
Due to a security breach we are resetting all passwords across Mumsnet

83 replies

RebeccaMumsnet · 12/04/2014 17:32

Following the recent security breach related to Heartbleed we are resetting the passwords of all users.

On Saturday 12 April, we will remove all passwords from our system and to use the site, you'll need to reset your password by clicking on the password reset link.

Type in your email address and click the 'Request reset' button and you will receive a mail to your Mumsnet registered email account. (You will need to click on the link in the mail within 30 minutes of receiving it, without changing the device you're using, i.e. swapping from phone to laptop, or you'll need to request a further reset).

If you do not receive a mail, please check your spam folder. The password reset mail will come to the email you used when you first registered with Mumsnet.

If you don't receive or can't access your reset mail, please [email protected] for help.

We are very sorry for all the fuss. We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known.

Most importantly, if you use the same password here as elsewhere, we strongly recommend you change your password on the other sites too.

Thanks,

Justine & the MNHQ team

RebeccaMumsnet · 13/04/2014 11:27

@Friedbrain

MNHQ

I'm not the only one with a random name change!

I've come across 4 different people looking at other threads this morning!

I'll PM you - hang fire...

RowanMumsnet · 13/04/2014 12:05

@TheWoollybacksWife

I reset my password last night on both the main site and the mobile site but have just received an email about changing passwords. Does this mean I have to do it again?

No, you should be fine

RowanMumsnet · 13/04/2014 12:08

@Llareggub

I don't have the same email address that I signed up with but I haven't been signed out either. I only ever post from my iPhone and iPad. What should I do?

For now, just don't log out! You can email us at [email protected] asking us to update your email address - please try to include something only you and we would know about you (eg postcode if you ever gave that to us) so that we can verify you're the genuine account holder - we don't want to reassign people's email addresses willy-nilly

RowanMumsnet · 13/04/2014 13:03

@StillStayingClassySanDiego

What a bloody pissing faff!

Not you MNHQ, I did a system restore without actually realising what I was doing and have wiped my PC of everything important, including my emails.

Have ever so slightly name changed and fresh password.

And breathe!

Argh no!

RowanMumsnet · 13/04/2014 13:57

@piscivorous

I have changed my password, am now in on laptop under my new password but can't get in on my phone. I'm stuck at the sign in screen which just keeps saying Invalid Login - Please reenter your details and I can't get anywhere else. I've tried the joining screen which tells me my email is in use and have tried deleting the app and reinstalling. Any suggestions please?

Hmm - is it the app that won't let you log in? Are you absolutely sure (sorry to ask) that you're putting the new password in correctly?

RowanMumsnet · 13/04/2014 14:16

@piscivorous

I think I am Rowan. I'll go and log out of here then try to get back in to check.

I'll go and try it now. With my technological prowess I feel a bit like Captain Oates, I may be some time...

RowanMumsnet · 13/04/2014 14:17

Oh it took me so long to post that, you'd already sorted it...

Sorry Solo Brew

RowanMumsnet · 13/04/2014 16:43

@BIWI

Rowan - I'm having the same problem as Pisci. I've changed my password on my laptop, and I'm logged in there, but I can't access the site on the app. I have double and triple checked that I've put the right password in Wink but it's still telling me that it's an invalid log in

Hmmm... we will flag this to Tech BIWI

RowanMumsnet · 13/04/2014 16:51

@cozietoesie

Is Tech still sane?

Poor Tech - this comes after a week of them struggling with poor broadband in the office as well (because of a third-party problem, not Tech's fault)

RowanMumsnet · 13/04/2014 17:06

@MinecraftAteMyWorld

I changed my password earlier on my phone but have not been asked to on my laptop. Should I change it?

No you should be OK by the sounds of it

RowanMumsnet · 13/04/2014 17:15

@InspirationFailed

Sorry to be a pain - I can't access PMs

I get this message Confused

Oh dear! Are you on the mobile site? Anyone else having trouble reading their PMs on there?

RebeccaMumsnet · 14/04/2014 13:14

Hi all,

Tech have extended the amount of time you are allowed to click on the emailed link for. You now have 48 hours but only for links sent this afternoon onwards.

Please do click to resend.

We are still ploughing through your mails, apologies it is taking some time but if you have mailed in, please hang fire and we will get back to you.

Thanks all for being so patient.

JustineMumsnet · 14/04/2014 21:42

@CecyHall

Can I ask a question? (And I don't want this to come across as nasty or anything) but when posters were concerned over the threat of heartbleed early on and were reassured by tech that all was ok and nothing would happen was this BS/did tech really not know what was going on when they should have/something that tech couldn't have possibly known at that time?

It just feels like everyone was saying no problem, all is ok when people were concerned and then all of a sudden- problem.

Sorry if this has been covered elsewhere.

Hi CecyHall (how are you?).
You're right we did think things were ok because we'd seen the details of the heartbleed security risk soon after it was announced and had implemented the recommended patch/fix - so Tech was confident that we were secure. Unfortunately in the time between publication of the risk and implementing the fix - about a day - someone had been in and scraped some user data. This only became fully apparent when some accounts were hacked on Saturday in order to post a message about giving us a heads up about Heartbleed.

At that point, obviously, we became aware that we had a problem and decided the only sensible course of action was to force a password change and shout about the associated password risk as loudly as possible.

Hope that makes sense.

JustineMumsnet · 14/04/2014 21:46

@nsld

The bigger concern with this is that if Mumsnet has removed all passwords and is telling people to reset passwords on other sites then this probably means that the passwords were stored in an unencrypted format or the encryption keys for the password files were stored with them.

