AIBU?

To be irritated at MN security changes this morning!

56 replies

Happyringo · 13/04/2014 07:27

Yeah ok I know it's for security, but Ffs! I couldn't log in, so I tried password reset but it wouldn't send the password to my registered email address, kept saying it wasn't valid, so I've had to create a new email address and therefore a new user name just to get my Sunday morning fix of aibu! Gggrrr! RIP ilovechips and hello happyringo...

adoptmama · 13/04/2014 07:58

the thing is though that if you changed your password on here before MN issued a patch for Heartbleed, all you have potentially done is give your old and new password to hackers.

eurochick most people would probably agree that it doesn't matter if usernames/passwords for a public forum are hacked if that is all that is accessible. however most people still use the same 1 or 2 passwords for everything - amazon, internet banking, email etc - so if hackers are able to access MN and get your name and password there is a good chance they can then exploit this information to access other sites. A simple preventative is not to use only a few passwords but to have unique passwords for each site you use: but so many sites want user names and passwords now that people do tend to simply use variations on a very small theme to make it easy to remember.

hellsbells99 - user name info has not been posted on any site. the security changes are being made because of the vulnerability in OpenSSL which means that hackers could access MN's own secure encrypted data (like their site banking details, business communications, personal info of members etc) as well as the users' passwords etc. Most people make their personal information more available on facebook than on here so it is not that big a deal to MN forum users. It is a big deal to people if you have bought something thru a site using OpenSSL. It is a very big deal to businesses as it means their business communications, emails, banking details, staff details etc could have been hacked without a trace being left.

SaltyandSweet · 13/04/2014 07:58

It was a doddle. YABU for not taking internet security seriously and for probably not even trying to understand Heartbleed. I think MNHQ have handled this very well.

EverythingIsAwesome · 13/04/2014 08:01

adoptmama, a list of some usernames and passwords were published somewhere on the net, but I think MNHQ have emailed those on the list.

Oody · 13/04/2014 08:02

Adoptmama the site I saw yesterday had username AND passwords

Happyringo · 13/04/2014 08:03

I do take Internet security very seriously. My mumsnet password was different to any other online password, as recommended. I was just having a bit of a moan about the hassle to log in when I just wanted to read aibu with my morning coffee, not actually having a real life teeth gnashing wailing drama!

magimedi · 13/04/2014 08:04

YABU - It takes 2 minutes to change passwords & quite honestly it is something you should do on a regular basis anyhow.

Indith · 13/04/2014 08:05

op surely if you were having trouble getting it to email you sending a quick message to mn to confirm your email would have been a leeetle easier than creating a new email and a new mn account wouldn't it?

changed mine yesterday. Since I was still logged in before logging out to change it I checked my registered email in my account details first.

Happyringo · 13/04/2014 08:07

Not really - it took less than a minute to create a new account and as I don't post that often anyway it doesn't really matter to me. Like I said just now, it was a minor irritation...

Minnieisthedevilmouse · 13/04/2014 08:10

Sorry

Ok done that change now in case I did too early etc

So what's heartbleed? What was it that started all this....?

adoptmama · 13/04/2014 08:14

I'm not sure anything was posted on the internet as the thread on the password changes says "if they managed to copy passwords before we got the fix in place" (MNHQ post at 17:58 yesterday). I know that some people posted there was a very short list online for 20 minutes with usernames and passwords, although some usernames had been slightly altered.

My reading of their threads is that there is no proof that anything was accessed (which could only be done by someone previously stealing your data and logging in as you) and they cannot confirm as to whether anything genuine was posted. It would be easy for me - or any troll - to cull names off here and then post a 'password' next to it. As some people on here allow you to click on their user names and have a public profile - pics of their kids, house (doh), work place etc it would be quite easy to publish a short convincing looking list. Doesn't mean it wasn't genuine but MN patched the site last week so any breach was a while ago, if it happened which makes me sceptical of any 'list' which surfaced yesterday, coincidentally at the same time the password change info hit the site here.

