Another Mumsnet data breach

[kittensinthekitchen]

www.mumsnet.com/talk/site_stuff/4564026-change-in-format-of-response-to-report-emails

A user posted in Site Stuff earlier today to say that they'd received a response to a report they'd made, then noticed it included the other user's name and email address.

Justine has said the following

We had a temporary glitch with 'Report this post' for a short time today which meant the email of the person reported was included in the report and in a few cases in responses to those reports. This applies to a very small number of users and we'll be contacting them shortly to let them know. Our DPO has been informed and on his advice we'll report it the ICO if appropriate. Please be assured the issue is now fixed. We will of course be examining how it happened to ensure it never happens again. We're really sorry for any concern caused.
**

Has anyone been contacted? If you've noticed you've had a comment deleted today, beware, the person who reported it might have access to your personal information.

Nope. You wouldn't know how many times you've been reported.

Oh dear.

Not normally unless they want to discuss anything with you. Typically they just delete with no notice.

They've said they'll contact anyone affected by this and that it only affects around 20 users. No idea if they've contacted them all yet.

Fucking hell. This really, really isn't good enough.

MN have demonstrated in the past that their approach to users' data protection is pretty casual. Their poor response to this incident suggests that this hasn't changed.

I'm pretty shocked at the breach itself (I mean honestly, on top of all the site glitches that have been going on for weeks now, what sort of clowns do they have running their IT?) but also at one single response hidden in a thread that says not much more than oops, silly us.

can we have an update please? Even if its just "we will be able to let you know more at 11am'

As a web developer you have to choose to display this and theres no chance it's a slip up. You have to call to the database to retrieve the user details of the poster and then choose to print it to the page.

So your standard display message + whatever strings you called from the DB

Even if you stored the deletion reason on the db next to the reported message it would be as a code and the user details wouldnt be in that section of the db. Everything has / should be separate unless its stored in the deletion message string which is very unbelievable.

Plus who tested it? UAT? I struggle to see how it happened tbh

This does rather seem like it's been swept under the rug by Mumsnet

This is shocking. I did know that this forum has a terrible reputation but I didn't think things were as bad as this. It seems to be run by a bunch of complete amateurs.

I received notification that my name and email address has been shared with the person who reported my post. I’m shocked.

Things are really bad, I’m barely able to post, it takes forever then times out more often than not or double posts. I cannot fathom why it’s becoming so unusable with all the money that apparently has been lobbed at it.

That’s interesting. So someone wanting to bring the site into disrepute.

Thank you to the person who noticed this on their reporting email and posted about it. Many people wouldn't have given the "report confirmation" email a second glance!

So it could have been done deliberately?

Justine saying it was only for a short time yesterday that this was happening so if you have evidence to the contrary you should raise this with them

MN have replied to the original post saying everyone who is affected have been contacted and that it was between roughly 12.45pm and 7pm

I did this in the data breach of 2015 (l think it was)

I also regularly change my nn. I won't post on any forum where I can't protect my identity.

Things go wrong in IT all the time but the developer has to test codes changes. Then it goes to internal testing, then onto user acceptance testing ( in the normal ITworld). Maybe not so much in small IT systems.

You might have store who wrote the post and who reported and what the report code was but honestly not all in one string as you cant sort / manipulate such a bunch of random data like that. You could store it a BLOB which is a good way to save large chunks of data you dont want to sort, but I just cant see it. If it wasnt displaying it before why change the database structure or calls to the database? I just cant see how it accidentally changes out of the blue.

I'm not saying its malicious but it seems to involve bad coding / testing at best

I just cant see how it accidentally changes out of the blue

That's why my mind drifts toward internal sabotage, @IncessantNameChanger . Might seem dramatic, but after the Incident Of The Malicious Intern, I have realised that such things are possible.

Anyway, like others, I've switched to a burner email address, changed my password and changed my username (again).

I'm actually considering deleting my account. Certainly Premium is off the menu for, well, forever.

@IncessantNameChanger

Thanks for going to the trouble to explain. I won’t pretend to understand 😂

Can you please tell me about the malicious intern incident?

Brief guide to previous data breaches:

www.digit.fyi/mumsnet-suffers-data-breach-after-botched-upgrade/

And if you google 'Mumsnet intern data breach', @mrsister, you'll see the fuller picture of threads and articles.

One of mine was Monday at 6.36pm - still showed the email address of the poster. So that’s not a ‘short time’ as claimed by MNHQ.

So some busybody (or busybodies) who have appointed themselves Protectors of the Internet, who believe your opinion expressed is not valid and not worthy of being expressed, and already dislike you enough to 'report' you, now know your identity? Wonderful
I never liked that feature to start with but this is not ideal to say the least!
I am one of the 20 'victims'.
Their email to me did not tell me how many lovely do-gooders have my email address.

Their proposed solutions also do not really resolve anything apart from to give you the option of deleting all posts or changing your username. Alternatively, I will need to go through the annoyance of having to set up a new email, then of course, I'll be a 'new poster'. Lol.

"If you would like us to change all your posts to another username, the email address on your Mumsnet account, or indeed delete your posts please let us know and we'll action that straight away."