Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ!

[JustineMumsnet]

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

As a result of this thread I've looked at my 'my account' section. I tried to delete the name and age of DS but it won't disappear.

@MissTeriName

CaveMum me too! Well, actually a bit more than that and I'd been pondering the coincidence.

Firstly, I run a website and have a security thing on it. It catches potential hackers trying to login and blocks them. Normally the names are standard attempts like admin, nameofsite, etc. I'd always assumed bots were doing it. But then from Friday, the attempts rose and they were all using my real full name. Different countries. Very weird, but my site security is (hopefully!) strong and nobody has gained access. Because they're now using my real name, I think these must be actual people and now it seems personal iykwim!

Secondly, a friend contacted me to say they'd received spam email from me from a very strange - and not connected to me - email address. Using my full name again, and a peculiar domain. Still pondering what that was all about.

Finally, quite a few of my friends who may or may not be MNers have reported having their emails hacked over the past few days.

Gonna change my password everywhere now though!

Hi MissTeriName and CaveMum - thanks for flagging. I'll pass this on to tech.

Have you put in your password again? It might be a change that has to be okayed by doing that.

I now have a separate email address for mn.

Sorry to make more work for hq but can i suggest that if you do have anything you would not want outed under a namechange, you ask hq to delete the relevant posts/threads so that name ends up with no posts showing at all?

WrenNatsworthy is right, it's impossible to delete or even edit your children's details if you put them in. Can you please change this MNHQ? I want to delete DC's details asap for security reasons. Thanks.

This is about a lot more though than just the fact that mn was compromised. It has to do with how much information there is about people out there in cyber space, information which is usually put there by the people who are compromised.

How many people for instance have their rl name on their twitter account. And how many people have facebook accounts which are public. I am constantly surprised by the amount of information i can e.g. see on someone's facebook profile without having to be their friends. And all it takes is for someone to check in at home on fb and bingo, someone who has gone to the lengths of looking up your rl name immediately knows where you live, with a picture of you and your children into the bargain.

And these types of apps are on the increase, periscope for instance lets people stream live video of whatever they want, often themselves and their children, in their houses. And it's all done in innocence and meanwhile they are essentially publishing their personal world for anyone with too much time on their hands to use for nifarious (sp?) means.

Wren, just change your (eg) 5 year old boy to a 9 year old girl? For now, anyway :)

Ah, plan ruined by scrambled. Doh.

I think it's probably worth bearing in mind that this is a first for MN and given that there's no 'fire drill' for this kind of thing they've handled it as best they can in the moment. I can only assume that all of you being a teensy little bit pissy about things have never found yourselves caught up in a fast moving and unknown situation? I'm not sure there's anything to be gained by keeping on harping about how you'd have handled it differently - until you're in something like this you don't know how the hell you'll handle it.
Do I know what I'm on about? Well, kind of. I found myself in a critical fire situation and in charge of about 80 members of staff and quite a few members of the public. I was by default 'in charge' and wouldn't normally have had to handle that kind of thing. You just do what you do in the moment and hope to hell that common sense gets you through. I think you should lay off a bit. That's all.

That's not good Probably best to De Reg completely and start with a blank account again to be on the safe side.

We don't know why accounts are still being hacked. It's probably not just to piss about correcting spellings

I think it's probably worth bearing in mind that this is a first for MN and given that there's no 'fire drill' for this kind of thing they've handled it as best they can in the moment

Heartbleed

www.telegraph.co.uk/news/uknews/crime/11810790/Mumsnet-founder-targeted-in-Swatting-attack.html

Wren, i just did it, it is possible to edit children, add some more, give them silly names etc...

Thinking about today, MN I've had a email saying a 23 year old wanted me to make his sex slave, with horrendous grammar.

I'm worried now. Of course I deleted it, but it does make me wonder. I've never had an e-mail like it.

is it possible to change the email address you signed up without changing your user name ?

^^ very possibly a stoopid question

Really iamabove? Why can't I do it? I get an error message

Can I just double check that the hacking that took place meant that alternate usernames that were stored on my account details could have been read? I have absolutely no reason to think that they were looked at but I wonder if there's a better way to store the names. I only use each name once or twice.

@textfan

I'm not sure there was any point in posting something that would only cause alarm and exactly the effect the hacker would hope to achieve. but that needs to be balanced against letting mners know there is an issue and to be cautious. Was there communication to all police forces that there were 2 swatting incidents?

You knew someone had accessed a mumsnetters real address and did nothing.

I too am thinking about setting up a unique email just for mn if I even continue using which I'm also considering and I'm sure I'm not the only one. Getting hacked, changing passwords is an inconvenience, having armed police turn up to a house with children in is something else entirely!

He does say that it does seem apparent that MN don't really know what they are doing with regard to security given the explanation here. that's been my feeling too.

I agree passwords need to be more complex too or even randomly generated.

MNHQ presumably has some sort of SOPs in place for a cyber attack, I'm not convinced they do. If they do it needs a major review.

There is an entire CANYON of difference between feeding a troll/giving it attention and keeping your members informed without directly lying to them via short status updates.

Also the information isn't being given in the areas most mners access most often. I get why more in depth explanations be put in "site stuff" but in order to let as many mners know as possible it does as a pp said it would be best to also put on the home page and aibu and chat.

You're right that we needed to balance the need to keep users informed against the possibility that we'd cause alarm/give the hacker what he was after, and tbh that's what we tried to do. Sorry if you don't think we got it right. In terms of whether the two police forces involved communicated what had happened to all UK polices forces: I'm not sure. That would be down to internal police practices; I imagine they have structures in place that determine when crimes are flagged to other forces.

Tech will be looking at options for passwords over the coming days.

We've stickied this thread at the top of active conversations, AIBU and chat as well as Site Stuff, and of course we sent emails to all members.

Yes, AF you can go into my account and change it.

and of course we sent emails to all members.

I have not received an email?

@ScrambledSmegs

WrenNatsworthy is right, it's impossible to delete or even edit your children's details if you put them in. Can you please change this MNHQ? I want to delete DC's details asap for security reasons. Thanks.

Sorry about this, ScrambledSmegs - I'll report to tech now

ta

Me neither. Password reset went through ok, but no email.

aren't our date of births on our profiles too? So name, date of birth, email and postcode
Could he have possible got addresses from the surveymonkey stuff for product tests or is that seperately held?