
Due to a security breach we are resetting all passwords across Mumsnet

729 replies

RebeccaMumsnet · 12/04/2014 17:32

Following the recent security breach related to Heartbleed we are resetting the passwords of all users.

On Saturday 12 April, we will remove all passwords from our system and, to use the site, you'll need to reset your password by clicking on the password reset link.

Type in your email address and click the 'Request reset' button and you will receive a mail to your Mumsnet registered email account. (You will need to click on the link in the mail within 30 minutes of receiving it, without changing the device you're using, i.e. swapping from phone to laptop, or you'll need to request a further reset.)

If you do not receive a mail, please check your spam folder. The password reset mail will come to the email you used when you first registered with Mumsnet.

If you don't receive or can't access your reset mail, please [email protected] for help.

We are very sorry for all the fuss. We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known.

Most importantly, if you use the same password here as elsewhere, we strongly recommend you change your password on the other sites too.

Thanks,

Justine & the MNHQ team

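Added example, not Mumsnet's own code: a small server-side model of the reset flow the announcement describes. Every stored password is wiped so nothing leaked can be used to log in; the reset link carries a random token that the server stores only as a hash, that expires after 30 minutes, that works exactly once, and that is bound to the browser that requested it (so a link opened on a different device, or without that browser's cookie, comes back as an expired link, which is one way the "request a further reset" behaviour above arises). The class and function names, the cookie-derived browser id, the constructed test account and the PBKDF2 parameters are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

RESET_LINK_TTL = 30 * 60      # the 30-minute window from the announcement
PBKDF2_ROUNDS = 200_000       # assumed work factor for the password hash
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is salt || derived key."""
    salt = salt or secrets.token_bytes(SALT_LEN)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + key


def verify_password(stored: bytes, password: str) -> bool:
    salt, key = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(key, candidate)


@dataclass
class PendingReset:
    email: str
    issued_at: float
    browser_id: str        # value of a cookie set on the device that asked for the link
    used: bool = False


class PasswordResetService:
    """Issues and redeems time-limited, single-use, device-bound reset links."""

    def __init__(self, accounts: Dict[str, dict], now: Callable[[], float] = time.time):
        self.accounts = accounts                       # email -> {"password_hash": bytes|None}
        self.pending: Dict[bytes, PendingReset] = {}   # keyed by SHA-256 of the token
        self.now = now                                 # injectable clock, for testing expiry

    def wipe_all_passwords(self) -> None:
        """What 'remove all passwords from our system' means: no hash, no login."""
        for account in self.accounts.values():
            account["password_hash"] = None

    def login(self, email: str, password: str) -> bool:
        stored = self.accounts.get(email, {}).get("password_hash")
        return stored is not None and verify_password(stored, password)

    @staticmethod
    def _key(token: str) -> bytes:
        # Store only a hash of the token: a dump of this table cannot be replayed as links.
        return hashlib.sha256(token.encode()).digest()

    def request_reset(self, email: str, browser_id: str) -> Optional[str]:
        """Return the token to embed in the e-mailed link, or None for unknown accounts.
        The web layer must answer identically either way so the form cannot be used
        to discover which addresses are registered."""
        if email not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[self._key(token)] = PendingReset(email, self.now(), browser_id)
        return token

    def complete_reset(self, token: str, browser_id: str, new_password: str) -> str:
        req = self.pending.get(self._key(token))
        if req is None or req.used:
            return "expired link"
        if self.now() - req.issued_at > RESET_LINK_TTL:
            del self.pending[self._key(token)]
            return "expired link"
        if not hmac.compare_digest(req.browser_id, browser_id):
            # Opened on another device, or without the cookie: treated as expired.
            return "expired link"
        req.used = True
        self.accounts[req.email]["password_hash"] = hash_password(new_password)
        return "ok"
```

The token itself never touches the database and is only ever sent to the address already on file; the user-facing message is the same for an unknown token, a used token, a stale token and a device mismatch, so the link cannot be used to probe which case applies.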
CecyHall · 15/04/2014 06:37

Thanks for your reply Justine, I hoped that it would be something like that (mainly because I'm still cross about the Lush hack a few years ago where it turned out they knew for months before it was made public, so glad it wasn't like that as I don't want Mumsnet on my grudge list!)

PirateJones · 15/04/2014 06:56

Pretty lucky really that it was an actual hacker pointing out the security defects, rather than a bunch of script kiddies from 4chan causing havoc.

Walkacrossthesand · 15/04/2014 06:58

Yoo hoo MNHQ! I've emailed your Contactus address twice about the reset password link not working for me. The first time I got an auto reply, fair enough. The second time, no reply.

I've tried over and over in the past 2 days to reset my password, both on my mobile (which thankfully I hadn't logged out of so I can post) and on my PC. Each and every time I get the reset email just fine, but when I click on the link it takes me to a page which says 'expired link'. Straight away. Every time.

I don't understand why this is (it seems) a problem for me alone, but it's on 2 separate devices so I imagine it's account-related not device-related? Whatever, I really don't want to name change and set up a new account - but at this rate I'll have to.

Help?

Sparklingbrook · 15/04/2014 07:10

Brilliant Giddy, hope she can set the record straight a bit. The comments on the DM website are really odd.

FourAndDone · 15/04/2014 07:53

Walkacross - I am most probably wrong but try clearing your cookies on the PC then try and reset password again. :)

Mignonette · 15/04/2014 07:57

The DM know we are a threat to them - of course they are having a go. It is when they stop snarking at us that we know they have succeeded in their mission to turn the whole country into a bunch of racist, sexist gits.

Lucked · 15/04/2014 08:33

Walk across that is exactly my problem.

Will clearing cookies log me out? I am thinking I might just set up a new account TBH.

nsld · 15/04/2014 08:39

Noble Giraffe wrote:

  1. It wasn't that kind of hack
  2. Irrelevant here
  3. Irrelevant here
  4. Heartbleed is undetectable
  5. Ironically, https is exactly where heartbleed makes websites vulnerable.

===

  1. You don't know this; it's pretty clear from the messages on the site that the owners have no idea what has happened, and given that the owner of the site had her account compromised you cannot say what has or has not happened in the background. Getting the site owner's login is the first step to getting to the real data in the background.
  2. Absolutely it's relevant: if you don't know what the attackers have done then the level of encryption of the databases behind the site is critical.
  3. Again, if the encryption keys were lost, which is part of the heartbleed vulnerability, then 2 becomes a moot point if they have copied the data.
  4. Server logging would tell you who did what, so if a compromised admin account used FTP to copy across the username and password data it would be recorded. Equally, if accounts are accessed at the most basic level using the heartbleed vulnerability then this would also be visible in server logging even if the IP address was the only thing captured.
  5. No, https doesn't make you vulnerable; the use of unpatched, out-of-date libraries and poor or no security certificates is what makes you vulnerable. Open up the "secure" login page for this site in Firefox and click on the certificate information and see what it says. Badly implemented https at login combined with no https anywhere else is, to put it bluntly, a joke and is indefensible.

What makes this worse is a quick search of the ICO registrar of data controllers which finds this in the Mumsnet registration:

Reasons/purposes for processing information

We process personal information to enable us to produce and distribute printed material, promote our services; maintain our accounts and records; to support and manage our employees. We also process personal information in the course of selling, hiring or exchanging it.

Type/classes of information processed

We process information relating to the above reasons/purposes. This may include:

personal details

family details

education and employment details

financial details

goods or services provided

text of articles and information relevant to the publication

We also process sensitive classes of information that may include mental and physical health details.

So a poor approach to security and sensitive classes of information are not a great mix really.

cozietoesie · 15/04/2014 08:41

It's generally a good idea to clean your device frequently anyway. (Malwarebytes and Superantispyware are both free for the manual operation versions and can be loaded pretty quickly and easily. A complete system scan will take upwards of an hour for each. (The quick scans are ......quick....... but it's as well to start off with a full scan and you can have them going on in the background while you do other things if needs be.)

cozietoesie · 15/04/2014 08:41

It's generally a good idea to clean your device frequently anyway. (Malwarebytes and Superantispyware are both free for the manual operation versions and can be loaded pretty quickly and easily. A complete system scan will take upwards of an hour for each. (The quick scans are ......quick....... but it's as well to start off with a full scan and you can have them going on in the background while you do other things if needs be.)

cozietoesie · 15/04/2014 08:41

Sorry - the cat posted there. Twice.

BoffinMum · 15/04/2014 08:44

Hacker must think they were friendly probing, if they gave MN the heads up.
If we must be probed here on MN we prefer the friendly type.

cozietoesie · 15/04/2014 08:45

And before I was finished as well. I think I'll have a cup of coffee - but in the meantime, it would do your systems no harm in any case, Lucked, to clear out cookies and cache and scrub them for naughties. It may not help this specific problem but it's generally good practice.

cozietoesie · 15/04/2014 08:52

But before the coffee.....

nsld

It's wrong to bring the DP registration into play here. I've done innumerable registrations and a quick statement (as you've done) may not bear any relation to the data actually held or processed. The registrations are general statements which aim to encompass all possibilities for a data controller and don't necessarily reflect the holdings or processing of individual organizations.

Best not to quote that again, I think.

noblegiraffe · 15/04/2014 09:36

nsld, I see you've done a bit more reading since your last post.

Yes if the encryption keys were stolen then MN need to generate new encryption keys. All vulnerable websites should be doing this anyway, because of the theoretical possibility that it could have been done.

  2. If we know that they have stolen a potentially large amount of unencrypted username and password data using heartbleed, then I don't understand why stealing encrypted login and password data would make the situation any different. We know the login and password data has been compromised, which is why all passwords have been deleted and all users alerted to change their passwords on other websites if the same as MN.

But 4. Do you really think a hacker would hack under their own IP address?

  5. I didn't say https made websites vulnerable, I said https made it vulnerable to heartbleed. And it wasn't out of date versions that were the problem, it was the up-to-date versions. If MN had been using a really old version, they'd have been unaffected by this bug.

KateSMumsnet · 15/04/2014 09:46

@sunbathe

I haven't been logged out - should I have been?

I was forcibly logged out of Fitbit, for example, should that have happened to me on MN?

This should have happened, has it happened yet?

KateSMumsnet · 15/04/2014 10:01

@NearTheWindymill

But what about when we were being logged out before 5.45pm?

Thank you for responding though. So do you mean they can't have got hold of my r/l name and dc's names and dates of birth etc.?

We're afraid we can't definitely say what the hackers have or haven't got, which is why we're advising folks who use the same password for Mumsnet as other stuff to change them.

KateSMumsnet · 15/04/2014 10:10

@mumtotoby

Can I ask what information they stole other than passwords?

The bug allowed people to see information that you submit via the login page, which means your username or email, plus your password.

Beyond that, we really don't know what the hackers have done with this information. We realise that must be frustrating to hear, and if we knew any more we'd certainly tell you. But the fact is we can't be sure.
However, we have no reason to suspect, and no evidence to suggest that anyone's account has been used for anything other than to flag up the security breach.
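Added example, not code from the thread or from Mumsnet: a small Python model of the OpenSSL heartbeat handling behind Heartbleed (CVE-2014-0160), showing how data submitted to a login page could be read out of a server's memory and what the fixed version checks. The record layout follows RFC 6520 (a one-byte type, a two-byte payload_length, the payload, then at least 16 bytes of padding); the "leftover heap" bytes, the hostname and the credentials in them are constructed for the example, and in the real server the over-read ran across actual heap memory rather than a Python byte string.

```python
import struct
from typing import Optional, Tuple

# TLS record / heartbeat constants (RFC 6520)
CONTENT_TYPE_HEARTBEAT = 0x18
HEARTBEAT_REQUEST = 0x01
TLS_VERSION = 0x0302           # TLS 1.1
MIN_PADDING = 16               # RFC 6520: at least 16 bytes of random padding
PAYLOAD_OFFSET = 5 + 3         # 5-byte record header + 1-byte type + 2-byte length


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Encode a HeartbeatRequest inside a TLS record.

    claimed_length is the payload_length field.  An honest client leaves it equal
    to len(payload); an attacker declares far more than it actually sends."""
    if claimed_length is None:
        claimed_length = len(payload)
    body = struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BHH", CONTENT_TYPE_HEARTBEAT, TLS_VERSION, len(body)) + body


def _parse(memory: bytes) -> Tuple[int, int, int]:
    """Read the record length and the heartbeat type/payload_length off the front."""
    ctype, _version, record_length = struct.unpack("!BHH", memory[:5])
    if ctype != CONTENT_TYPE_HEARTBEAT:
        raise ValueError("not a heartbeat record")
    hb_type, claimed_length = struct.unpack("!BH", memory[5:8])
    return record_length, hb_type, claimed_length


def vulnerable_heartbeat_response(memory: bytes) -> bytes:
    """Pre-fix logic: trust payload_length and echo that many bytes from the payload
    onward.  When the declared length exceeds what was sent, the copy runs past the
    record into whatever else sits in process memory (here: the rest of `memory`)."""
    _, hb_type, claimed_length = _parse(memory)
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    return bytes(memory[PAYLOAD_OFFSET:PAYLOAD_OFFSET + claimed_length])


def patched_heartbeat_response(memory: bytes) -> Optional[bytes]:
    """Fixed logic: a request whose declared length, plus the 3 header bytes and the
    16-byte minimum padding, does not fit in the record actually received is
    silently discarded (None) instead of answered."""
    record_length, hb_type, claimed_length = _parse(memory)
    if hb_type != HEARTBEAT_REQUEST:
        return b""
    if 1 + 2 + claimed_length + MIN_PADDING > record_length:
        return None
    return bytes(memory[PAYLOAD_OFFSET:PAYLOAD_OFFSET + claimed_length])


def heartbeat_is_oversized(record: bytes) -> bool:
    """The same bound applied by a network sensor to a captured TLS record: True when
    the peer is asking for more bytes back than it sent."""
    record_length, _, claimed_length = _parse(record)
    return 1 + 2 + claimed_length + MIN_PADDING > record_length


# Constructed: bytes a web server's heap might hold next to the received record,
# for instance the body of another user's recent login request.
LEFTOVER_HEAP = (
    b"POST /login HTTP/1.1\r\nHost: forum.example\r\n\r\n"
    b"username=alice&password=correct-horse-battery\r\n"
)


def demo() -> dict:
    honest = build_heartbeat_request(b"ping")
    malicious = build_heartbeat_request(b"ping", claimed_length=0x4000)
    return {
        "honest_vulnerable": vulnerable_heartbeat_response(honest + LEFTOVER_HEAP),
        "malicious_vulnerable": vulnerable_heartbeat_response(malicious + LEFTOVER_HEAP),
        "malicious_patched": patched_heartbeat_response(malicious + LEFTOVER_HEAP),
        "malicious_flagged": heartbeat_is_oversized(malicious),
    }
```

The honest request gets its four-byte payload echoed back under either version. The malicious one, answered by the vulnerable handler, comes back with the padding and then the neighbouring login request, which is exactly the kind of data the post above says the bug exposed; the patched handler drops it. Nothing in the web server's own access log records any of this, because a heartbeat never reaches the HTTP layer, which is why detection has to happen on the TLS records themselves, as `heartbeat_is_oversized` does.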

Sparklingbrook · 15/04/2014 10:11

Has Justine had to cut her holiday short because of all this?

cozietoesie · 15/04/2014 10:13

If she has, I suspect she's not the only one. (In Mumsnet and elsewhere.)

sunbathe · 15/04/2014 10:13

Kate - no. Still logged in!

jemjabella · 15/04/2014 10:14

nsld - if the admin accounts have access to "use FTP to copy across the username and password data" we have bigger problems here than whether or not MNHQ have been hit by heartbleed... but given that this is not the 1990s and the vast majority of tech companies are not stupid enough to allow that sort of access, I'm going to suggest that with all due respect, you're talking out of your bottom. :)

KateSMumsnet · 15/04/2014 10:23

@VivaLeBeaver

Was it a MN regular who hacked us? I'm guessing it was as the fake Justine message seemed to be by someone who knows MN.

We honestly don't know Viva! Sorry we're giving such vague answers, but anything we do find out we'll pass onto you guys.

KateSMumsnet · 15/04/2014 10:35

@TheDetective

Is there any way I can find out my old password. I think I know what it was - but I can't quite remember. I've not had to log in for a while.

I really need to know what it was - because I then need to work out if I need to change some other passwords.

Please help!

Hullo TheDetective - we're afraid that since we've wiped everyone's password from our database, we can't tell you what your password was. In any case, due to data protection, we can't send out people's passwords, and it would be the same even without Heartbleed.

We suggest that to be on the safe side, it might be an idea to change your password for the sites you're worried about.

KateSMumsnet · 15/04/2014 10:39

@sunbathe

Kate - no. Still logged in!

Ah, sorry we've confused ourselves here. The forced log out would have only happened to those who hadn't done their password reset after the passwords were wiped. So we're guessing you must have done yours sunbathe!
