Possible MN Heartbleed vulnerability

41 replies

cozietoesie · 10/04/2014 10:17

Without wanting to start a scare where the reality of the problem might be limited, are MNHQ recommending a change of password to users given that Mumsnet looks at the moment to be one of the sites classified as vulnerable?

moondog · 12/04/2014 12:23

The safest thing to do is use one of the online checkers posted earlier in this thread to see if a site you use is still vulnerable to heartbleed. If it is - don't go changing your password there! A hacker could be listening and will see you do it. If however, the online checker says the site is safe, then it is safe to go change your password there and hackers will probably not be able to listen.

I hope you all stay safe on the internet :)

BackOnlyBriefly · 12/04/2014 15:01

LastPass does seem the best bet. I use it, but have not yet gone all the way with huge unpronounceable passwords for each site.

As for LastPass getting hacked, I was wondering about that myself, but I'm not sure it's possible. The master password stays on your PC so the site never really sees the cleartext.

Nanny0gg · 13/04/2014 00:21

So, the email I've just received signed from Justine, telling me that all MN passwords have been deleted, to set a new one and make sure all other passwords are changed - genuine or not?

HarveySchlumpfenburger · 13/04/2014 00:54

Genuine. You can do it through the link on this thread.

yelwah · 13/04/2014 05:20

Some sage advice on passwords xkcd.com/936/

And there is nothing wrong with writing passwords down, you have your bank account numbers written down on every statement and your bank cards, just keep the list somewhere safe, that means on paper, NOT in a Word document on your computer.

Keepithidden · 13/04/2014 20:02

Well, this is interesting, someone has used the same user name as me! They also know a lot more about hacking than me too!

MN how does this work?

cozietoesie · 13/04/2014 20:05

Yikes. Email them directly.

cozietoesie · 13/04/2014 20:06

Sorry - that should have read 'email MNHQ directly.'

noblegiraffe · 13/04/2014 21:26

Keepithidden, the hacker who knew Justine's password also found out yours, and others. They posted as Justine to expose the problem, and when tech didn't appreciate the extent of the vulnerability, they logged in as you and some other posters too.

So they don't have the same username as you, they used your password and logged into your account.

Hopefully you have changed your password now so they can't do it again.

cozietoesie · 13/04/2014 21:38

giraffe

That is the same user name used above on the thread. It bears checking out in any case.

DinoSnores · 13/04/2014 21:51

cozie, it is the same username not because there are two distinct users with the same name, but because the hacker had Keepithidden's password, so logged in as them to leave Tech a message, so it is not the same user name as such, but the same account that has been used by someone else.

cozietoesie · 13/04/2014 22:10

Oh I took that point, Dino. Rather depends on the behind the scenes timing doesn't it. (Any password changes etc.) And there have been some unsettling things happening.

It's best it's reported to HQ however - who knows what else they may have done with that account if they had it under control - so that Keepit can clear her name.

Eg-get rid of the suspicion of sending questionable messages to Tech! Grin

noblegiraffe · 13/04/2014 22:24

The person who hacked Justine posted about it on another forum, including the use of keepithidden's account to talk to tech.

They don't seem to have had any malicious intent, merely trying to get MN to accept the scope of the issue and force a password change.

It wasn't the same person as whoever posted the list of usernames and passwords on the internet.

cozietoesie · 13/04/2014 22:27

Interesting - thanks giraffe.

(You mean there really was a questionable message to Tech? I just made that up! Shock)

BIWI · 13/04/2014 22:28

Do you have a link to that, noblegiraffe? I'd be interested in reading it

Keepithidden · 14/04/2014 09:27

Thanks everyone, finally managed a password change.

Going to be interesting if I keep getting emails asking about Tech help from MN though. I'm not at all computer-savvy!