
Due to a security breach we are resetting all passwords across Mumsnet

83 replies

RebeccaMumsnet · 12/04/2014 17:32

Following the recent security breach related to Heartbleed we are resetting the passwords of all users.

On Saturday 12 April, we will remove all passwords from our system and to use the site, you'll need to reset your password by clicking on the password reset link.

Type in your email address and click the 'Request reset' button and you will receive a mail to your Mumsnet registered email account. (You will need to click on the link in the mail within 30 minutes of receiving it, without changing the device you're using, i.e. swapping from phone to laptop, or you'll need to request a further reset).

If you do not receive a mail, please check your spam folder. The password reset mail will come to the email you used when you first registered with Mumsnet.

If you don't receive or can't access your reset mail, please [email protected] for help.

We are very sorry for all the fuss. We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known.

Most importantly, if you use the same password here as elsewhere, we strongly recommend you change your password on the other sites too.

Thanks,

Justine & the MNHQ team
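The reset procedure above (a link that is valid for 30 minutes, tied to the device it was requested from, and good for one use) is the user's view of a fairly standard server-side design. The following is an added example of that design in Python, written for this page; it is not Mumsnet's code, and the `ResetTokenStore` class, the `client_id` device binding and the sample e-mail address are all assumptions made for illustration.

```python
"""Illustrative password-reset token store (added example, not Mumsnet's code).

Design points it demonstrates:
  * the raw token goes only into the e-mail link; the server keeps a SHA-256 hash,
    so a leaked database table does not hand out usable reset links;
  * each token expires RESET_TTL_SECONDS after issue (30 minutes, as in the announcement);
  * a token is consumed on first redemption attempt, so a mismatch on device or a late
    click means requesting a fresh one, again as the announcement describes.
"""
import hashlib
import hmac
import secrets
from typing import Optional

RESET_TTL_SECONDS = 30 * 60  # the 30-minute window stated in the announcement


class ResetTokenStore:
    """Hypothetical server-side store mapping token hashes to pending reset records."""

    def __init__(self) -> None:
        self._pending: dict = {}  # sha256(token) -> {"email", "client_id", "expires"}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str, client_id: str, now: float) -> str:
        """Create a fresh random token for `email`, bound to `client_id` (an assumed
        per-device identifier, e.g. derived from the requesting session). Returns the
        raw token to place in the e-mail link; only its hash is stored."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[self._hash(token)] = {
            "email": email,
            "client_id": client_id,
            "expires": now + RESET_TTL_SECONDS,
        }
        return token

    def redeem(self, token: str, client_id: str, now: float) -> Optional[str]:
        """Return the e-mail the token was issued for if it is valid, else None.
        The record is removed on the first attempt regardless of outcome (single use)."""
        record = self._pending.pop(self._hash(token), None)
        if record is None:
            return None  # unknown, already used, or forged token
        if now > record["expires"]:
            return None  # older than 30 minutes
        if not hmac.compare_digest(record["client_id"], client_id):
            return None  # clicked from a different device than it was requested on
        return record["email"]


if __name__ == "__main__":
    # Constructed walk-through with a fake clock so the expiry is reproducible.
    store = ResetTokenStore()
    t0 = 1_000_000.0
    tok = store.issue("user@example.invalid", "phone", t0)
    print("valid within window:", store.redeem(tok, "phone", t0 + 60))
    print("second use rejected:", store.redeem(tok, "phone", t0 + 61))
```

The `now` parameter is passed explicitly rather than read from `time.time()` so the expiry logic can be exercised deterministically; a real deployment would also rate-limit `issue` per e-mail address.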

JustineMumsnet · 15/04/2014 12:54

@nsld

nsld The bigger concern with this is that if Mumsnet has removed all passwords and is telling people to reset passwords on other sites then this probably means that the passwords were stored in an unencrypted format or the encryption keys for the password files were stored with them.

Either way it's a monumental security error on the part of the site, even with full admin rights the passwords should not be viewable and the database of those passwords should be properly secured.

Given the magnitude of the breach have you reported it to the ICO yet?

No, that's not right, our passwords are encrypted but the heartbleed bug allowed access to live login pages (temporarily until we patched the site). We have no way of knowing how many login pages were accessed but obviously more than one was.

===

So if the passwords are encrypted as you say why do a mass delete?

The key questions are:

1: Has someone copied the user list from the site along with the passwords?

2: How good is the level of encryption used?

3: Were the encryption keys compromised?

4: Do you have no form of server logging to see what's happening?

5: Why do you not force https for all connections to your site? As I write this I can see that the connection to your servers is unencrypted.

Hiya,
NobleGiraffe has actually answered a lot of your questions very ably already but by way of further reassurance:

Our passwords are stored in encrypted form in the database, but like most other sites our login form sends the username and password in plain text, wrapped in an encrypted SSL envelope to avoid eavesdropping in transit. When they arrive at our server, the envelope is decrypted. The Heartbleed bug allowed access to this data as it arrived at our server.

The hackers did not copy passwords from the database, they obtained them from the web server’s RAM via Heartbleed - two very different scenarios.

It’s impossible to say how many usernames and passwords were accessed via Heartbleed, but what we can say is that we re-booted all our servers 57 days ago, so we're confident that anyone who hasn't logged in since then wouldn't have been affected by this.

The Heartbleed bug has in fact made us revisit our use of https (SSL) across the site. Previously we only used it on the login page. However we are now in the process of using https on all pages where the user’s password is entered.

We agree that this is best practice and improves the security of the site overall (but let's be clear, not following this practice had no bearing on this security breach).

JustineMumsnet · 15/04/2014 12:58

@JustineMumsnet

[quote TigerSmoke] our passwords are encrypted but the heartbleed bug allowed access to live login pages

I haven't actually logged in for months (lurker supreme); does that mean I am safe? I.e. does "live login pages" refer to profiles that have been logged in more recently than I have logged into mine?

Thank you.

I hesitate to post because I'm not 100% on this, but I think it might mean you're safe - then again it's possible something (eg to do with cookies) means you're not. I will check with Tech, but want to reiterate that there's no evidence this hack was done with anything other than the intention to raise awareness at this stage.[/quote]

Hi again TigerSmoke,
As said, whilst it’s impossible to say how many usernames and passwords were accessed via Heartbleed, we have checked and we re-booted all our servers 57 days ago which would have wiped the memory, so we're confident that anyone who hasn't logged in since then wouldn't have been affected. Hope that helps.

KateSMumsnet · 15/04/2014 13:30

@Lucked

Never logged out, never changed my password (link won't work). I definitely haven't had a forced log out.

Curiouser and curiouser - are you using the app or the site?

KateSEggMumsnet · 15/04/2014 15:00

@MrsUggy

With regards to not using HTTPS throughout the site, this means that an attacker can steal the users session cookie.

I highlighted the issues with HTTPS (or the general lack of it on mumsnet) back in 2011. It took years to add even HTTPS and then not everywhere.

sigh

Hi MrsUggy - we've actually just introduced https on every page that requires you to enter your login details.

RowanMumsnet · 15/04/2014 17:24

@MrsUggy

This wouldn't prevent an attacker stealing the session id (the rootsess cookie) and posting messages as another user and reading a user's 'inbox' (all the non https pages basically).

I don't see any good reason why one wouldn't just make the site 100% HTTPS.

Tech's take on this is that the theft of rootsess cookies is practically quite difficult/rare (eg the hacker would have to be sharing an insecure wireless connection with a Mumsnet user in the act of exchanging information with the server), so it's outweighed by the very real effects sitewide https would have on user experience, especially slower browsing. It would also make it difficult for us to operate sub-domains like Mumsnet Local on the same server.
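The exchange above turns on one browser rule: a cookie without the `Secure` attribute is attached to every request to the site, including the plain-http pages, so an on-path observer sees it whenever a logged-in user loads a non-https page. The following is an added example, not Mumsnet's code, of the audit a defender would run over a site's `Set-Cookie` headers to make that concrete; the headers are constructed for illustration (only the cookie name `rootsess` comes from the thread), and the `is_session_cookie` name heuristic is an assumption.

```python
"""Audit session-cookie attributes and model whether a browser would send the cookie
over plain http (added example; headers below are constructed, not captured)."""
from urllib.parse import urlparse

# Constructed sample Set-Cookie headers: the first is what a login-only-https site
# typically emits, the second is the hardened form, the third is a harmless preference.
SAMPLE_HEADERS = [
    "rootsess=5f1e9c3a7b; Path=/; HttpOnly",
    "rootsess=5f1e9c3a7b; Path=/; HttpOnly; Secure; SameSite=Lax",
    "prefs=theme-dark; Path=/; Max-Age=31536000",
]


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie header into name, value and a lower-cased attribute map.
    Value-less attributes such as Secure and HttpOnly are recorded as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def is_session_cookie(cookie: dict) -> bool:
    """Assumed heuristic: a cookie whose name contains 'sess' carries a session id."""
    return "sess" in cookie["name"].lower()


def browser_would_send(cookie: dict, url: str) -> bool:
    """Model the rule that matters here: a Secure cookie is never sent to an http:// URL;
    any other cookie is sent on every request to the site, https or not."""
    scheme = urlparse(url).scheme
    if cookie["attrs"].get("secure") and scheme != "https":
        return False
    return True


def audit(header: str) -> list:
    """Return findings for a Set-Cookie header; an empty list means nothing to report.
    Only session cookies are examined, since they are what an attacker would replay."""
    cookie = parse_set_cookie(header)
    findings = []
    if not is_session_cookie(cookie):
        return findings
    if not cookie["attrs"].get("secure"):
        findings.append(f"{cookie['name']}: missing Secure; sent in clear on any http:// page")
    if not cookie["attrs"].get("httponly"):
        findings.append(f"{cookie['name']}: missing HttpOnly; readable by injected script")
    if "samesite" not in cookie["attrs"]:
        findings.append(f"{cookie['name']}: no SameSite; cross-site requests carry it")
    return findings


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        cookie = parse_set_cookie(header)
        print(header)
        print("  sent to http://forum.example/inbox ?",
              browser_would_send(cookie, "http://forum.example/inbox"))
        for finding in audit(header):
            print("  !", finding)
```

Run against the constructed headers, the first `rootsess` cookie is reported as sent in clear on the http pages, which is exactly the inbox-reading scenario described in the post; the `Secure` variant is withheld from http:// URLs, and marking the session cookie `Secure` is only workable once every page that needs the session is served over https, which is the reason the two questions (sitewide https and cookie theft) are linked.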

KateSEggMumsnet · 16/04/2014 16:00

Hi folks

We've created a page explaining exactly how events unfolded: Mumsnet and Heartbleed as it happened

DawnMumsnet · 18/04/2014 12:42

@VeryStressedMum

Definitely hasn't logged me out of my phone, but still no reset email, it's been over 2 hours now and before it was 5 hours after I requested it. No idea why I haven't been logged out on my phone. Just a few days before mumsnet asked us to change the passwords I noticed I was logged out when I hadn't logged myself out so I logged back in using my usual password, this happened twice. I'd really like my reset email mnhq??????

Hi VeryStressedMum

Sorry for all the faff - just letting you know that we've mailed you a fresh password reset link now. Please email [email protected] if you don't receive it, we're determined to sort this out for you!

RowanMumsnet · 24/04/2014 10:37

Hello

Great to see we've helped haul some of you back into the liferaft; apologies to those who are still struggling.

It's still best to sort individual difficulties by mailing us at [email protected]. Our mail backlog, while still bigger than we'd like it to be, is reducing now and hopefully we'll be able to work with those of you who have thornier problems for whatever reason.

We can't merge accounts, but hopefully with a bit of elbow grease we can help people get back into their old ones.
