensure data security given what we know and when we knew it. And unfortunately, no site can guarantee complete security. If we shut the site down then the hacker has succeeded in shutting down a very useful site that is predominantly a space for women. But ultimately if you feel compromised or worried then you can and should leave because we're here to make folks' lives easier, not the reverse.


Why has it taken so long to investigate?

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet, there is a lot of information to go through.

When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners, who have a lot of experience of these kinds of attacks, and we have used lots of resources available to us.


Were your security standards up to scratch?

We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on.

We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold.

After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.


Why is the 'padlock' on the login page yellow, rather than green? Does this mean it's not secure?

The login page is secure. There is a small problem whereby some of the things on the page are being served using HTTP, rather than HTTPS, which is why the padlock is yellow rather than green.
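The yellow padlock is the browser's "mixed content" warning: the page itself arrived over HTTPS, but some of the things it references (stylesheets, scripts, images) are fetched over plain HTTP. The scanner below is an added example, not Mumsnet's code, that walks a page's markup and lists every such reference; the page markup and the example.com hosts in it are constructed for the demonstration.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Tags and attributes that make the browser fetch something when the page loads.
FETCHING_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",), "source": ("src",),
    "audio": ("src",), "video": ("src",), "embed": ("src",), "object": ("data",),
    "link": ("href",),    # only counted when rel includes stylesheet or icon, see below
    "form": ("action",),  # not fetched on load, but a plain-http action would submit unencrypted
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: value for name, value in attrs if value is not None}
        if tag == "link":
            rel = attrs.get("rel", "").lower().split()
            if "stylesheet" not in rel and "icon" not in rel:
                return  # canonical, alternate etc. are not fetched with the page
        for attr in FETCHING_ATTRS.get(tag, ()):
            if attr in attrs:
                # Relative ("/x.css") and scheme-relative ("//host/x.js") references inherit
                # https from the page, so only an explicit http:// reference is mixed content.
                absolute = urljoin(self.page_url, attrs[attr].strip())
                if urlsplit(absolute).scheme.lower() == "http":
                    self.findings.append((tag, absolute))


def find_mixed_content(page_url: str, html: str) -> List[Tuple[str, str]]:
    """Return (tag, absolute_url) for every resource the https page pulls over http."""
    if urlsplit(page_url).scheme.lower() != "https":
        raise ValueError("mixed content is only meaningful for a page served over https")
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page, not Mumsnet's markup; the example.com hosts are placeholders.
PAGE_URL = "https://www.example.com/session/login"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <link rel="stylesheet" href="http://static.example.com/legacy.css">
  <link rel="canonical" href="http://www.example.com/session/login">
  <script src="//cdn.example.com/app.js"></script>
</head><body>
  <img src="https://images.example.com/logo.png">
  <img src="http://images.example.com/banner.png">
  <form action="/session/login" method="post"><input name="password"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"<{tag}> loads {url} over plain http")
```

Run against the sample, it reports the legacy stylesheet and the banner image; the relative and scheme-relative references are clean because they inherit the page's https. The usual fix is exactly that: reference every resource as `https://` or `//host/path` so nothing on an HTTPS page is fetched in the clear. The form `action` is included because a login form posting to a plain-http address would send the password unencrypted even though the page itself was served securely.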


My password was published - but my computer remembers my password automatically and I don't have to type it. Doesn't this mean it wasn't a phishing attack?

Not typing the password doesn't mean it wasn't phished. Your browser still processes the password, even if it was remembered by it or by a password manager plug-in, and thus it could still have been captured.


Some users are reporting that they are still able to log in using old passwords, despite the forced password reset - why is that?

If people have reset their password to the same as it was, perhaps because they've not yet received the email about the hack, then they (or anyone) would be able to log in using the details on that list. We are working on enhancing the password requirements and when that's ready there will likely be another password reset. We will also check against that list to make sure that people aren't re-using those passwords.

UPDATE: We now have code in place that will force users to choose a complex password. Late on Wednesday night we forced a log-out and obliged everyone to reset their password (even if you had already done so recently). If you're STILL able to log in with one of your last two passwords, or with one which doesn't meet the new security standards (more than 10 characters, a combination of letters and at least one number/symbol) please email techtest@mumsnet.com.


Other users are reporting that the published passwords haven't been used to log in for a long time. Doesn't this indicate that the data didn't come from phishing?

This is a pretty fast-moving situation. The hacking has been going on for a while of course, but the list was only published last night and the information from users is still coming thick and fast. We promise that people are working around the clock on this.

There are a few possibilities. We need quite firm evidence that the hacked data is in fact old. If anybody has any information about that, eg it's a password you've not used for more than several weeks, then please send that information to contactus@mumsnet.com.


Where can I find a list of what I should do right now?

Here:

  • DO reset your Mumsnet password
  • DO make passwords really strong to reduce the risk of them being guessed
  • DO check the URL of any login page to reduce risk of phishing
  • DO verify that https:// is being used on login pages
  • DO use social login to avoid typing passwords
  • DON'T give out information to any organisation without verifying they are who they say they are (such as the fake @mumsnetsupport Twitter account that had also been started but has now been removed by Twitter)

Last updated: almost 2 years ago