Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ!

[JustineMumsnet]

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

Bearfrylls - that sounds horrific and I'm so sorry you went through that. I'd imagine it's the sort of experience that will stick around a while; look after yourself. I like the sound of your DS, though - there's a boy who likes his sleep.

I can't see what MNHQ could possibly have done differently - or at least not without a bucketfull of hindsight. It's very easy to say "yes, but you could have done X or said Y" - much harder when you're in the thick of it.

My question was never answered. I gave the benefit of the doubt at first, but tbh it seems to sum up the contempt with which I'm starting to feel we are being treated.

That sounds truly terrifying Bear. Can't blame your DS for not having any of it

I like that xkcd cartoon, Lolo This is more like my method of choosing passwords, though.
www.thepoke.co.uk/2014/06/11/how-to-create-a-unique-internet-password/

Can I make a quick suggestion - there's another thread running called I've Had to Reset My Password and people are talking about having reset with the same password because they haven't seen this thread.

Can Tech, instead of directing people to the LogIn page, direct them to this sticky, which has the reset link in it?

Perhaps you should repeat the question, quiet. There have been a lot of them and some might have been missed.

the first I knew about this is when my password wouldn't work when I tried to log in this evening

I thought I'd been bloody banned again

Awwwww AnyFucker. Im sure you have been very good and that wont happen again lol.

Actually although I hate the phrase, it all smacks a little of "victim blaming" to me. MN do not have the funds or resources of an international bank in terms of internet/server security. Why should Justine have to apologise through the nose because some batman costume wearing prick disgruntled male has taken offence?

As an aside... is "Lone Parents" routinely trolled by F4J? :(

My very best wishes to Justine + BearFrills who did not ask, nor deserve any of this shitstorm literally on their respective doorsteps.

CaveMum me too! Well, actually a bit more than that and I'd been pondering the coincidence.

Firstly, I run a website and have a security thing on it. It catches potential hackers trying to login and blocks them. Normally the names are standard attempts like admin, nameofsite, etc. I'd always assumed bots were doing it. But then from Friday, the attempts rose and they were all using my real full name. Different countries. Very weird, but my site security is (hopefully!) strong and nobody has gained access. Because they're now using my real name, I think these must be actual people and now it seems personal iykwim!

Secondly, a friend contacted me to say they'd received spam email from me from a very strange - and not connected to me - email address. Using my full name again, and a peculiar domain. Still pondering what that was all about.

Finally, quite a few of my friends who may or may not be MNers have reported having their emails hacked over the past few days.

Gonna change my password everywhere now though!

@ItsAllGoingToBeFine

I agree with MaryZ.

We didn't need to know about the "swatting".

We did need to know about the DDOS
We did need to know about the administration functions being compromised.
We did need to know about the (few) user accounts being compromised.
We did need to know about the potential phishing.

Users should have been informed of these events as they were happening/as soon as MNHQ became aware in a low key matter of fact way. MNHQ presumably has some sort of SOPs in place for a cyber attack, may I respectfully suggest that after this debacle they update this to include keeping their users informed so that they can take action.

I also agree with other posters that MN should require a secure password, it is good practice, and will hopefully encourage users to think about their passwords for other sites too.

We posted to tell users about the DDoS attack as soon as it happened, ItsAllGoingToBeFine, and updated the thread to say that we were looking into how the hacker had got into our administrative functions. At that point, we locked down all access to our administrative functions, and the hacker went quiet, so we assumed (incorrectly as it turns out) that we'd locked him out. We kept a close eye on things, but didn't see any more suspicious activity until Sunday, at which point tech directed all their resources at investigating any other possible routes into the site. We didn't want to alert the hacker to our investigations, but as soon as we got to the point that we had a robust theory (though as Justine said in her OP, it does remain only a theory) we posted to say what we thought had happened and what we proposed to do about it.

The whole thing has unfolded very quickly, and we've done our best to investigate as fast as we could, and update you as soon as we were able - which we'll keep doing, as new information surfaces.

@MrsBertMacklin

Can I make a quick suggestion - there's another thread running called I've Had to Reset My Password and people are talking about having reset with the same password because they haven't seen this thread.

Can Tech, instead of directing people to the LogIn page, direct them to this sticky, which has the reset link in it?

Thanks for the suggestion, MrsBertMacklin - I'll put it to tech

I suspect MN will have things in place (checking IP address etc) to prevent the same person registering multiple accounts.

I am trying not to laugh too hard at that comment.

I'm not a geek like DH. I do however know how to change my IP address.

It goes something like this: Router on. Router off. Router on.

Amongst other more complex solutions.

Trouble is, the swatting wasn't his grande finale, was it. There are thousands of identifiable posters on this site. I'd be advising them to clear their Account pages of postcodes and real names too. And changing email addresses with real names etc in.

Late to this - I also thought I'd been banned ( and I haven't been on here for ages!).

How awful for you Justine, I hope you and your family are ok.

FGS. Has the arse quotient in the world suddenly increased exponentially?

for Bearfrills and Justine's au pair.

I feel bad for starting my whingeing thread about having to log in all the time now. Sorry.

Sorry if this has been mentioned but I don't have the patience (or interest) to RTFT. I've only just come across this, realised it's not me being baby-brained and forgetting my password and that I actually need to do something. Would it be possible for Tech to put a little note on the log on page, stating what's happening?

@quietasamouse

My question was never answered. I gave the benefit of the doubt at first, but tbh it seems to sum up the contempt with which I'm starting to feel we are being treated.

Sorry quietasamouse - it's been fairly full on. I'll go back through the thread and find your question now.

For the record, in the past I have known someone to create 1000+ fake accounts in order to cheat at a computer game....

www.newstatesman.com/sci-tech/2015/08/troll-hacked-mumsnet-and-sent-armed-police-founders-house

@quietasamouse

But Justine surely if people have supplied their postcodes when signing up a hacker could find out where they lived?

Yes, it's possible - as Justine said in the OP, if you entered your postcode when you signed up with MN, then it will be visible in your account, and if the hacker phished your password and logged in as you, they would have been able to see it. FWIW, in the case of Justine and Bearfrills, this isn't how we think their addresses were obtained; again as Justine said in one of her follow-up posts, both were easily googleable.

@Nightfall1983

Sorry if this has been mentioned but I don't have the patience (or interest) to RTFT. I've only just come across this, realised it's not me being baby-brained and forgetting my password and that I actually need to do something. Would it be possible for Tech to put a little note on the log on page, stating what's happening?

Good idea - I don't have the tools to do myself, but will ask tech to do so at the first opportunity

exLtEveDallas How did the idiot who left the MOD laptop on a train even DO that? It's insane. Was he drunk? I imagine his boss was unbelievably grateful that it was you who found it.

Finally got in again. Anyone miss me (doubt it..)

Thanks, I've just edited my account details and removed all personal information apart from my email address. Luckily that is just a random load of letters that I made up when in drunken student mode, so all is well :)

I still can't log in here. I reset my password four times and still wouldn't log me in. I finally logged in through Facebook and even then it came up with an old user name I guess I used to have but forgot about faintly showing in the username title above this message box. Are other people able to log in the regular way yet?