Due to a security breach we are resetting all passwords across Mumsnet

[RebeccaMumsnet]

Following the recent security breach related to Heartbleed we are reseting the passwords of all users.

On Saturday 12 April, we will remove all passwords from our system and to use the site, you'll need to reset your password by clicking on the password reset link.

Type in your email address and click the 'Request reset' button and you will receive a mail to your Mumsnet registered email account. (You will need to click on the link in the mail within 30 minutes of receiving it, without changing the device you're using i.e swapping from phone to laptop, or you'll need to request a further reset).

If you do not receive a mail, please check you spam folder. The password reset mail will come to the email you used when you first registered with Mumsnet.

If you don't receive or can't access your reset mail, please [email protected] for help.

We are very sorry for all the fuss. We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known.

Most importantly, if you use the same password here as elsewhere, we strongly recommend you change your password on the other sites too.

Thanks,

Justine & the MNHQ team

@trace2

We need to know if mumsnet has been patched because if not then the new password will be as vulnerable as the one it replaces.

Yes we did the patch last week trace2 - our best guess is that the breach occurred before then

Rowan can probably confirm this but I think it has been patched a couple of days ago. Unfortunately the data was taken before it was patched and very few people had changed their passwords since then.

oops x posts

It won't let me add the photo

VelocityViewServlet : Error processing a template for path '/resend-registration-confirm'
Unable to find resource 'mobile/registration/regconfirmresender.html'
org.apache.velocity.exception.ResourceNotFoundException: Unable to find resource 'mobile/registration/regconfirmresender.html'
at org.apache.velocity.runtime.resource.ResourceManagerImpl.loadResource(ResourceManagerImpl.java:483)
at org.apache.velocity.runtime.resource.ResourceManagerImpl.getResource(ResourceManagerImpl.java:354)
at org.apache.velocity.runtime.RuntimeInstance.getTemplate(RuntimeInstance.java:1400)
at org.apache.velocity.runtime.directive.Parse.render(Parse.java:198)
at org.apache.velocity.runtime.parser.node.ASTDirective.render(ASTDirective.java:175)
at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:336)
at org.apache.velocity.Template.merge(Template.java:328)
at org.apache.velocity.Template.merge(Template.java:235)
at org.apache.velocity.tools.view.servlet.VelocityViewServlet.performMerge(VelocityViewServlet.java:805)
at com.mumsnet.baseservlets.CommonBaseServlet.performMerge(CommonBaseServlet.java:420)
at org.apache.velocity.tools.view.servlet.VelocityViewServlet.mergeTemplate(VelocityViewServlet.java:762)
at org.apache.velocity.tools.view.servlet.VelocityViewServlet.doRequest(VelocityViewServlet.java:555)
at org.apache.velocity.tools.view.servlet.VelocityViewServlet.doGet(VelocityViewServlet.java:509)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.mumsnet.filters.SessionNotifierInitialisationFilter.doFilter(SessionNotifierInitialisationFilter.java:28)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.mumsnet.filters.AdvertisingFilter.doFilter(AdvertisingFilter.java:186)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.mumsnet.filters.ReferralTrackingFilter.doFilter(ReferralTrackingFilter.java:154)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.mumsnet.filters.FirstSeenCookieFilter.doFilter(FirstSeenCookieFilter.java:34)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.mumsnet.security.filters.SecureCookieVerificationFilter.doFilter(SecureCookieVerificationFilter.java:58)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.mumsnet.filters.ResponseMetricFilter.doFilter(ResponseMetricFilter.java:40)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.mumsnet.filters.AuthenticationFilter.doFilter(AuthenticationFilter.java:45)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at com.mumsnet.filters.RequestFilter.doFilter(RequestFilter.java:47)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
at de.javakaffee.web.msm.RequestTrackingContextValve.invoke(RequestTrackingContextValve.java:99)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at de.javakaffee.web.msm.RequestTrackingHostValve.invoke(RequestTrackingHostValve.java:170)
at de.javakaffee.web.msm.RequestTrackingHostValve.invoke(RequestTrackingHostValve.java:138)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:200)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:603)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:619)

Thank you x

@InspirationFailed

I can't change my password.

I clicked the link to reset

Change the password

Try to log in and get the 'unverified account' message and it tells me to click a link in the confirmation email.

But there is no link in it, so I click to resend the confirmation email and get this message (on the photo)

I'm assuming I'm logged in now under my old password (I clicked to log in with google and it logged me in without me having to put any password in)

Hmm that's odd - anyone else finding that the Google log-in is allowing you to circumvent the password reset?

Sorry Inspiration, your photo didn't upload

sorry x-post Inspiration - can you email in to [email protected]?

I had a message to change internet provider too. I'm going to cancel my credit card I think.

I've had this password since 2003. Sniff

Beyond credit cards what else could be exposed do you think?

Mnhq. If you're emailing me wrt anything my hotmail is out. So try twitter.
0

A message from who, Windymill?

I've not used the google log in, and I'm no expert but wouldn't it use your google password to log you in not a specific MN one? I don't know if it's under MN's control.

Ah we've just had a sudden rush of emails saying the password reset mail either isn't arriving or is blank when it does arrive - we're getting Tech to take a look now.

Inspiration, are you posting using the app?

From my internet provider so wondering if this is viral. Obviously not going to say who my internet provider is on here. Interner provider password not provider - sorry typed fast.

So, is this why we were all being logged out then?

So does this mean our personal identities could be out there then?

strange.

I'm posting using the mobile site, I logged out and tried to log in again and the only way I can do it is to go via google. It hasn't asked me for any password at all. I've emailed.

@InspirationFailed

I'm posting using the mobile site, I logged out and tried to log in again and the only way I can do it is to go via google. It hasn't asked me for any password at all. I've emailed.

We've replied to you now Inspiration

Thank you :-)

MNHQ, please could you answer a question?

Our usernames and passwords have been published online, is that correct? But is that purely the current username, or all our old ones too?

Trying to change the password on my account, type in my old password which I kept having to use to log in with yesterday but its now saying it doesn't recognise it! How can I change it if I don't know what it is to start with?