
Due to a security breach we are resetting all passwords across Mumsnet

729 replies

RebeccaMumsnet · 12/04/2014 17:32

Following the recent security breach related to Heartbleed we are resetting the passwords of all users.

On Saturday 12 April, we will remove all passwords from our system and to use the site, you'll need to reset your password by clicking on the password reset link.

Type in your email address and click the 'Request reset' button and you will receive a mail to your Mumsnet registered email account. (You will need to click on the link in the mail within 30 minutes of receiving it, without changing the device you're using, i.e. swapping from phone to laptop, or you'll need to request a further reset).

If you do not receive a mail, please check your spam folder. The password reset mail will come to the email you used when you first registered with Mumsnet.

If you don't receive or can't access your reset mail, please [email protected] for help.

We are very sorry for all the fuss. We want to assure you that we followed all the published steps to protect members' security as soon as we became aware of the Heartbleed security risk, but it seems that the breach occurred prior to that risk becoming known.

Most importantly, if you use the same password here as elsewhere, we strongly recommend you change your password on the other sites too.

Thanks,

Justine & the MNHQ team

ItsAllGoingToBeFine · 12/04/2014 19:56

We are sending a message to everyone on our database with the exception of those who've specifically asked to receive no email from us; that will go out soon, probably before the end of today

TBH I think you should send to everybody, opt out or not.

Fuck! I hope a list of usernames and passwords haven't been put on the net!

It has and was posted earlier. So if you use the same logon info across more than one site you need to change those too.

noblegiraffe · 12/04/2014 19:56

So there is a list? What was on it? Just usernames and passwords or also email addresses?

If email addresses, then people who use the same password for their email address need to be changing that ASAP too. Anyone could be noseying through their stuff.

slithytove · 12/04/2014 19:58

Mine is still automatically logging me in on my old password?

doobedoobedoo · 12/04/2014 19:58

Changed my password, but I tried to use a number of symbols in it such as $%@_#+ and I wasn't allowed to. I could only use letters and numbers.

Letters and numbers alone make for very weak passwords. Upper & lower case help (assuming MN software recognises the difference? - I haven't tested that out), but they are still weak if people use real words.

Any chance that Tech could do something to allow other characters in passwords?

EverythingIsAwesome · 12/04/2014 19:59

Please can someone let me know about the list of logins & passwords!

BeerTricksPotter · 12/04/2014 19:59

This reply has been deleted

Message withdrawn at poster's request.

LackaDAISYcal · 12/04/2014 20:00

According to the OP of this thread there is a bloke somewhere on the web crowing about pissing around on MN. Not sure how true it is though, but it has been reported so I'm sure HQ are on it.

sillymillyb · 12/04/2014 20:00

It was just username and password if that were posted, I looked earlier but am not sure I still have it as I've cleared everything off all my devices now.

RowanMumsnet · 12/04/2014 20:00

@ItsAllGoingToBeFine

We are sending a message to everyone on our database with the exception of those who've specifically asked to receive no email from us; that will go out soon, probably before the end of today

TBH I think you should send to everybody, opt out or not.

If we do that and lots of people report us for deliberate spamming we could end up getting all our MNHQ emails to our users blacklisted, so it seemed best not to tbh - we're hoping any active users will see the stickies or hear other users talking about it. And of course eventually they'll be forced to reset their passwords anyway.

RowanMumsnet · 12/04/2014 20:01

@doobedoobedoo

Changed my password, but I tried to use a number of symbols in it such as $%@_#+ and I wasn't allowed to. I could only use letters and numbers.

Letters and numbers alone make for very weak passwords. Upper & lower case help (assuming MN software recognises the difference? - I haven't tested that out), but they are still weak if people use real words.

Any chance that Tech could do something to allow other characters in passwords?

Pretty sure you can use special characters because I did - did it explicitly tell you you couldn't?

Maryz · 12/04/2014 20:02

This reply has been deleted

Message withdrawn at poster's request.

Maryz · 12/04/2014 20:03

This reply has been deleted

Message withdrawn at poster's request.

RustyBear · 12/04/2014 20:04

I have punctuation in mine.

LackaDAISYcal · 12/04/2014 20:05

I tried to use some symbols and got a "no special characters" error as well. Tried to use them as they are more secure...

RowanMumsnet · 12/04/2014 20:05

@Maryz

Don't go pm'ing links to people.

There was a very short list of names and passwords which was online for about 20 minutes. It was found by googling, so anyone who is worried (and I only recognised one name on the list, who isn't on this thread) should google.

Rowan - I know MNHQ have that link (it was a post withdrawn on the other thread, but I'm sure you have it) - maybe email those dozen or so names directly rather than people pm'ing each other.

Yes, we're on it

cozietoesie · 12/04/2014 20:05

There's a point there to remember. Watch out for the phishing Heartbleed emails. I have no doubt whatsoever that they'll be being written (badly) as we post - too good an opportunity for the bad guys to miss.

AuntieStella · 12/04/2014 20:06

It was a partial list (or at least the one I saw) and they had removed a character or two from the user names. But that wouldn't make them unrecognisable (would have been better if they'd removed a bit of the password).

If you are recognisable from your username (posting history, public profile) and use your MN login for other sites, it would in theory be possible to hack them from the published info.

Ditto if Heartbleed hackers have acquired data from other vulnerable sites.

At least with MN we know it's happened.

TheDailyWail · 12/04/2014 20:10

Oh my, gawd knows how many sites I have registered the same password for.... The list of names and passwords - is it still discoverable? And will MN PM those who were affected?

RandallFloyd · 12/04/2014 20:10

It's from M&S and it's bloody delicious.
Like liquid crunchie mixed with baileys.

EnlightenedOwl · 12/04/2014 20:11

I use different passwords for email, Facebook, Twitter and here, so hopefully covered now I've changed password for this site.

cozietoesie · 12/04/2014 20:11

Rowan has said, tacitly, that they shall be contacting those on the list.

SheherazadeSchadenfreude · 12/04/2014 20:11

I am confused. I changed my password last night - do I need to change it again? And it wouldn't let me log in using this username. I tried using another one I've used recently, that didn't work either, but an older name did?

RowanMumsnet · 12/04/2014 20:11

Those being told you can't use special characters - what devices/OSs/browsers are you using? Just seeing if we can spot a pattern.

AuntieStella · 12/04/2014 20:12

Yes, the list is still there (I looked earlier, and went back to it via 'history' just now).

But don't get sidetracked into focus on those extracts which were found on google. Assume all have been grabbed, and are available on the dark web.

RowanMumsnet · 12/04/2014 20:13

@SheherazadeSchadenfreude

I am confused. I changed my password last night - do I need to change it again? And it wouldn't let me log in using this username. I tried using another one I've used recently, that didn't work either, but an older name did?

If you log out, and then try to log back in, you'll be forced to change password again - sorry