I think MN are simply following the advice given to all site operators to have users change security information rather than reacting to an actual known breach.

I could be wrong, but that is my reading of it. Perhaps MNHQ themselves could clarify whether or not some genuine user information was taken due to heartbleed and posted anywhere.

ohdearitshappeningtome · 13/04/2014 08:19

Eurg!

I use the app - also wasn't on mn yesterday also didn't get email!

Had to register a new name!

Balls! But understand why

atomicyoghurt · 13/04/2014 08:21

Here's a comic to explain how it works:

heartbleed

It's not necessarily the mumsnet password that is the issue, it's if you use the same email, password, etc etc for other things.

You really should change your password every so often anyway.

eurochick · 13/04/2014 08:24

I agree with that advice, adoptmama. I don't use this username and password anywhere else, so that is why I don't really care about this.

EverythingIsAwesome · 13/04/2014 08:25

Well, they most definitely managed to sign in as Justine & post a thread, so I think that alone is enough to make people change their passwords. Unless of course, you don't mind people signing in as you & posting shite.

poorbuthappy · 13/04/2014 08:32

I'm glad that most of you managed to do it easily.
I can't reset my password because they sent me an email at 4.45 this morning and of course it expired before I got to it.
I have now logged it via FB but can't use the app.
Not ranting cos I understand why it's been done, but it's certainly not easy for everyone!

WillieWaggledagger · 13/04/2014 08:36

1. A small number of usernames and passwords were made freely available on the web - easily googleable (I found it quickly). You don't know what has been posted in areas that are not freely available or easily discoverable
2. Justine's login details were used to impersonate her. The same could happen to you if your details have been made available, regardless of whether you use the same password elsewhere
3. If you changed your login details before the patch was fixed you may have given both your old and new passwords to anyone who has hacked, so best to follow the reset instructions

It's a pain but necessary and I think MNHQ are doing their best under the circumstances. MN always seems to attract those who are up to mischief sadly

ICanSeeTheSun · 13/04/2014 08:37

I am glad MN have taken this very seriously.

WillieWaggledagger · 13/04/2014 08:37

I tried to do the password reset last night but the email didn't come through for hours. I was asleep when it came through so obviously the link had expired by this morning. Clearly the system was overloaded with requests. It was fine this morning and very quick and easy

ICanSeeTheSun · 13/04/2014 08:38

Not been able to reset MN password, but I know mnhq is very busy and during the next few days I will be able to do it.

Jollyphonics · 13/04/2014 08:43

I don't understand why some people can do it but some can't. I've requested two reset emails but they haven't come. Can't change my password manually as the old one no longer exists. But strangely I can still post.

AWimbaWay · 13/04/2014 08:51

MostlyMama, Tigerbomb posted a link on a thread yesterday (her post has since been deleted) it linked to a website which had a long list of mumsnet usernames AND their passwords, I recognised a few of the names. It was at this point that mnhq decided to ask everyone to change their passwords.

littlewhitebag · 13/04/2014 08:57

I've just re set mine. I logged out then logged back in with my user name but pressed the 'forgot my password' button. I got an e mail then to re set it. It took minutes. I didn't need to change my user name.

Hoppinggreen · 13/04/2014 09:08

I am usually permanently logged in but it kept chucking me out yesterday but I could get back in with my usual password.
I got the reset email but when I followed it I just ended up here - with no need to put my password ( new or otherwise) in.
Confused!!!!

gordyslovesheep · 13/04/2014 09:12

same as you Hopping - I haven't had to change mine

noblegiraffe · 13/04/2014 09:17

"I think MN are simply following the advice given to all site operators to have users change security information rather than reacting to an actual known breach."

No, we know Justine's password was stolen and misused. We also know that a list of usernames and passwords to mn has been posted on the internet. Given that they proved they have Justine's genuine password, this is enough to suspect that they have others, and not just the ones on the site linked to yesterday.

Hence the password reset.
