Another Mumsnet data breach

[kittensinthekitchen]

www.mumsnet.com/talk/site_stuff/4564026-change-in-format-of-response-to-report-emails

A user posted in Site Stuff earlier today to say that they'd received a response to a report they'd made, then noticed it included the other user's name and email address.

Justine has said the following

We had a temporary glitch with 'Report this post' for a short time today which meant the email of the person reported was included in the report and in a few cases in responses to those reports. This applies to a very small number of users and we'll be contacting them shortly to let them know. Our DPO has been informed and on his advice we'll report it the ICO if appropriate. Please be assured the issue is now fixed. We will of course be examining how it happened to ensure it never happens again. We're really sorry for any concern caused.
**

Has anyone been contacted? If you've noticed you've had a comment deleted today, beware, the person who reported it might have access to your personal information.

Will MN be making those affected know?

Would those who have the emails email the other emails to alert them?

God, what a joke.

apparently new sign ups have been suspended too.

That is so awful. Really sorry for anyone affected. It is very concerning.

This was the nudge I needed to change my MN email address to a random burner one! Not good.

This is really bloody serious.

MNHQ might let the ICO know? Might?

As this is not the first data breach on this site, I strongly recommend that anyone who does not want their identity revealed have a separate email account for MN, with an email address that is not identifiable.

That's probably due to a really persistent troll that's been hanging about for the last couple of days.

Ah right yeah, I thought they had IP info or similar to identify PBP but maybe there’s been a breakdown in that.

I reported a post earlier and on the reply it contained the details of the op, which was clearly a spam type email address but it’s worrying that if someone was say, asking for help to leave an abusive relationship and the person who they are leaving reported the thread, it would potentially create a threatening situation for the OP.

I've read somewhere that PBPs have been able to reregister on the new platform, as if any banned IPs, emails etc haven't carried over.

Yep, people report threads for all sorts of reasons, not just trolls, so anyone could have anyone's contact details.

No-one from MN seems to be available just now to answer people's questions over this, so it seems they're not seeing it as a big deal at all. (Though someone did say they now have an identifying email address for a member of MN admin, so maybe that will be taken seriously)

If there is a data breach then I would like to know about it. You’d think by now after all the other data breaches this site would be secure.

I've been using MN less and less due to the new platform which doesn't work for me at all so I have to use the horrible horrible app..... this gives me the excuse I need to take a proper break, and then use a burner address and new nn if I decide to continue, shame as I've been a lurker since 2001 and registered since 2005. End of an era.

You'd think they'd be hotter on security by now, but it seems not. I wonder if this will just be swept under the rug again. Makes you wonder how many security breaches happen that they just don't tell users about- it seems this was only mentioned because someone posted about it in Site Stuff. The thread was initially deleted! ☹️

This is worrying!

Yes, that's worryingly inadequate

I changed to a throw-away email address for MN after Jeffery-gate and discovered only months later that they had retained all users' previous registered email addresses (making change to throwaway in effect useless)

Given the reappearance of old deleted PMs, I am somewhat concerned again about MN standards, and what other old stuff could reappear and where

The best response is to invite in ICO and get their help in putting it right.

MNHQ say it ‘only’ affected about 20 users, but is that just the number who notified them that they had the other person’s email address? I don’t really trust MNHQ to give a straight answer about data breaches after past performances tbh.
There might be people who don’t check the email they’ve signed up with so might not know they are part of a GDPR breach at all.

Oh shit. This doesn’t sound good. I reported a couple of the troll threads😑

Because of the nature of this breaching, it makes sense that they don't publicise it to members until they're sure it's fixed. Otherwise all the trolls on here would be reporting people they want to dox.

There are lots of MRAs and TRAs constantly trying to get access to users' details by trying to become staff/admin or trying to hack the system. Everyone should really be aware of that by now. There is a group of 'intersectionists' that lobby for representation on the admin team who are obviously just TRAs.

I started using a MN specific email after the TRA intern breach a few years ago.

It's absolutely shocking that there isn't a pinned post or main notification about this. Just a message on a thread, which many people won't read.

Maybe MNHQ need a Preview button so they can check their emails before they send them out

@DaisyQuakeJohnson

They say it's been fixed already, thankfully.

I did ask Justine last night what time period it affected but it seems a fairly serious data breach isn't a reason to ensure staff are available for any questions 😕

I recommend using a separate email account for sites like these. I realize that a data breach can come from any organization, but in this case we want to remain anonymous.

I reported one of my own posts as I decided that whilst true for me, it might have prevented somone in a domestic violence situation leaving, anyway, the responese does contain my email address in the text (never has before)

The email was at 5.27 on Sat 4th for anyone wanting the time.

Its not a data breach for me as its my own data - but MN havent said anything and its only luck it was my own post i reported.

Do they send you an email if you get reported? How will I know? I'm shocked at this tbh.