
AIBU to say Mumsnet have lost my trust.

110 replies

Beelzebop · 08/02/2019 23:01

We discuss all sorts on here. From colours of duvet covers to rape. And you let someone steal all our secrets and honest conversation.
It takes you 48 hours to tell me.
Daily Mail anyone?
Poor show indeed Mumsnet.

safariboot · 09/02/2019 10:48

Some major corporations have kept their data breaches secret for years. MN have responded as quickly as they could reasonably do I think.

It's a type of bug I've heard of happening on other systems, so I think it is probably just a bug and not a malicious backdoor. It would also be rather hard for any attacker to deliberately exploit.

ravenshope · 09/02/2019 10:54

just reentered it and apparently no paste so I misread it sorry

Coldandfrosty · 09/02/2019 11:02

I haven't received this email.

I get daily thread emails but not this

ChocFreak · 09/02/2019 11:20

Santaclarita I entered my email address into haveibeenpwned and it said there had been 3 data breaches and 'no pastes'. What exactly does 'no pastes' mean? (Obviously I will go and change the passwords for the websites which were breached.)

MirriVan · 09/02/2019 11:29

This reply has been deleted

Message withdrawn at poster's request.

cucumbergin · 09/02/2019 11:30

Password hygiene had absolutely nothing to do with this breach. It was an upgrade.

Whether they should have caught it in testing: arguably, they could have caught it during development, depending on what caused the issue and whether it was dependent on environment. (E.g. might behave differently between a dev's laptop and between AWS or whoever their new cloud provider is).

But there are always endless things to test and some escapes will happen, though I would expect most focus to be given to high priority areas (such as this one!). Whether testing would look at the effect of two users logging in at exactly the same time? If you have professional testers, yes, fuck yeah I would expect them to consider that a site with millions of users might have concurrent login attempts!

But many organisations will hire bargain basement testers who will plod through a few obvious scenarios and stop there. MN - if you're paying under £50k for testers in London, you are not paying enough.

The other side of it: the fact they didn't roll back swiftly, suggests either a failure of comms, processes, or that they really hadn't planned to have to do a swift switch back and ran around screaming for 12 hours.

All the above is guesswork of course.

ComeMonday · 09/02/2019 11:45

It’s easy to say just leave the site but there isn’t anything else like it. Just because I don’t want my data breached doesn’t mean I don’t enjoy the conversation and connection I get from Mumsnet. Is life really that black and white for anyone? Do you not have any complaints about anything you own or any business that you patronize? Most people have more nuanced feelings about things. They weigh up the pros and cons and if the pros outweigh the cons they stay. It doesn’t mean they can’t complain or consider leaving bc of the cons.

ComeMonday · 09/02/2019 11:55

And yes MN is a business, we all know that. But they certainly do everything possible to create a friendly, chatty atmosphere, like we’re all just a bunch of regular gals gabbing over our third glass of wine. The casual folksy tone of most MNHQ posts is excruciating. People are slowly learning how to be safe online but it’s still complicated for a lot of Internetters and this site in particular really cultivates a feeling of trust. It’s a powerful thing and they are very good at it. I’m not absolving users of their responsibility to protect their identity but it’s not black and white. There are many issues at play and definitely a conversation to be had. Simply saying “it’s a business, you got what you deserved” is a total cop out.

Strawberrypancakes · 09/02/2019 12:01

This reply has been deleted

Message withdrawn at poster's request.

Santaclarita · 09/02/2019 12:02

ChocFreak

It means that they haven't been found in a 'pastebin', so basically somewhere a hacker has dumped the information, usually a sample before trying to sell it or they will just dump the entire lot of info for anyone to have fun with.

It's best to assume that someone does have the password basically and just change it.

Santaclarita · 09/02/2019 12:05

But many organisations will hire bargain basement testers who will plod through a few obvious scenarios and stop there. MN - if you're paying under £50k for testers in London, you are not paying enough.

You should see what they pay some security consultants in London. Some of them are paying 30k below average, and these are banks! You are never going to get decent people with that. It's scary to think that they are in charge of your money.

Meangirls36 · 09/02/2019 12:24

Women put a lot of stuff on here about domestic abuse. It needs better security.

QwertyLou · 09/02/2019 13:13

OP, YANBU. It’s not the data breach itself that concerns me the most. But the fact that many users remain completely unaware that it even occurred... and so can’t take steps to protect themselves in future. That’s why it matters that some people never received the email.

ChocFreak · 09/02/2019 13:45

Santaclarita thanks for taking the time to reply, I have changed my passwords now. It's scary how much info hackers can get hold of. Some time ago Dh set up an app on the laptop to record passwords for all the various online accounts we have. I do have a unique password for each account, so even if one was hacked none of the others would be compromised (I hope!).

ChocFreak · 09/02/2019 13:51

QwertyLou I only received the email from Mumsnet last night saying there had been a breach. I think they should have emailed much sooner.

Santaclarita · 09/02/2019 14:00

ChocFreak it's alright. Make sure that app is password protected too. Some of them allow it, I imagine some don't.

Gina2012 · 09/02/2019 14:32

Maybe I am naive....

But if you use a non identifiable email address

And a password not linked to any other website you use (which is good practice anyway)

And delete messages once conversation finished (good practice)

And don't give away personal ID (why would you?)

And remember it's the internet and a public website

A small breach of data such as has been described by MN - is not a problem

However if you give away loads about who you are (which imo is stupid as it's a public website) and you are one of those affected by the data breach - then, yes, I'd be worried

VanGoghsDog · 09/02/2019 16:26

If we face facts in this instance, someone out there will have got access to one of those accounts. They then assume that like most people, that person doesn't bother changing their password. They now have access to everything.

Except MN have confirmed that no one had access to anyone else's password, that passwords are encrypted (which I think was a new measure after the previous breach) and that in order to open the password page in the account you need to enter the password.

I think people should stop scaremongering.

Confusedbeetle · 09/02/2019 16:36

Anyone who thinks data is safe anywhere is naive. We take the risks. This is the nature of online. We are not the customers, we are the product.

Confusedbeetle · 09/02/2019 16:37

Use a password manager like LAST PASS

Gina2012 · 09/02/2019 17:21

I agree @Confusedbeetle

HeathRobinson · 09/02/2019 17:59

Received my email 17.09.

53rdWay · 09/02/2019 18:01

A small breach of data such as has been described by MN - is not a problem

What troubles me more is that it took so long after the problem was first reported before the issue was fixed. In most of that time, MN didn't know exactly what was going on. Fortunately it turned out to only be a small number of users and a limited issue this time, next time it might be a bigger problem where a lot more damage can get done in the 24+ hours.

Seniorschoolmum · 09/02/2019 18:07

I work in tech and MN did it by the book. They acknowledged the problem immediately, informed all involved almost as soon as they found out, they carried out a software downgrade that fixed the problem and they forced everyone to log out and log in again.
Compared to most data breaches I’ve worked on, it was a text book response. I know companies who didn’t even realise they’d been hacked for 8 months and then tried to cover it up.

Greensleeves · 09/02/2019 18:11

I still haven't had an email @MNHQ, should I have received one?
