Mumsnet site attacks: what happened and what to do next
As you probably know, Mumsnet has recently come under attack from hackers who have accessed some user information.
On the night of Tuesday 11 August, Mumsnet went offline following a distributed denial of service (DDoS) attack
A Twitter account named @DadSecurity claimed responsibility.
The hackers made hoax calls to the police
In what's known as a swatting attack, an armed response team turned up at JustineMumsnet's house in the middle of the night: the police had received a spurious report about an armed man prowling around.
A Mumsnet user who engaged with @DadSecurity on Twitter was also visited by armed police in the middle of the night, following a report of gunshots.
We don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.
On 12 August our homepage was redirected to the @DadSecurity Twitter account
The hacker/s also edited posts from two users' accounts and an MNHQ account on our forums.
Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police.
Then, over the weekend, a user reported that posts had been made under her name that weren't by her, and we spotted two other cases where this had happened. It became clear that the hackers had got hold of some users' passwords - a fact confirmed late Tuesday night, when they posted the stolen passwords online.
On 18 August, we reset all passwords
You can't now log in with an old password. If you haven't already done so, you'll need to choose a new password. Make sure it's strong - there's help here on how to do that, or use this automated password generator.
If you use the same password on Mumsnet and other sites, you should stop doing so - and change your passwords on those sites too.
You should always use unique, hard-to-crack passwords - but we know it can be a nightmare trying to remember them all. So we recommend that you use password management software to remember passwords and store them securely - for example, 1Password, KeePass or LastPass.
We take great care to protect the information users give us, and don't ask for, or store, any more information than we need to run the site. All passwords are encrypted, so that no one - not even us - can see them. We think, therefore, that this has been done via a form of phishing, whereby the hacker creates a fake Mumsnet login page that looks just like the usual page, but with a slightly different URL. The hacker would have been able to see passwords in plain text when they were typed in.
Any passwords the hacker has been able to harvest up to this point will now be useless. However, if phishing was the cause, the Mumsnet login page could be phished again - so it's really important to check the URL when you enter your details, or use your social login (i.e. via Facebook/Google), which doesn't require a password.
If the URL begins with anything other than https://www.mumsnet.com/session/login, don't use it. Note the 'S' in 'https://'.
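The URL check above can be made precise by parsing the address rather than eyeballing it. The following Python is an added example written for this page, not code from Mumsnet: it accepts only the exact login page named in the notice (https scheme, host www.mumsnet.com, path /session/login) and rejects the kinds of lookalike addresses a phishing page typically uses. The lookalike hosts in the sample list are constructed, using reserved example names, and are not real sites.

```python
from urllib.parse import urlsplit

# The only legitimate login page named in the notice.
EXPECTED_SCHEME = "https"
EXPECTED_HOST = "www.mumsnet.com"
EXPECTED_PATH = "/session/login"


def is_genuine_login_url(url: str) -> bool:
    """Return True only if the URL is the real Mumsnet login page.

    The URL is parsed rather than compared as a string, so the hostname is
    checked exactly: a lookalike such as 'www.mumsnet.com.login-check.test'
    or 'www-mumsnet.com' fails, a page that puts the real name before an '@'
    (so the browser goes elsewhere) fails, and a plain 'http://' page fails
    because the 'S' in https is missing.
    """
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError for a malformed port
    except ValueError:
        return False
    if parts.scheme.lower() != EXPECTED_SCHEME:
        return False
    # .hostname is lower-cased and excludes any port or user:password@ prefix
    if parts.hostname != EXPECTED_HOST:
        return False
    # The real page uses the default https port and no embedded credentials.
    if port not in (None, 443) or parts.username is not None:
        return False
    if parts.path != EXPECTED_PATH:
        return False
    return True


def classify(urls):
    """Return {url: verdict} for a batch of addresses."""
    return {u: ("ok" if is_genuine_login_url(u) else "DO NOT USE") for u in urls}


# Constructed sample addresses; only the first is the real page.
SAMPLES = [
    "https://www.mumsnet.com/session/login",
    "http://www.mumsnet.com/session/login",                    # no 'S': plain http
    "https://www.mumsnet.com.login-check.test/session/login",  # real name as a subdomain
    "https://www-mumsnet.com/session/login",                   # hyphen instead of dot
    "https://www.mumsnet.com@login-check.test/session/login",  # real name before '@'
    "https://www.mumsnet.com/session/login/verify",            # different path
]

if __name__ == "__main__":
    for url, verdict in classify(SAMPLES).items():
        print(f"{verdict:12} {url}")
```

The check is deliberately strict: an address that differs only by a trailing path segment or a non-standard port is rejected too, because the genuine page needs neither. Comparing the parsed hostname, rather than testing whether the text starts with the expected string, is what defeats the "real name somewhere in the address" trick.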
You can read live updates and more about the technical details of the attack here.
UPDATE: We now have code in place that will force users to choose a complex and robust password. Late on Wednesday night we forced a log-out and obliged everyone to reset their password (even if you had already done so recently).
Who's been affected, and how?
We can't know how many users have been affected in total, but we do know the hackers have posted roughly 3,000 usernames and passwords online.
Once he gained access to the hacked user accounts, the hacker would have been able to see profile data - username, password, postcode if supplied, username history and Mumsnet inbox.
No site is 100% safe and secure. Whenever you share anything on the web, either publicly (as on a Mumsnet thread) or privately (as with the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else.
Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts, and close redundant accounts you no longer use.
Last updated: over 1 year ago