
Due to a security breach we are resetting all passwords across Mumsnet

729 replies

RebeccaMumsnet · 12/04/2014 17:32

Following the recent security breach related to Heartbleed we are resetting the passwords of all users.

On Saturday 12 April, we will remove all passwords from our system and to use the site, you'll need to reset your password by clicking on the password reset link.

Type in your email address and click the 'Request reset' button and you will receive a mail to your Mumsnet registered email account. (You will need to click on the link in the mail within 30 minutes of receiving it, without changing the device you're using, i.e. swapping from phone to laptop, or you'll need to request a further reset).

If you do not receive a mail, please check your spam folder. The password reset mail will come to the email you used when you first registered with Mumsnet.

If you don't receive or can't access your reset mail, please [email protected] for help.

We are very sorry for all the fuss. We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the Heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known.

Most importantly, if you use the same password here as elsewhere, we strongly recommend you change your password on the other sites too.

Thanks,

Justine & the MNHQ team
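
The reset link described in the announcement above (valid for 30 minutes, usable only from the device that requested it) can be modelled as follows. This is an added example, not Mumsnet's code; the `ResetTokenStore` class, the device identifier (for instance a cookie set when the reset is requested) and the in-memory storage are assumptions.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 30 * 60  # the 30-minute window from the announcement


class ResetTokenStore:
    """Hypothetical in-memory stand-in for a reset-token database table."""

    def __init__(self, clock=time.time):
        self._rows = {}      # sha256(token) -> (email, sha256(device_id), expiry)
        self._clock = clock  # injectable so expiry can be tested

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    def issue(self, email: str, device_id: str) -> str:
        """Create a token to mail to the user; only its hash is stored,
        so a leaked table does not yield usable reset links."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expiry = self._clock() + RESET_TTL_SECONDS
        self._rows[self._digest(token)] = (email, self._digest(device_id), expiry)
        return token

    def redeem(self, token: str, device_id: str):
        """Return the account email if the link is valid, else None.
        The row is removed on every attempt: a link works once, and a
        failed attempt means a further reset has to be requested."""
        row = self._rows.pop(self._digest(token), None)
        if row is None:
            return None  # unknown or already used
        email, device_digest, expiry = row
        if self._clock() > expiry:
            return None  # older than 30 minutes
        if not hmac.compare_digest(device_digest, self._digest(device_id)):
            return None  # opened on a different device
        return email


if __name__ == "__main__":
    store = ResetTokenStore()
    link_token = store.issue("member@example.com", "phone-cookie")  # constructed values
    print(store.redeem(link_token, "laptop-cookie"))  # wrong device
```
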

HarveySchlumpfenburger · 14/04/2014 20:17

I think the answer to that is likely to be that they don't know Arya. If it's on your account details page then a hacker using your login details could have logged on as you and seen them. I'm not sure if they could actually find out whether anyone actually had done that though.

ZingSweetCoconut · 14/04/2014 20:17

or twitchy

cozietoesie · 14/04/2014 20:17

PS - the hacking appears at the moment to have been relatively benign. I'd concentrate on online accounts where you've potentially had more significant exposure if I were you.

cozietoesie · 14/04/2014 20:18

or twitchy. Indeed.

Grin
AryaOfHouseSnark · 14/04/2014 20:20

Grin at twitchy.

I have changed passwords for everything and made them more complex. I haven't got that many online accounts tbh.

CecyHall · 14/04/2014 20:31

Can I ask a question? (And I don't want this to come across as nasty or anything) but when posters were concerned over the threat of heartbleed early on and were reassured by tech that all was ok and nothing would happen was this BS/did tech really not know what was going on when they should have/something that tech couldn't have possibly known at that time?

It just feels like everyone was saying no problem, all is ok when people were concerned and then all of a sudden- problem.

Sorry if this has been covered elsewhere.

cozietoesie · 14/04/2014 20:42

It doesn't come across as nasty.

For myself, I think that the situation actually changed as new information became available - in particular that there were personal details about members being broadcast on the internet/used by others on this site which could have been garnered before the patch went in.

I'm still not completely convinced that Heartbleed was the cause of the problems: systems have been being hacked for donkey's ages and it could well be that existing purloined data was used to effect at this particular time - to highlight the Heartbeat issue for example.

Nonetheless, MNHQ had to make the call on the basis of what they had available; and the information changed. I wouldn't disagree with the action they took.

noblegiraffe · 14/04/2014 20:52

Cozie, the hacker logged into mumsnet using another stolen account to explain how Heartbleed was used to steal the passwords. It was definitely heartbleed that was the cause of the problems.

cozietoesie · 14/04/2014 20:57

I'm still not convinced 100%, giraffe. Suffice to say, though, that HB is a significant issue, particularly now that it's been broadcast so widely, so I think MNHQ's actions were justified.

BoffinMum · 14/04/2014 20:59

Do you think they have stolen all our birthing plans and hints for saving money on Christmas crafts Shock Grin

Perhaps if we post more about gruesome gynaecology, the Bad Hacking People will get scared by MN. It will be like the IT Crowd where they are trying to explain periods to Moss and Roy says, "You know, like in Carrie!" GrinGrin

Don't mess with these chicks, muthafuckas.

noblegiraffe · 14/04/2014 21:00

So in a week where a weakness in website security has been published, alongside a list of websites that are vulnerable, where the script needed to exploit that vulnerability and steal login data from vulnerable websites is freely available and easy to use, in a hack where the hacker actually tells the site being hacked that he has hacked it and how....and you're not convinced??

Then what would it take to convince you?

BoffinMum · 14/04/2014 21:02

If that's directed at me, I am convinced, completely convinced, and I bloody hope people don't use the same pw for social networking and their banking.

noblegiraffe · 14/04/2014 21:03

No, sorry, Boffin, xpost, it was aimed at cozie.

Itsfab · 14/04/2014 21:04

Lots of comments on the DM website slagging off MN, its posters and making out it is bollocks and for publicity too.

PuppysMum1 · 14/04/2014 21:07

Sorry daft question, what if I can't recall my MN password? I have reset it but it would be good to know what my old password was just to know which other sites I need to change my password on.

Any possibility of finding out my old password? Just need to know whether to panic!!

cozietoesie · 14/04/2014 21:09

It's not bollocks and it's not for publicity. It's a serious issue.

I don't know, Giraffe. Let me think about it. I just believe (having seen it many times) that just because something can be done doesn't mean that it has been done.

Mignonette · 14/04/2014 21:29

Thank fuck I never signed up to online banking. I was warned off it ages ago by a friend who is a super tech and I listened to her despite having to put up with some people on MN sneering at her warnings.

I also use a small current account for online shopping with companies like Amazon that is solely for that. It cannot go over drawn and has only small amounts of cash in it. If it was hacked, it'd not be the end of the world.

I will never internet bank. Nor pay bills online.

Sparklingbrook · 14/04/2014 21:34

I have a little box thingy for online banking which I stick my debit card in and it generates a random number for log in every time. No passwords. I don't think that's a worry is it?

Mignonette · 14/04/2014 21:37

Sparkling we were sent one of those in a vain attempt to make us sign up for IB but have decided not to.

I am staying old school. I realise that cloning is still an issue (have had that happen too) so I try to use only inside ATMs. Yes, that means I have to plan so as to ensure I have enough actual cash but to be honest the peace of mind it gives me is worth it. I transfer a sum of money via teller or ATM into my slush account every week or ten days and that seems to work.

Sparklingbrook · 14/04/2014 21:41

I totally understand Mignonette. I have been cloned. At the local Tesco Express along with loads of others. They do say to try and use proper bank ATMs wherever possible, not supermarkets etc.

I used to work for a bank which weirdly makes me a bit less worried. Smile

HarveySchlumpfenburger · 14/04/2014 21:41

Well I suppose I should be glad my bank closed my account with very little warning this week, so even if I had used that password on something linked to my card then I don't think they can use it because it no longer exists. I didn't think I'd be saying that this week.

JustineMumsnet · 14/04/2014 21:42

@CecyHall

> Can I ask a question? (And I don't want this to come across as nasty or anything) but when posters were concerned over the threat of heartbleed early on and were reassured by tech that all was ok and nothing would happen was this BS/did tech really not know what was going on when they should have/something that tech couldn't have possibly known at that time?
>
> It just feels like everyone was saying no problem, all is ok when people were concerned and then all of a sudden- problem.
>
> Sorry if this has been covered elsewhere.

Hi CecyHall (how are you?).
You're right we did think things were ok because we'd seen the details of the Heartbleed security risk soon after it was announced and had implemented the recommended patch/fix - so Tech was confident that we were secure. Unfortunately in the time between publication of the risk and implementing the fix - about a day - someone had been in and scraped some user data. This only became fully apparent when some accounts were hacked on Saturday in order to post a message about giving us a heads up about Heartbleed.

At that point, obviously, we became aware that we had a problem and decided the only sensible course of action was to force a password change and shout about the associated password risk as loudly as possible.

Hope that makes sense.

JustineMumsnet · 14/04/2014 21:46

@nsld

> The bigger concern with this is that if Mumsnet has removed all passwords and is telling people to reset passwords on other sites then this probably means that the passwords were stored in an unencrypted format or the encryption keys for the password files were stored with them.
>
> Either way it's a monumental security error on the part of the site, even with full admin rights the passwords should not be viewable and the database of those passwords should be properly secured.
>
> Given the magnitude of the breach have you reported it to the ICO yet?

No, that's not right, our passwords are encrypted but the Heartbleed bug allowed access to live login pages (temporarily until we patched the site). We have no way of knowing how many login pages were accessed but obviously more than one was.

JustineMumsnet · 14/04/2014 21:48

@PuppysMum1

> Sorry daft question, what if I can't recall my MN password? I have reset it but it would be good to know what my old password was just to know which other sites I need to change my password on.
>
> Any possibility of finding out my old password? Just need to know whether to panic!!

No, sorry PuppysMum1, we can't help on that one - we encrypt the passwords so that not even MNHQ staff can find out what they are. Best bet is to change your password everywhere which has sensitive info.

Mignonette · 14/04/2014 21:50

Sparkling

I truly hope that the fleas from a thousand camels infest their groins. Sodding cloning bastards. Sorry it happened to you too.