Due to a security breach we are resetting all passwords across Mumsnet

729 replies

RebeccaMumsnet · 12/04/2014 17:32

Following the recent security breach related to Heartbleed we are resetting the passwords of all users.

On Saturday 12 April, we will remove all passwords from our system and to use the site, you'll need to reset your password by clicking on the password reset link.

Type in your email address and click the 'Request reset' button and you will receive a mail to your Mumsnet registered email account. (You will need to click on the link in the mail within 30 minutes of receiving it, without changing the device you're using, i.e. swapping from phone to laptop, or you'll need to request a further reset).

If you do not receive a mail, please check your spam folder. The password reset mail will come to the email you used when you first registered with Mumsnet.

If you don't receive or can't access your reset mail, please [email protected] for help.

We are very sorry for all the fuss. We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known.

Most importantly, if you use the same password here as elsewhere, we strongly recommend you change your password on the other sites too.

Thanks,

Justine & the MNHQ team

LIZS · 14/04/2014 17:54

yeah finally managed to reset and login !

nannynick · 14/04/2014 18:01

Anya, I think that as the phone is already logged in, it still posts. As soon as it logs out it will need the new password.
So if someone has your username and old password, they now can't log in.

MrsDmitriTippensKrushnic · 14/04/2014 18:10

After trying and failing to reset my password I've finally discovered that I'm using two different email addresses on here - the one I originally joined with, and the updated one that the newsletters etc go to - they both work (and go to the same place- gmail vs googlemail) but I've been trying to reset using latter and it needed the former! Might be worth checking if you're an old user and having problems as the newsletters weren't started for a while.

cazbo16 · 14/04/2014 18:11

Just changed my password. Received reset email almost instantly. Thanks.

RandallFloyd · 14/04/2014 18:21

I don't think it's heavy handed at all. I think HQ have handled this as well as they were able.

I was on the thread where the 'hackers' revealed themselves on Saturday and it was actually pretty unnerving.
Yes, posting as me on MN isn't exactly a big issue and I certainly wouldn't lose any sleep over it but, as AF said, there are a lot of people who seriously value their privacy on here and for good reason.

There is also the obvious issue of the info being used to access other, much more important information.

Also, we only know the basics of what happened, what the hackers chose for us to see. We have no idea what happened behind the scenes and what damage was/potentially could have been done.

All we've had to do is a bit of faffing with a password. HQ have had an absolute shit storm to plough through and they've done it as quickly, transparently and patiently as they could.

I'm really grateful to them and certainly wouldn't want to swap places with them!

Sirzy · 14/04/2014 18:22

I have just had a BBC "breaking news" alert to my phone about this... not bad only 48 hours late! (not sure how it's newsworthy anyway!)

noblegiraffe · 14/04/2014 18:38

The hacker logged in as Justine would have presumably had some serious admin powers tied to that account. Banning posters, deleting stuff.

They were really lucky it was a good guy.

Zucker · 14/04/2014 18:41

Sky news has it as a breaking story now too. Only 2 days late Sky, do keep up!

noblegiraffe · 14/04/2014 18:41

Sirzy it's newsworthy because it's proof that hackers have actually made use of the heartbleed bug to steal data. Up till then any threat was theoretical.

My DH works in IT and he was very interested to hear of the hacking. He went in to work today prepared to put a rocket up his team's arse in terms of sorting the patches out. Before then it was all 'is it a legitimate bug? Is it a real threat? Can it actually be exploited' now it's 'shit, better fix this'.

Keepcalmanddrinkwine · 14/04/2014 18:44

Yay! I'm back. Better safe than sorry, I say.
:)

topknob · 14/04/2014 18:45

I had a BBC notification on my phone about all this...seems a little over the top.

topknob · 14/04/2014 18:45

Should add to that comment, a little over the top by the BBC.

mummylin2495 · 14/04/2014 18:54

This has just been mentioned on ITV news. Didn't say much about it though.

TheCube · 14/04/2014 18:56

Ok whilst I can understand the requirement to alter your password on other sites if it is the same to this one, changing your password on here isn't really going to do much unless you have fixed the SSL library.

It's like changing your password and handing it over to the server to be re-broadcasted.

Once the SSL encryption has been patched or an alternative method of storing your users details has been found changing the details here won't fix anything.

Recommended: hosting via vpn on a secure server (linux free distributable of your choice) the heartbleed will continue to relay info from memory to undisclosed location.

Use an immediate fix: Heartbeat came out a few days ago and although in beta, it patches a lot of the SSL vulnerability.

Use an effective Anti-Malware: Malwarebytes will undoubtedly know about this (last week) and have updated their tables to reflect that.

I know it's not the most comforting message in the world. But on the upside there are fixes. :)

noblegiraffe · 14/04/2014 19:03

Mumsnet have applied the SSL patch, but the data was stolen before that.

The reason people need to change their details on here is so that no one other than the actual user can log into their account.

CinderToffee · 14/04/2014 19:10

This has been an internet security wake up call for me. I've been using the same password for basically everything for years even though I know that's a terrible idea. So I have now installed a password manager and reset good strong new passwords for everything. Took a few hours to sort out, but it should be better in the long run!

antipasty · 14/04/2014 19:18

The dm now have it as breaking news Hmm

riverboat1 · 14/04/2014 19:23

Hi,

I am having some problems...I have 2 registered email addresses with mumsnet, each one linked to a different account. I only ever used the second account (the one I am logged in under now) to post about something sensitive under a different username once or twice.

Anyway, I have reset both email addresses to a new password (the same password for both email addresses).

But when I tried to log in with my normal username (riverboat) with the new password, it says incorrect password.

I finally remembered the username I created with the second email address (the one I am logged in under here) and managed to log in with that. And worked out how to change my username to riverboat1 in my profile.

But I can't change it to riverboat, as that is registered to another user...me, but I can't work out why I can't use that to log in any more!

Does that make any sense at all, and is there a solution?

comicsansisevil · 14/04/2014 19:26

This reply has been deleted

Message withdrawn at poster's request.

nsld · 14/04/2014 19:40

The bigger concern with this is that if Mumsnet has removed all passwords and is telling people to reset passwords on other sites then this probably means that the passwords were stored in an unencrypted format or the encryption keys for the password files were stored with them.

Either way it's a monumental security error on the part of the site, even with full admin rights the passwords should not be viewable and the database of those passwords should be properly secured.

Given the magnitude of the breach have you reported it to the ICO yet?

noblegiraffe · 14/04/2014 20:02

No it doesn't mean the passwords were stored in an unencrypted format. The heartbleed bug is more complicated than stealing passwords from a password database. It's able to steal the plaintext version of your password because that's what you type into your computer when you log into MN. It doesn't steal it from your computer though, it steals it from the MN computer after it has received it.

To be able to steal a password, the hacker needs to be hacking (well, running their hacking program) as you are actually logging in.
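
The mechanism described in the post above, as an added example that is not part of the original thread: a toy C model (not OpenSSL code) of a heartbeat echo that trusts the length the client claims, beside the form that checks it. The memory layout, function names and login string are constructed for illustration; no password database is involved, only a login request that happens to be in server memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE  64   /* toy stand-in for a slice of server process memory */
#define LOGIN_OFF 16   /* where another session's login request happens to sit */

static uint8_t mem[MEM_SIZE];

/* Place a 4-byte heartbeat payload next to a constructed plaintext login POST. */
static size_t setup(void) {
    memset(mem, 0, MEM_SIZE);
    strcpy((char *)mem + LOGIN_OFF, "user=example&password=Constructed1");
    memcpy(mem, "ping", 4);
    return 4;                       /* bytes the client really sent */
}

/* Pre-patch behaviour: echo as many bytes as the client claims it sent. */
static size_t echo_unchecked(size_t claimed, size_t received, uint8_t *out) {
    (void)received;                 /* never compared: this is the bug */
    if (claimed > MEM_SIZE) claimed = MEM_SIZE;   /* keep the toy in bounds */
    memcpy(out, mem, claimed);
    return claimed;
}

/* Patched behaviour: drop any request claiming more than actually arrived. */
static size_t echo_checked(size_t claimed, size_t received, uint8_t *out) {
    if (claimed > received) return 0;
    memcpy(out, mem, claimed);
    return claimed;
}

/* Returns 1 if the reply to a heartbeat claiming `claimed` bytes leaks the password field. */
int leaks(int patched, size_t claimed) {
    uint8_t out[MEM_SIZE];
    size_t received = setup();
    size_t n = patched ? echo_checked(claimed, received, out)
                       : echo_unchecked(claimed, received, out);
    for (size_t i = 0; i + 9 <= n; i++)
        if (memcmp(out + i, "password=", 9) == 0) return 1;
    return 0;
}

int main(void) {
    printf("unpatched, honest length:   leak=%d\n", leaks(0, 4));
    printf("unpatched, inflated length: leak=%d\n", leaks(0, MEM_SIZE));
    printf("patched,   inflated length: leak=%d\n", leaks(1, MEM_SIZE));
    return 0;
}
```

The leak depends on what is in memory at the moment of the request, which is why a password is only exposed if it was recently received by the server.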

AryaOfHouseSnark · 14/04/2014 20:11

I know the discussion has moved on a bit to the tetchy side of things, and sorry if this has already been asked, but ...on my account details page was my postcode, email address and first name. I didn't even know they were there tbh, I had never looked.

Is it likely that they were "taken" by the hackers, is that the sort of thing they were looking for ? What exactly would they do with them if they were ?

AryaOfHouseSnark · 14/04/2014 20:11

Grin techy not tetchy.

sittingatmydeskagain · 14/04/2014 20:14

Main story on the BBC uk news now.

cozietoesie · 14/04/2014 20:14

I suspect that 'tetchy' is just the word to use at the moment. Grin
