
Due to a security breach we are resetting all passwords across Mumsnet

729 replies

RebeccaMumsnet · 12/04/2014 17:32

Following the recent security breach related to Heartbleed we are resetting the passwords of all users.

On Saturday 12 April, we will remove all passwords from our system and to use the site, you'll need to reset your password by clicking on the password reset link.

Type in your email address and click the 'Request reset' button and you will receive a mail to your Mumsnet registered email account. (You will need to click on the link in the mail within 30 minutes of receiving it, without changing the device you're using, i.e. swapping from phone to laptop, or you'll need to request a further reset.)

If you do not receive a mail, please check your spam folder. The password reset mail will come to the email you used when you first registered with Mumsnet.

If you don't receive or can't access your reset mail, please [email protected] for help.

We are very sorry for all the fuss. We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known.

Most importantly, if you use the same password here as elsewhere, we strongly recommend you change your password on the other sites too.

Thanks,

Justine & the MNHQ team

confuddledDOTcom · 15/04/2014 19:12

Oooh we're on One Show! Although isn't the news behind? I was out last night and saw "BREAKING NEWS: Mumsnet..." I thought something had happened whilst I'd been away for half an hour, not 48 hours ago!

BreakingDad77 · 15/04/2014 19:21

So whose kid got grounded for this?

jemjabella · 16/04/2014 14:44

"I guess you missed the Sony PSN or LinkedIn data breaches in the recent past then?"
No, I didn't miss them (or Tumblr's, or Evernote's, or any of the other high profile data breaches), but they weren't caused by Heartbleed so are as good as irrelevant.

"What capabilities do you think admin accounts have on a website? after all they are not end users are they?"
Admin accounts - well without having access to one I can't answer that question, but I'm going to go out on a limb and assume they don't have a big bloody button that says "download unencrypted user data to my PC".

You seem to be correlating admin access at website level with admin access at server level and it's very unlikely that this is the reality. Even ignoring the security concerns with FTP as a protocol, I don't know of any site that allows you to "use FTP to copy across the username and password data" as you put it (and I make enough of the bloody things).

"Using heartbleed is the first step to get in, once they are inside who knows what they could see, do and take?"
Get in to where? Again, you seem to be correlating access to a web based admin account with some sort of sysadmin super power..?

KateSEggMumsnet · 16/04/2014 16:00

Hi folks

We've created a page explaining exactly how events unfolded: Mumsnet and Heartbleed as it happened

DoctorTwo · 16/04/2014 16:46

Instead of using a patched OpenSSL why not use PFS, as Ixquick and Startpage do? Or would it be too much of an arseache?

BoffinMum · 16/04/2014 18:59

God almighty, that rogue post was vair funny and at least they had bothered to read the site Grin

I am just imagining all the kicking off while people were still in bath towels. So very MN. GrinGrin

confuddledDOTcom · 16/04/2014 19:55

Glad I'm not the only one who thought it was funny. It didn't sound like Justine but I could imagine something being posted as a joke so at the most I would have thought it was Justine/MNHQ having a laugh with us if I had seen it before it was caught.


VelmaD · 16/04/2014 20:21

Typse? Retarded? You sound pleasant Hmm

confuddledDOTcom · 16/04/2014 20:22

Pleasant and intelligent.

PirateJones · 16/04/2014 20:23

You sound pleasant
He's American.

confuddledDOTcom · 16/04/2014 20:30

You can still be American and unpleasant...

PirateJones · 16/04/2014 20:31

Oh I know, I was aiming more for American = unpleasant.

That’s why the word retard has re-entered the language after being phased out years ago along with spastic, Americans.


Heartbleed · 16/04/2014 20:48

I guess I did come off a bit strong. But netsec is important to me and should be to you. I hope this is a lesson to everyone who reuses passwords. Install something like LastPass, use a unique, long (30+ chars) passphrase for the database and you are done (use this method for coming up with your passphrase: xkcd.com/936/). Generate passwords with a click of a button that can have as much entropy as you want. All of it is stored for you so you don't have to remember the passwords.

Done.

This 'Heartbleed' bug has been present for over 2 years and is NOT the only security flaw in TLS (Transport Layer Security, otherwise known as SSL).

P.S. As for the spelling error, oops. And I am not American.

PirateJones · 16/04/2014 20:51

And I am not American

Are you saying my awful generalisation based on one word is wrong? NEVER!

Heartbleed · 16/04/2014 20:53

Alrighty

Heartbleed · 16/04/2014 21:14

I would like the Mumsnet admins to comment on why the TLS cert was reissued 2 days AFTER they got users to change their passwords. That means that users updated their password while the server was still running a potentially vulnerable certificate.

Solo · 16/04/2014 22:59

Err..who is this ^ person? Confused is it the fungus? (fungi)

noblegiraffe · 16/04/2014 23:43

Well it's not the heartbleed hacker who stole Canadian taxpayer details, because he has just been arrested.

I wonder when the cybercrime division will turn their attention to the much more important hacking here.

Heartbleed · 17/04/2014 00:25

"I wonder when the cybercrime division will turn their attention to the much more important hacking here."

I don't think this is nearly as big of an issue. There are going to be thousands of sites that are vulnerable due to Heartbleed. The cybercrime division will have more important stuff to do. If they do anything in the first place, that is.

RStallman · 17/04/2014 00:47

Who is this Heartbleed character? Is he trying to pretend he is responsible for this?

He talks nothing like the messages posted at the time of the intrusion. Also, LastPass is seen by a lot of people in the security industry as a terrible idea - single point of failure.

cerealqueen · 17/04/2014 00:50

I can't log in on iPad with details verified on the regular site? Though to be honest, the lack of pages on talk drives me bonkers also, so no real loss!

Heartbleed · 17/04/2014 00:56

I am not the attacker, nor am I trying to pretend to be him. I am just someone who is interested in netsec.

True, it is a single point of failure. But that is only if it fails. If you use a sufficiently strong password to encrypt the database then you will be fine. If you are unsure about LastPass's closed source nature, try KeePassX. Same thing (a little less usability, not a good browser implementation) but open source, so you can have more confidence that the actual manager is secure.

But the encryption standards LastPass uses for its database are strong, thoroughly tested in the industry and implemented well. As I said before, use a strong passphrase (see link on how to do that in my first post) and you are fine.
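The two pieces of advice in this post and in the earlier one (an xkcd-style multi-word passphrase, and relying on the manager's database encryption) can be put into numbers. The following is an added example, not code from any poster and not LastPass's or KeePassX's own code: it computes the entropy of a diceware-style passphrase versus a random character password, derives a database key from the passphrase with PBKDF2-HMAC-SHA256 from the Python standard library (a stand-in for whatever key derivation a given manager actually uses), and estimates brute-force time. The 12-entry wordlist, the salt, the iteration count and the attacker's guess rate are all constructed assumptions; a real diceware list has 7776 words, which is the size the entropy arithmetic uses.

```python
import hashlib
import math
import secrets

# Constructed sample wordlist for the generator. Real diceware lists have 7776
# entries; DICEWARE_SIZE is used for the entropy calculation so the numbers
# reflect a real list rather than this toy one.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "zebra", "quartz",
                "lantern", "pepper", "orbit", "marble", "velvet", "cactus"]
DICEWARE_SIZE = 7776
PRINTABLE_ASCII = 94          # characters a typical generator draws from

# Assumed PBKDF2 work factor; managers pick their own, and Argon2/scrypt are
# the modern alternatives. The point is only that each guess costs this much.
ASSUMED_ITERATIONS = 600_000


def passphrase_entropy_bits(words: int, wordlist_size: int = DICEWARE_SIZE) -> float:
    """Entropy of `words` uniformly random words drawn from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def random_password_entropy_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Entropy of a password of `length` uniformly random characters."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words: int, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """xkcd-936 style passphrase: words drawn with a CSPRNG, never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def derive_key(passphrase: str, salt: bytes, iterations: int = ASSUMED_ITERATIONS) -> bytes:
    """Slow, salted KDF turning the master passphrase into a 256-bit database key.

    Deterministic for a given (passphrase, salt, iterations), which is what lets
    the same passphrase unlock the same database; the iteration count makes every
    offline guess against a stolen database cost the attacker the same work.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: on average half the space must be searched."""
    return (2.0 ** (entropy_bits - 1)) / guesses_per_second


if __name__ == "__main__":
    # Constructed attacker model: a GPU rig doing 1e9 raw SHA-256 per second,
    # divided by the KDF iteration count to get passphrase guesses per second.
    raw_hash_rate = 1e9
    guess_rate = raw_hash_rate / ASSUMED_ITERATIONS

    for n in (3, 4, 6):
        bits = passphrase_entropy_bits(n)
        years = expected_crack_seconds(bits, guess_rate) / (365 * 24 * 3600)
        print(f"{n}-word diceware passphrase: {bits:5.1f} bits, ~{years:.3g} years to crack")

    bits = random_password_entropy_bits(8)
    years = expected_crack_seconds(bits, guess_rate) / (365 * 24 * 3600)
    print(f"8-char random password:        {bits:5.1f} bits, ~{years:.3g} years to crack")

    phrase = generate_passphrase(6)
    salt = secrets.token_bytes(16)             # stored next to the database, not secret
    key = derive_key(phrase, salt)
    print(f"sample passphrase: {phrase!r}")
    print(f"derived key (hex): {key.hex()}")
```

A 4-word passphrase from a 7776-word list is about 52 bits, roughly the same as 8 random printable characters, but far easier to type from memory; 6 words gives about 78 bits. The work factor matters as much as the entropy: dividing the attacker's hash rate by the iteration count is why a leaked password-manager database is not immediately the "single point of failure" a plaintext list would be, provided the passphrase in front of it is long.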
