
Another Mumsnet data breach

90 replies

kittensinthekitchen · 06/06/2022 23:46

www.mumsnet.com/talk/site_stuff/4564026-change-in-format-of-response-to-report-emails

A user posted in Site Stuff earlier today to say that they'd received a response to a report they'd made, then noticed it included the other user's name and email address.

Justine has said the following

We had a temporary glitch with 'Report this post' for a short time today which meant the email of the person reported was included in the report and in a few cases in responses to those reports. This applies to a very small number of users and we'll be contacting them shortly to let them know. Our DPO has been informed and on his advice we'll report it to the ICO if appropriate. Please be assured the issue is now fixed. We will of course be examining how it happened to ensure it never happens again. We're really sorry for any concern caused.

Has anyone been contacted? If you've noticed you've had a comment deleted today, beware, the person who reported it might have access to your personal information.

Simbaya · 07/06/2022 11:53

I'm not convinced this wasn't malicious.

Moosake · 07/06/2022 12:02

DeaconBoo · 07/06/2022 09:40

Thank you to the person who noticed this on their reporting email and posted about it. Many people wouldn't have given the "report confirmation" email a second glance!

Yes! Could have gone on ages!

pixie5121 · 07/06/2022 12:08

IncessantNameChanger · 07/06/2022 09:05

As a web developer you have to choose to display this and there's no chance it's a slip up. You have to call to the database to retrieve the user details of the poster and then choose to print it to the page.

So your standard display message + whatever strings you called from the DB

Even if you stored the deletion reason on the db next to the reported message it would be as a code and the user details wouldn't be in that section of the db. Everything has / should be separate unless it's stored in the deletion message string which is very unbelievable.

Plus who tested it? UAT? I struggle to see how it happened tbh

Yes, all of this.

The developers working on this site are not just bad, they're horrendous, and would have been fired from any other company weeks ago. I'm not sure MN quite grasp just how bad it is. Like, you actually need to actively try to be this bad.

I am one of the '20' users affected - just my luck, when I barely ever get comments deleted. I use a throwaway email just for this site and don't post anything overly personal, but what if I had? People post all sorts of stuff about their home lives, domestic violence, etc. I've seen people in abusive relationships posting about having affairs. Can you imagine a malicious person getting their email and using it to contact their abusive partner?

I will definitely be taking this further. Luckily for me, I work in tech and deal with this stuff all the time. It won't be Mumsnet's choice whether or not they get reported to the authorities.

IncompleteSenten · 07/06/2022 12:12

I've just checked my email and yes, I have the email address of that stupid "faggot faggot faggot" poster from yesterday

Simbaya · 07/06/2022 12:18

I think it's important for us to know how many posters now have our details. I've also asked for the content of the reports to get an idea of why I was reported and thus figure out how potentially malicious those who have my email address may be.

WaitroseWoman · 07/06/2022 12:57

Very concerning.

WaitroseWoman · 07/06/2022 13:03

There were big problems on the site late last night - DDoS? No word from MNHQ on that.
www.mumsnet.com/talk/site_stuff/4562956-pages-taking-an-age-to-load-anyone-else

Simbaya · 07/06/2022 13:07

I responded to MNHQ email at 11.33am.
I haven't had a response.
So much for sorting it 'immediately'.

Care to respond @MNHQ?

grapewines · 07/06/2022 13:12

WaitroseWoman · 07/06/2022 13:03

There were big problems on the site late last night - DDoS? No word from MNHQ on that.
www.mumsnet.com/talk/site_stuff/4562956-pages-taking-an-age-to-load-anyone-else

I wondered about that.

User487216 · 07/06/2022 13:13

I have a separate email address for MN, I also reregistered a few months ago to clear out anything that may have been there, old usernames and stuff like that, if it gets hacked there isn't much there then.

BenCooperisaGod · 07/06/2022 13:58

For those of you not aware, the feminism section of mn host discussions on gender critical feminism that are not popular with trans rights activists.

I have had a joke theory that the site redevelopment was being done by a transrights activist, as something this shit couldn't have been done by accident.

Suddenly this theory doesn't seem so far fetched. Having e mail addresses revealed to activists would be very damaging for many women who use this site.

FourOclock · 07/06/2022 14:34

This is pretty awful isn't it? Very surprised there's been no response from MNHQ on this thread

Simbaya · 07/06/2022 16:00

@MNHQ Please respond.

Labpictures · 07/06/2022 20:02

TreadingWaters · 06/06/2022 23:53

This is really bloody serious.

MNHQ might let the ICO know? Might?

Might… if appropriate

might!
what

Labpictures · 07/06/2022 20:03

BenCooperisaGod · 07/06/2022 13:58

For those of you not aware, the feminism section of mn host discussions on gender critical feminism that are not popular with trans rights activists.

I have had a joke theory that the site redevelopment was being done by a transrights activist, as something this shit couldn't have been done by accident.

Suddenly this theory doesn't seem so far fetched. Having e mail addresses revealed to activists would be very damaging for many women who use this site.

It puts them at risk in multiple different ways

Simbaya · 07/06/2022 20:11

MNHQ have done nothing to reassure me or safeguard me as a result of them passing my private details to three malicious people.

CARE TO RESPOND????????????

EmpressaurusWitchDoesntBurn · 07/06/2022 21:08

BenCooperisaGod · 07/06/2022 13:58

For those of you not aware, the feminism section of mn host discussions on gender critical feminism that are not popular with trans rights activists.

I have had a joke theory that the site redevelopment was being done by a transrights activist, as something this shit couldn't have been done by accident.

Suddenly this theory doesn't seem so far fetched. Having e mail addresses revealed to activists would be very damaging for many women who use this site.

Yes. Given the number of psychos on Twitter who would love to be able to dox women on the FWR board this is really worrying.

I nearly reported a couple of posts earlier today, I’m glad now that I didn’t get round to it.

Moosake · 07/06/2022 21:21

EmpressaurusWitchDoesntBurn · 07/06/2022 21:08

Yes. Given the number of psychos on Twitter who would love to be able to dox women on the FWR board this is really worrying.

I nearly reported a couple of posts earlier today, I’m glad now that I didn’t get round to it.

I'm never reporting a post again

Johnnysgirl · 07/06/2022 21:24

Moosake · 07/06/2022 21:21

I'm never reporting a post again

They really do seem to have shot themselves in the foot with this latest fiasco.

IncessantNameChanger · 07/06/2022 21:25

Maybe MN might be wise to consult an experienced architect who could advise on encrypting email address? Maybe that's needed?

If you store the email address just once. Only in one place on your database and use its key only in the other parts of the db (single point of truth is an absolute basic in IT) there would be zero reason to ever have emails accessible from anywhere in the first place. But say the table is username, password, email in your user table then why the need to call anything back except the username unless you're logging on? Why would you even need to know the email except for logon or in user settings? My mind boggles.

Or put some proper access rights on that table in the db? Only the database administrators have access to that table on the DB. You could also set up a new table on the db that shows you who looked at the user emails and when.

But only using the username or its key would be the norm. Who repeatedly parses an email address? No wonder it's a bit slow to load.

Nowhere at all does this site display email except in user settings.

It's very odd
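
The layout described in the post above (email stored once, everything else referring to the user by key, a table recording who read an email) together with the kind of test the earlier post asks about, sketched as an added example that is not part of the thread or Mumsnet's code. Table, view and function names are assumptions, the rows are constructed, and SQLite stands in for a server database where table privileges would enforce the restriction.

```python
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL);
CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER REFERENCES users(id), body TEXT);
CREATE TABLE reports (id INTEGER PRIMARY KEY, post_id INTEGER REFERENCES posts(id),
                      reporter_id INTEGER REFERENCES users(id), reason_code TEXT NOT NULL);
-- Audit trail: whose email was read, by which component, why and when.
CREATE TABLE email_access_log (user_id INTEGER, accessed_by TEXT, purpose TEXT, at TEXT);
-- The only projection the report mailer reads: keys and usernames, no email column.
CREATE VIEW report_summary AS
  SELECT r.id AS report_id, r.post_id, r.reason_code, u.username AS author
  FROM reports r JOIN posts p ON p.id = r.post_id JOIN users u ON u.id = p.author_id;
"""

def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "reporter_a", "reporter@example.test"),
        (2, "poster_b", "poster@example.test")])
    conn.execute("INSERT INTO posts VALUES (10, 2, 'sample post')")
    conn.execute("INSERT INTO reports VALUES (100, 10, 1, 'PERSONAL_ATTACK')")
    return conn

def report_confirmation(conn, report_id):
    """Build the reply to the reporter from the email-free view only."""
    row = conn.execute("SELECT post_id, reason_code, author FROM report_summary "
                       "WHERE report_id = ?", (report_id,)).fetchone()
    if row is None:
        raise LookupError(f"no report {report_id}")
    return f"Thanks for reporting post {row[0]} by {row[2]} (reason: {row[1]})."

def get_email(conn, user_id, accessed_by, purpose):
    """Single audited accessor for the email column (logon, user settings)."""
    row = conn.execute("SELECT email FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None:
        raise LookupError(f"no user {user_id}")
    conn.execute("INSERT INTO email_access_log VALUES (?, ?, ?, ?)",
                 (user_id, accessed_by, purpose, datetime.now(timezone.utc).isoformat()))
    return row[0]

def leaks_email(conn, text):
    """Regression check for outgoing mail: True if any stored address appears in text."""
    return any(email in text for (email,) in conn.execute("SELECT email FROM users"))
```

Running `leaks_email` over every rendered notification template in the test suite is the check that would flag a report reply carrying the reported user's address before release.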

MarieBaroneIsMyMom · 07/06/2022 21:37

I’m shocked at how badly MN is handling this.

Justine’s response on this thread is unreal.

www.mumsnet.com/talk/site_stuff/4564499-my-data-has-been-breached?reply=117744975

Harridan1981 · 07/06/2022 22:03

Surely someone could have gone around reporting anyone they wanted the details of once they realised? How can mn keep tabs?

Diverseopinions · 07/06/2022 22:28

What are TRAs and MRAs?

Thanks

Sortilege · 07/06/2022 22:56

This is why I re-regged under a burner email and fake name and won’t upgrade to premium. How anyone can trust them with real details to access premium defeats me.

Sortilege · 07/06/2022 22:56

Diverseopinions · 07/06/2022 22:28

What are TRAs and MRAs?

Thanks

Trans rights activists and men’s rights activists. Place is swarming with them.
