AIBU?

to tell you to CHANGE YOUR PASSWORD NOW

466 replies

BoreOfWhabylon · 19/08/2015 00:08

No, no I'm not.

See the stickied thread from Justine re hackers and go to the end. The Troll has just dumped a load of MN usernames and passwords on twitter.

Itsmine · 19/08/2015 10:32

This reply has been deleted

Message withdrawn at poster's request.

sharonthewaspandthewineywall · 19/08/2015 10:33

Just skimmed and can't see myself but can't help but Grin that there's a poster called Preggerswithcheggars!! Please reveal yourself!

Ifyourawizardwhydouwearglasses · 19/08/2015 10:33

Please could someone check if I'm on the list?

Itsmine · 19/08/2015 10:34

This reply has been deleted

Message withdrawn at poster's request.

Hulababy · 19/08/2015 10:34

And yes, think Mumsnet was targeted due to it being mainly female parents. Look at who he follows - Seems to be some potential link with Fathers 4 Justice. So if he is only following them - it's safe to assume he has similar beliefs. So Mumsnet is the perfect target.

TallylynLake · 19/08/2015 10:34

This reply has been deleted

Message deleted by MNHQ. Here's a link to our Talk Guidelines.

Sometimesjustonesecond · 19/08/2015 10:37

please would someone check if I am on the list or pm me to tell me how to check myself? thanks

Shinyshoes123 · 19/08/2015 10:37

Am I on the list please ?? I can't find the tweet with the list on

akkakk · 19/08/2015 10:39

itsmine
sorry, on here:
www.mumsnet.com/Talk/_chat/2451977-Am-I-on-the-list towards the bottom and clear lists with bold points :)

I have only ever posted on that thread and this - I am a long time lurker who thought that actually for once I had something to offer to mumsnet :) so an advanced search on my user akkakk will find everything

BloodyDogHairs · 19/08/2015 10:43

Thank you tall

Sometimesjustonesecond · 19/08/2015 10:47

thank you

TallylynLake · 19/08/2015 10:49

This reply has been deleted

Message deleted by MNHQ. Here's a link to our Talk Guidelines.

Itsmine · 19/08/2015 10:51

This reply has been deleted

Message withdrawn at poster's request.

PuntasticUsername · 19/08/2015 10:51

Re passwords...yes, it's annoying to see so many weak passwords in use, but having a go at people isn't the best way to solve that. People struggle with passwords because these days we all have dozens of the little bastards, and generally password policies have totally unrealistic requirements ie make it long, complex and random, which means you can't remember it - but no, you aren't allowed to write it down either. You mustn't share it, and you must use a different one for each system...
This advice is, in reality, totally impossible to follow.

So. I know a bit about this stuff, and I suggest the following: forget all the standard password advice. It sucks. Do this instead:

  1. Install good security software AND KEEP IT PATCHED. This is the single most important thing you can do to protect yourself online. And when you get those boxes popping up saying "Er, I think this website is a bit dodgy actually", don't just ignore them and click through anyway!
  2. Don't create passwords by doing simple number/character substitutions, and don't use a simple scheme such as password = username+sitename, maybe with a 1 on the end, and increasing the number by 1 every time you have to change it. These are all strategies that attackers are very well aware of, so they don't really protect you at all.

Instead, try a password generation scheme such as sticking three random words together - this is reasonably memorable but (as long as the words aren't obviously linked eg cat-sat-mat) not straightforward to guess.

  3. Don't worry about making a password strong enough to withstand a brute force attack - this is effectively almost impossible these days, due to the wide availability of cheap computing power, and brute force is not even the most significant attack vector - as we've seen here, stealing credentials via phishing or malware is far more prevalent and with those, password strength doesn't make a blind bit of difference.
  4. Do not reuse passwords between systems/websites you care about. Sure, use a single, weak password for sites you don't care about eg one where you just go to buy one thing then never return to, or which don't protect valuable personal information. Because if that one does get nobbled, you don't need to care. Put your effort into making sure the info you DO care about is better protected.
  5. Writing passwords down isn't the worst thing in the world, and is probably inevitable for passwords you don't use regularly - most people just can't retain these in memory no matter how hard they try. Writing them on a bit of paper and then protecting that paper accordingly is a reasonable way of doing this. Alternatively, there are loads of software password managers available so you could use one of those - just bear in mind that these will have weaknesses, just the same as any other piece of software, and attackers will attack them if they can.

And here endeth the lesson...
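
An added example, not part of the original post: a Python sketch of the three-random-words scheme described above, next to a check that flags the schemes the post warns against (username+sitename with a trailing counter, and character substitutions on a common word). The word lists and all function names are constructed for illustration; a real word list needs thousands of unrelated words.

```python
import math
import secrets

# Constructed sample word list; far too small for real use.
WORDS = ["anchor", "biscuit", "cactus", "dolphin", "ember", "falcon", "gravel",
         "harbour", "igloo", "jigsaw", "kettle", "lantern", "marble", "nutmeg",
         "orchid", "pebble"]

# Constructed sample of well-known weak passwords.
COMMON = {"password", "letmein", "monkey", "dragon", "welcome"}

# Common substitutions, undone before comparing against COMMON.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def generate_passphrase(words=WORDS, count=3, sep="-"):
    """Join `count` words, each drawn independently with the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))

def passphrase_bits(wordlist_size, count=3):
    """Entropy in bits for `count` uniform, independent draws."""
    return count * math.log2(wordlist_size)

def weak_scheme_reasons(password, username, sitename):
    """Return the reasons a password matches a predictable scheme."""
    pw = password.lower()
    stem = pw.rstrip("0123456789")  # drop a trailing counter such as ...1, ...2
    user, site = username.lower(), sitename.lower()
    reasons = []
    if stem and stem in (user, site, user + site, site + user):
        reasons.append("username/sitename scheme")
    for candidate in (pw, stem):
        plain = candidate.translate(LEET)
        if plain in COMMON:
            reasons.append("common word" if plain == candidate
                           else "character substitution on a common word")
            break
    return reasons

if __name__ == "__main__":
    print(generate_passphrase())
    print(weak_scheme_reasons("janedoeexamplesite1", "janedoe", "examplesite"))
    print(weak_scheme_reasons("P4ssw0rd2", "janedoe", "examplesite"))
```
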

MaidOfStars · 19/08/2015 11:01

Punt Was going to start a thread on password strategies (I don't have anything particular to share, but could learn a lot!). Fancy that?

MuddlePuddle · 19/08/2015 11:05

I am on the list but the password showing is wrong. It is not the password I was using and not the one I just changed it to. They must have got the info from a fake login page and I typed my password in wrong.

TallylynLake · 19/08/2015 11:05

This reply has been deleted

Message deleted by MNHQ. Here's a link to our Talk Guidelines.

leedy · 19/08/2015 11:08

Excellent advice from Puntastic there, on all counts. All my "useful" passwords are a two or three word phrase that means something to me but are probably not something someone is going to guess immediately (one of them is, eg, the very silly name of an old cuddly toy of mine followed by the type of toy, which unless you actually stalked me from childhood....).

differentnameforthis · 19/08/2015 11:09

I think that given the amount of duplicates, even triplicates, and more on the list it isn't a copy & paste of data held on the website. If he had copied our usernames from the site he wouldn't have had so many duplicates.

I wonder why some are on it and not others? I'm not a prolific poster but was concerned about the password. because the data wasn't collected by gaining access to the encryption section, he got them from a phishing page that not everyone used. Also accounts for the multiple entries for the same person.

It matters for the folk who are using the same username and password across multiple sites.. But why would you do that...it's internet101, not using the same dets for various sites.

He's done a public pastebin dump. There are over 3000 names on the list. Totally public. With many copies! Some people are on there 6/7 times, which should be enough to tell you that 1] he doesn't have 3000 & 2] this wasn't taken from the MN list of usernames & passwords.

*Even if it was phishing they had Admin log in as can be seen on the lists so they had full site access. They are encrypted & MN can't even see them! And if he did have several thousands of them, why publish the wonky list that he did?

Did he just select a random day/hour/minute and pick all the ones that were active? No, that isn't how it was done.

MaidOfStars · 19/08/2015 11:11

Yep, he's taken segw_

PuntasticUsername · 19/08/2015 11:13

Thanks Leedy and Maid yeah, great idea - let's get something positive out of this and get people to think about passwords while our minds are all nicely focused on how important Internet security is!

I need to go and do some work now but feel free to c&p my words onto new thread, I'll try and check into it from time to time.

Oh, I just wrote something on another AIBU thread saying don't change your passwords regularly just for the sake of it - this offers little meaningful protection and is just yet another fanny-ache for the user in recalling yet another new password.

MaidOfStars · 19/08/2015 11:14

There are pictures of the previous user on that hacked Twitter account.

akkakk · 19/08/2015 11:14

some points to make...

padlock
a padlock in your URL bar (the bit where you type which website to visit) simply means that there is an SSL certificate in place.
generally green means everything is under SSL
generally yellow means that some content has been pulled in from a non-SSL website (e.g. a graphic) and is not an issue
generally red means there is an issue with the SSL certificate
SSL certificates are all about encrypting the conversation between your computer and the server - it stops someone strange sitting at the next table to you at a cafe grabbing your typing over wifi - it will be encrypted...

It makes no difference to a phishing attack / this situation / keyloggers etc. where what you type is seen directly...

what data has been breached
perhaps surprisingly, probably not much...
I should say that I don't know the MN setup, but I do run a web company building websites :)

  • your username and password will give the hacker access to your profile / account.
  • they can post as you
  • they can upload / remove photos
  • they can see your email address
  • they can see your PMs

as far as I know that is all - your account doesn't give access to anything else - the MN Admin account will probably let them delete people's posts / delete users / choose which biscuit appears on deleted threads - but I suspect that it is no longer compromised as if I had been the hacker I would have been deleting these threads :)

In reality, the hacker will not have had the time or interest to go through personal accounts reading PMs / or even as Admin to wreak a trail of havoc - the fact that more hasn't happened indicates that the publishing of the data was the goal = embarrassment...

so probably there will be little issue for most people and in a few days all will be back to normal!

if you are worried - then it is only a few possible issues:

  • your email address (if you use it elsewhere to log in, change the password)
  • your PMs - if concerned, delete them.
everything else pretty much is public anyway...

micklemucklemess · 19/08/2015 11:14

I wasn't on the list under my old name, but I didn't just want to change my password because it's connected to my e-mail (paranoid I suppose) so I've just created a new e-mail account specifically for this site. I probably won't be the only one.

leedy · 19/08/2015 11:15

"saying don't change your passwords regularly just for the sake of it - this offers little meaningful protection and is just yet another fanny-ache for the user in recalling yet another new password."

yuppers