Either way it's a monumental security error on the part of the site, even with full admin rights the passwords should not be viewable and the database of those passwords should be properly secured.

Given the magnitude of the breach have you reported it to the ICO yet?

No, that's not right, our passwords are encrypted but the heartbleed bug allowed access to live login pages (temporarily until we patched the site). We have no way of knowing how many login pages were accessed but obviously more than one was.

JustineMumsnet · 14/04/2014 21:48

@PuppysMum1

Sorry daft question, what if I can't recall my MN password? I have reset it but it would be good to know what my old password was just to know which other sites I need to change my password on.

Any possibility of finding out my old password? Just need to know whether to panic!!

No, sorry PuppysMum1, we can't help on that one - we encrypt the passwords so that not even MNHQ staff can find out what they are. Best bet is to change your password everywhere which has sensitive info.

JustineMumsnet · 14/04/2014 22:16

@NearTheWindymill

So when the system was logging us out on Saturday does that mean it was the logged out one's accounts that had been hacked then please?

Can you confirm that it was only the password/user names that were hacked and that our personal data was not accessed please.

No, it doesn't NTWM, we logged everyone out on Saturday to require everyone to reset their password. I'm afraid we have no way of knowing which users' accounts were hacked, if any, beyond the handful of names that were used to post on here/published on pastebin.

And we have no way of knowing whether any of that info was used to access pms, profiles etc. All we can say is that the hackers were keen to let us know about the breach and there is no evidence of any accounts being used maliciously, save really for mine and even that fake post from my account could be seen as more of a heads up than a malicious act.

JustineMumsnet · 14/04/2014 22:18

@TigerSmoke

our passwords are encrypted but the heartbleed bug allowed access to live login pages

I haven't actually logged in for months (lurker supreme); does that mean I am safe? I.e. does "live login pages" refer to profiles that have been logged in more recently than I have logged into mine?

Thank you.

I hesitate to post because I'm not 100% on this, but I think it might mean you're safe - then again it's possible something (eg to do with cookies) means you're not. I will check with Tech, but want to reiterate that there's no evidence this hack was done with anything other than the intention to raise awareness at this stage.

KateSMumsnet · 15/04/2014 09:46

@sunbathe

I haven't been logged out - should I have been?

I was forcibly logged out of Fitbit, for example, should that have happened to me on MN?

This should have happened, has it happened yet?

KateSMumsnet · 15/04/2014 10:01

@NearTheWindymill

But what about when we were being logged out before 5.45pm?

Thank you for responding though. So do you mean they can't have got hold of my r/l name and dc's names and dates of birth etc.?

We're afraid we can't definitely say what the hackers have or haven't got, which is why we're advising folks who use the same password for Mumsnet as other stuff to change them.

KateSMumsnet · 15/04/2014 10:10

@mumtotoby

Can I ask what information they stole other than passwords?

The bug allowed people to see information that you submit via the log in page, which means your username or email, plus your password.

Beyond that, we really don't know what the hackers have done with this information. We realise that must be frustrating to hear, and if we knew any more we'd certainly tell you. But the fact is we can't be sure.
However, we have no reason to suspect, and no evidence to suggest that anyone's account has been used for anything other than to flag up the security breach.

KateSMumsnet · 15/04/2014 10:23

@VivaLeBeaver

Was it a MN regular who hacked us? I'm guessing it was as the fake Justine message seemed to be by someone who knows MN.

We honestly don't know Viva! Sorry we're giving such vague answers, but anything we do find out we'll pass onto you guys.

KateSMumsnet · 15/04/2014 10:35

@TheDetective

Is there any way I can find out my old password. I think I know what it was - but I can't quite remember. I've not had to log in for a while.

I really need to know what it was - because I then need to work out if I need to change some other passwords.

Please help!

Hullo TheDetective - we're afraid that since we've wiped everyone's password from our database, we can't tell you what your password was. In any case, due to data protection, we can't send out people's passwords, and it would be the same even without Heartbleed.

We suggest that to be on the safe side, it might be an idea to change your password for the sites you're worried about.

KateSMumsnet · 15/04/2014 10:39

@sunbathe

Kate - no. Still logged in!

Ah, sorry we've confused ourselves here. The forced log out would have only happened to those who hadn't done their password reset after the passwords were wiped. So we're guessing you must have done yours sunbathe!

KateSMumsnet · 15/04/2014 10:47

@Maryz

Justine, can I ask whether you thanked or banned the person who did the demonstration -caszko I think - both in your name, and on the "Justine's thread" thread.

I think we were all lucky it was brought to our attention, even if it might have been simpler for them to just contact you. Doing it this way we've all had a boot up the arse for internet safety in general.

And no, it wasn't me. I'm a technowuss Sad

Hm, the lady doth protest too much methinks Wink

Things are all still a bit up in the air (understatement of the century), and we can't be sure whether people who appear to take credit for the hacking were genuine or not, so we're not making any hasty decision.

We do totally see what you mean though, and it does seem that it was done to highlight the problem, rather than to be overtly malicious.

KateSMumsnet · 15/04/2014 11:02

To folks who can't reset, but are able to post here.

Anyone who hadn't reset their password before 13:49 (ish) yesterday would have been forcibly logged out, so you had to reset, else you wouldn't have been able to log in.

Sooo, if you're able to post here, you must have been able to reset your password, hurrah!

However, if you didn't reset your password before yesterday, and you haven't been forcibly logged out, and have just stayed logged in, something has gone wrong - so please shout!
