
Due to a security breach we are resetting all passwords across Mumsnet

729 replies

RebeccaMumsnet · 12/04/2014 17:32

Following the recent security breach related to Heartbleed we are resetting the passwords of all users.

On Saturday 12 April, we will remove all passwords from our system and to use the site, you'll need to reset your password by clicking on the password reset link.

Type in your email address and click the 'Request reset' button and you will receive a mail to your Mumsnet registered email account. (You will need to click on the link in the mail within 30 minutes of receiving it, without changing the device you're using, i.e. swapping from phone to laptop, or you'll need to request a further reset).

If you do not receive a mail, please check your spam folder. The password reset mail will come to the email you used when you first registered with Mumsnet.

If you don't receive or can't access your reset mail, please [email protected] for help.

We are very sorry for all the fuss. We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the Heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known.

Most importantly, if you use the same password here as elsewhere, we strongly recommend you change your password on the other sites too.

Thanks,

Justine & the MNHQ team

LackaDAISYcal · 12/04/2014 18:30

You can check the vulnerability of sites HERE

SureFootedWhispher · 12/04/2014 18:31

Why didn't they send an email to users? Some people might not see this. Or force a password change? Or is this what they are doing, and if so, when does it come into effect?

RustyBear · 12/04/2014 18:32

I changed all my passwords yesterday, it took most of the day! I used a site that was recommended by GitHub to check whether websites had been fixed, though it doesn't always give a definitive result. I will be keeping a close eye on my more sensitive sites, and those that didn't return a result and will change again after a while, or if any of the sites contact me to say they are now safe (a couple have done already)

cozietoesie · 12/04/2014 18:34

Keeping a close eye on more sensitive sites is always a good idea - particularly so in the current climate.

HarveySchlumpfenburger · 12/04/2014 18:37

It's probably a good idea to change those more sensitive ones regularly anyway.

OMGtwins · 12/04/2014 18:37

In case it helps anyone, see here for an explanation of the bug: xkcd.com/1354/

Basically it means a type of login secured by a protocol called SSL (using a particular program for implementing it called OpenSSL) is vulnerable to someone asking the server to send back more data from the working server memory than is supplied when they log in. So if I were a hacker I could log in and use the vulnerability to ask the server to send back a bunch of extra info which might contain details of other people's recent log ins held in the server memory (including encryption keys sometimes).

SSL (or TLS) is the way all secure websites let you log in, hence the widespread worry. And yes, the bug has been around for 2 years but has only just been made public (this is quite common in computer security, sadly).

Have a Google for if the website you use is vulnerable, most companies will make a big deal out of fixing it because of everything in the press. Some common ones are here: mashable.com/2014/04/09/heartbleed-bug-websites-affected/

Don't change your password until the website you have been using is fixed.
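
The over-read described in the post above, as an added example that is not part of the original thread and is not OpenSSL's code: a toy heartbeat handler in C, shown without and with the length check that RFC 6520 requires. The single array standing in for server memory, the function names and the sample data are all constructed for illustration, and the padding field of the real record is left out.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Toy model (assumption): one array stands in for server heap memory.
 * The incoming heartbeat record is stored at offset 0; unrelated data
 * from another session happens to sit right after it. */
#define MEM_SIZE 64
static uint8_t mem[MEM_SIZE];

/* Record layout (simplified RFC 6520): type(1) | payload_length(2) | payload */
static size_t store_request(uint16_t claimed_len, const char *payload) {
    size_t actual = strlen(payload);
    memset(mem, 0, MEM_SIZE);
    mem[0] = 1;                                  /* heartbeat_request */
    mem[1] = (uint8_t)(claimed_len >> 8);
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + 3, payload, actual);
    memcpy(mem + 3 + actual, "pw=hunter2", 10);  /* constructed neighbour data */
    return 3 + actual;                           /* real record length */
}

/* Flawed handler: trusts payload_length taken from the request itself. */
static int reply_flawed(size_t rec_len, uint8_t *out, size_t out_sz) {
    size_t n = ((size_t)mem[1] << 8) | mem[2];
    (void)rec_len;                               /* never consulted: the bug */
    if (n > out_sz || 3 + n > MEM_SIZE) return -1;  /* keeps the toy in bounds */
    memcpy(out, mem + 3, n);
    return (int)n;
}

/* Fixed handler: discard the request if the claimed length exceeds the record. */
static int reply_fixed(size_t rec_len, uint8_t *out, size_t out_sz) {
    size_t n = ((size_t)mem[1] << 8) | mem[2];
    if (rec_len < 3 || n > rec_len - 3 || n > out_sz) return 0;  /* no reply */
    memcpy(out, mem + 3, n);
    return (int)n;
}

int main(void) {
    uint8_t out[MEM_SIZE];
    size_t rec = store_request(14, "bird");      /* claims 14 bytes, sends 4 */
    int n = reply_flawed(rec, out, sizeof out);
    printf("flawed: %d bytes: %.*s\n", n, n, (const char *)out);
    printf("fixed:  %d bytes\n", reply_fixed(rec, out, sizeof out));
    rec = store_request(4, "bird");              /* honest request */
    printf("honest: %d bytes\n", reply_fixed(rec, out, sizeof out));
    return 0;
}
```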

OMGtwins · 12/04/2014 18:39

Can someone make those links work please Wink Computer security I can do, Mumsnet links I have no idea because I usually lurk...

HarveySchlumpfenburger · 12/04/2014 18:41
LackaDAISYcal · 12/04/2014 18:41

surefooted, this is forcing a password reset. afaiu everyone has been booted out and will need to reset their password before logging in again.

OneStepCloser · 12/04/2014 18:43

So, if you're knocking off everyone's password today and if they haven't seen this thread what will happen to them? How will they know?

Will they try to come on tom and be blocked?

MisForMumNotMaid · 12/04/2014 18:44

Facebook appears to have the same vulnerability and ebay possibly does from the above check vulnerability link.

Off to change some more passwords. I can see myself forgetting lots of passwords.

RowanMumsnet · 12/04/2014 18:44

Hello

You won't be forced out of a session - ie if you were already logged in and posting when the forced password reset occurred, you won't have been forcibly logged out. You will be forced to change your password next time you need to log in though.

We are sending a message to everyone on our database with the exception of those who've specifically asked to receive no email from us; that will go out soon, probably before the end of today.

RustyBear · 12/04/2014 18:46

OMGtwins - I was working on the basis that changing a password now, even if you don't know the site is fixed, is safer than leaving it (especially if you use the same password for more than one site) - as long as you then change it again once you know the site is fixed. Because if a site has already been attacked, but doesn't know it, changing the password now stops information already gained from being used.

Imnotmadeofeyes · 12/04/2014 18:47

I'm not techy at all but I did wonder why 'they' (being the magical computer wizards) didn't release a fix patch through widely used software like an anti-virus update before releasing it so publicly?

Rock and a hard place I suppose when you know something needs fixing asap, but I almost heard the ears of a million hackers prick up at the news...

BeerTricksPotter · 12/04/2014 18:49

This reply has been deleted

Message withdrawn at poster's request.

LackaDAISYcal · 12/04/2014 18:51

ebay have made an announcement on their site...I had to find it using a google search though; you'd think it would be on the homepage Hmm

Maryz · 12/04/2014 18:51

This reply has been deleted

Message withdrawn at poster's request.

RhondaJean · 12/04/2014 18:52

Rebecca Rebecca panic panic the link on my email isn't live, you have to use it within 30 minutes, I missed that bit! Will it resend if I link again?

Also

I can't cut and paste it on my iPad

HarveySchlumpfenburger · 12/04/2014 18:54

I think they did, to an extent. The BBC article about it seemed to suggest that websites had been given some time to get the fix patch in place before the news was released.

I think part of the problem was that site owners either couldn't or didn't check to see whether their data had already been breached

SoleSource · 12/04/2014 18:55

Done.

RhondaJean · 12/04/2014 18:59

Emm panic over Blush once I stopped flapping I went and tried it and sorted it (sorry)

StolenStollen · 12/04/2014 19:00

I've clicked the link and submitted my email but I haven't got an email from HQ yet.
Do I try again or email hq?


EverythingIsAwesome · 12/04/2014 19:01

according to LackaDAISYcal's link, Mumsnet was always safe - so I don't think that link is reliable

RowanMumsnet · 12/04/2014 19:03

@StolenStollen

I've clicked the link and submitted my email but I haven't got an email from HQ yet.
Do I try again or email hq?


Hello - are you checking the email address you used when you registered with MN?

If so, might be worth checking in the spam folder.

If that doesn't work, try asking for a new one - loads of people are re-setting at the moment so there may be a few glitches.
HarveySchlumpfenburger · 12/04/2014 19:03

I think we can quite safely say that MN wasn't always safe.
