
Due to a security breach we are resetting all passwords across Mumsnet

729 replies

RebeccaMumsnet · 12/04/2014 17:32

Following the recent security breach related to Heartbleed we are resetting the passwords of all users.

On Saturday 12 April, we will remove all passwords from our system and to use the site, you'll need to reset your password by clicking on the password reset link.

Type in your email address and click the 'Request reset' button and you will receive a mail to your Mumsnet registered email account. (You will need to click on the link in the mail within 30 minutes of receiving it, without changing the device you're using, i.e. swapping from phone to laptop, or you'll need to request a further reset).

If you do not receive a mail, please check your spam folder. The password reset mail will come to the email you used when you first registered with Mumsnet.

If you don't receive or can't access your reset mail, please [email protected] for help.

We are very sorry for all the fuss. We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known.

Most importantly, if you use the same password here as elsewhere, we strongly recommend you change your password on the other sites too.

Thanks,

Justine & the MNHQ team

NearTheWindymill · 14/04/2014 21:54

So when the system was logging us out on Saturday, does that mean it was the logged-out ones' accounts that had been hacked then please?

Can you confirm that it was only the password/user names that were hacked and that our personal data was not accessed please.

Sparklingbrook · 14/04/2014 21:56

I was quite impressed that my bank spotted it before it went through my account Mignonette. Got a phone call asking if I had used a cashpoint abroad to withdraw about $400.

Had to have a new debit card which was a PITA but all ok since and am avoiding ATMs other than at banks.

Mignonette · 14/04/2014 22:01

Same here Sparkling. They called me to say they had already replaced the cash but needed to go through all my transactions. I had several thousand taken from phone shop transactions in over 6 locations in the UK - all within fifteen minutes of each other, so they knew it could not have been me.

I sent the team a thank you card I was so grateful I reckon they get a shed load of complaints and not enough praise!

TigerSmoke · 14/04/2014 22:09

our passwords are encrypted but the heartbleed bug allowed access to live login pages

I haven't actually logged in for months (lurker supreme); does that mean I am safe? I.e. does "live login pages" refer to profiles that have been logged in more recently than I have logged into mine?

Thank you.

JustineMumsnet · 14/04/2014 22:16

@NearTheWindymill

So when the system was logging us out on Saturday does that mean it was the logged out one's accounts that had been hacked then please?

Can you confirm that it was only the password/user names that were hacked and that our personal data was not accessed please.

No, it doesn't NTWM, we logged everyone out on Saturday to require everyone to reset their password. I'm afraid we have no way of knowing which users' accounts were hacked, if any, beyond the handful of names that were used to post on here/published on pastebin.

And we have no way of knowing whether any of that info was used to access pms, profiles etc. All we can say is that the hackers were keen to let us know about the breach and there is no evidence of any accounts being used maliciously, save really for mine and even that fake post from my account could be seen as more of a heads up than a malicious act.

JustineMumsnet · 14/04/2014 22:18

@TigerSmoke

our passwords are encrypted but the heartbleed bug allowed access to live login pages

I haven't actually logged in for months (lurker supreme); does that mean I am safe? I.e. does "live login pages" refer to profiles that have been logged in more recently than I have logged into mine?

Thank you.

I hesitate to post because I'm not 100% on this, but I think it might mean you're safe - then again it's possible something (eg to do with cookies) means you're not. I will check with Tech, but want to reiterate that there's no evidence this hack was done with anything other than the intention to raise awareness at this stage.

NearTheWindymill · 14/04/2014 22:19

But what about when we were being logged out before 5.45pm?

Thank you for responding though. So do you mean they can't have got hold of my r/l name and dc's names and dates of birth etc.?

sunbathe · 14/04/2014 22:20

I haven't been logged out - should I have been?

I was forcibly logged out of Fitbit, for example, should that have happened to me on MN?

nsld · 14/04/2014 22:26

The bigger concern with this is that if Mumsnet has removed all passwords and is telling people to reset passwords on other sites then this probably means that the passwords were stored in an unencrypted format or the encryption keys for the password files were stored with them.

Either way it's a monumental security error on the part of the site; even with full admin rights the passwords should not be viewable and the database of those passwords should be properly secured.

Given the magnitude of the breach have you reported it to the ICO yet?

No, that's not right, our passwords are encrypted but the heartbleed bug allowed access to live login pages (temporarily until we patched the site). We have no way of knowing how many login pages were accessed but obviously more than one was.

===

So if the passwords are encrypted as you say why do a mass delete?

The key questions are:

1: Has someone copied the user list from the site along with the passwords?

2: How good is the level of encryption used?

3: Were the encryption keys compromised?

4: Do you have no form of server logging to see what's happening?

5: Why do you not force https for all connections to your site? As I write this I can see that the connection to your servers is unencrypted.

momscribe · 14/04/2014 22:30

:( just saw the news and then jumped to mumsnet

Yes, changed my password as well and there I am in ....worked finally!

Sparklingbrook · 14/04/2014 22:31

The Daily Mail article is awful. What a surprise. Misleading headline or what?

noblegiraffe · 14/04/2014 22:33

Mumsnet has been vulnerable to this type of attack (as have all vulnerable websites) for 2 years.

Although the bug was only officially discovered recently and made public last week, the code for SSL is open source and that means that someone else could have discovered the bug for themselves long before it was made public.

So while it's unlikely that your data would have been stolen before the bug was made public, there is no guarantee that your passwords have been safe on any vulnerable site for the last two years.

TigerSmoke · 14/04/2014 22:36

Thanks Justine - it would be great to know. Thank you for such a prompt response.

noblegiraffe · 14/04/2014 22:40

nsld:

  1. It wasn't that kind of hack
  2. Irrelevant here
  3. Irrelevant here
  4. Heartbleed is undetectable
  5. Ironically, https is exactly where heartbleed makes websites vulnerable.

noblegiraffe · 14/04/2014 22:44

nsld, this explains nicely how heartbleed steals data

xkcd.com/1354/
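To show what "access to live login pages" means in practice, and why passwords hashed at rest do not help once a plaintext login form is sitting in server memory, here is an added simulation. It is not OpenSSL's code and not anything from Mumsnet: a heartbeat echo that trusts the length the peer declared, beside the patched form that checks it against the bytes actually received. The memory layout, username and password are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for a slice of server process memory: the 5-byte
   heartbeat payload sits first, and a login form from a different connection
   (fake, constructed values) happens to sit right behind it. */
#define MEM_SIZE 128
static char memory[MEM_SIZE];
static const char REQ[] = "hello";
static const char NEIGHBOUR[] = "user=alice&password=hunter2";

void setup_memory(void) {
    memset(memory, 0, sizeof memory);
    memcpy(memory, REQ, sizeof REQ);                    /* includes the NUL */
    memcpy(memory + sizeof REQ, NEIGHBOUR, sizeof NEIGHBOUR);
}

/* Pre-patch logic: the peer's declared payload length is trusted, so the
   reply echoes whatever follows the real payload in memory. The read is kept
   inside `memory` so the simulation itself stays well-defined. */
size_t heartbeat_unchecked(uint16_t declared_len, size_t record_len,
                           char *out, size_t out_cap) {
    (void)record_len;                                   /* never consulted: the bug */
    size_t n = declared_len < out_cap ? declared_len : out_cap;
    memcpy(out, memory, n);
    return n;
}

/* Patched logic: a declared length larger than the bytes actually received
   is rejected and the heartbeat is dropped. */
size_t heartbeat_checked(uint16_t declared_len, size_t record_len,
                         char *out, size_t out_cap) {
    if (declared_len > record_len || declared_len > out_cap)
        return 0;
    memcpy(out, memory, declared_len);
    return declared_len;
}

/* Detection helper for the demo: does the reply carry the neighbour's
   credential field, i.e. bytes the requester never sent? */
int reply_leaks_credentials(const char *out, size_t n) {
    const char needle[] = "password=";
    size_t k = sizeof needle - 1;
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(out + i, needle, k) == 0) return 1;
    return 0;
}
```

The point for a site operator is that no amount of hashing in the database changes what the checked version protects against: the plaintext only ever exists in memory during login, and the fix is refusing to echo more than was received.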

mumtotoby · 14/04/2014 22:48

Can I ask what information they stole other than passwords?

Maryz · 14/04/2014 23:08

Message withdrawn at poster's request.

VivaLeBeaver · 14/04/2014 23:19

Was it a MN regular who hacked us? I'm guessing it was as the fake Justine message seemed to be by someone who knows MN.

Lucked · 15/04/2014 00:29

I have been trying, on and off, since yesterday to reset and I can't get the link to work (says expired link).

Can I just change my password in My Account? Does the link do anything special?

TheDetective · 15/04/2014 01:51

Is there any way I can find out my old password. I think I know what it was - but I can't quite remember. I've not had to log in for a while.

I really need to know what it was - because I then need to work out if I need to change some other passwords.

Please help!

roselover · 15/04/2014 02:16

Daily Mail having a go at Mumsnet ... like it's anyone's fault - I do wish they would F**k off

roselover · 15/04/2014 02:18

I changed my password - it's really easy - you don't need to know your old one - the link only lasts for a couple of days so do it as soon as they send you the "change it" link - it will be sent to your email address

TheDetective · 15/04/2014 02:52

I've changed my password. But I need to know my old one.

In case it is the same as other passwords used elsewhere. Which I will then need to change.

RustyBear · 15/04/2014 04:22

Change them anyway TheDetective especially if the site has your card details or other sensitive info- they may have been compromised from their own site, or another one if you use the same password in multiple places. It's entirely possible that other sites have been compromised but just don't know it. See noblegiraffe's post at 22.33.

GiddyUpCowboy · 15/04/2014 06:33

Just seen Justine is on BBC after 8am.