Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ!

[JustineMumsnet]

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

I have not read the full thread. I have just had to sign back in as I was logged out and did so via the app before I was able to read this thread. Is my new password safe or not?

I've had the email 5 times, are they getting misdirected somehow.

I too have had lots of spam emails from contacts recently (I think I even posted about it recently) and sex type emails to an email account that I've never had that type of message to before.

I don't think either are connected to mumsnet (different email accounts) but it does seem that there's a wider problem in cyber space at the moment.

Flipping hell! I had to reset it earlier today but didn't realise the swat team calls etc. very scary.

It's incredible how women having space and voices incenses certain men, isn't it?

No email here either

Hey everyone, quick word back on the emails - have spoken to tech. We have indeed sent the emails to everyone, but we've been around for a while, so have a LOT of users, and it seems it may be taking some time to work through the list. Very sorry some of them are taking a while to get through, but please don't worry if yours hasn't arrived yet; there's nothing sinister going on

"bloody Jeffrey" is a cheesy knob head cockwomble.

Thank you Sarah.

I've just had an email come through!

Well I had some attempts to phish using fake emails last week, but they stopped them all - three in one morning. That's a first. I don't think it was related to this bollocks. It happened before that.

Holy Smoke!
I've had loads of spam since last week, maybe two weeks ago. Tons.
I've had to sign back into MN several times over the last week.

I have managed to change my password now.

How terrible for those swatted.

The sad bastard.

I think you need a restorative, Sarah. Raid Tech's gin cupboard!

I have changed password and can log in on Safari but the new trial MN app is buggered, it won't let me log in or show anything, it's entirely blank!

What I did to increase security was to setup a new Gmail email address with a nonsense name e.g. [email protected] (this is NOT my email!), set it up with 2-step verification, and use that to register with MN. I never check this email so to make sure I don't miss out on communication I then setup email forwarding from this account to automatically forward all emails to my normal email address. Slightly OTT maybe, but it works for me.

I didn't get an email either.

But I reset the password after last week's stuff and simply thought I'd forgotten the new password when I logged in earlier, even though I'd remembered it at lunchtime.

I've also changed email addresses, and wiped a lot of info about me, including changing email passwords, discovering that a friend of mine may have been hacked in the meantime. (but not me, at least nothing is showing up yet.)

I use a different password for each site, it's just sensible.

alas, cozietoesie, I am the proud owner of an 8mo who likes to start the day at 5am. It's peppermint tea or bust for me

SarahMumsnet the email hasn't reached me, either. Current, reliable address.

@ouryve

SarahMumsnet the email hasn't reached me, either. Current, reliable address.

tech assures me they're on their way, ouryve - it's seems that it's just taking a while for some of them to get through as our list of registered users is so long.

I'm really sorry to hear about BearFrills' and Justine's au pair's experiences . I sincerely hope that the police find Jeffrey and throw the book at him. In the meanwhile, it is an ongoing criminal investigation and we all ought to remember that there will be limits on what MNHQ can say publicly about what is going on so that there is no danger that it is compromised.

However...

MN has been playing up for over the last week (slow to load, crashing, pages blanking out) and today I was booted out and it has taken some hours to get back in with a new password. I still haven't got the email either. Thought you ought to know, in case it is useful info for the agency I sincerely hope that you are now engaging to work out a) how to minimize the chances of this happening again; and b) what your SOP should be when something similar does happen (because let's face it, something is going to go wrong at some point, that just is what it is).

I agree with Maryz and others that waiting a week to tell us that something more sinister has been going on is unacceptable. I know that there is always a judgment call to be made re timing, and telling people that there is a problem when you can't answer questions can cause a bit of panic. But I don't see why you couldn't have put something up that said "We think that we have resolved the key problems caused by Jeffrey, but Tech is still working on a few loose threads. We will come back with a fuller explanation of what went on when he has finished on that, but in the mean time we are taking the precautionary measure of making everyone change their passwords. We would also like to remind everyone about basic internet security (don't use the same password for everything; make your passwords complicated etc etc etc)"

EveDallas - I bet the owner of the lost laptop had to write down the username and password because they were so bloody complex to remember, and the laptop automatically shuts down after three failed attempts. An example of when security goes so far as to render the IT significantly less useful than intended...

Just to join the party.

I haven't had an email either but the app kept kicking me out. Had to go on to the website to see if there was an issue

Oh, and I've also had loads of spam / phishing emails in the last week, though I suspect that's coincidental. I do wonder, though, about the large number of emails allegedly sent from my friends' email accounts urging me to click a link of a "totally hillarious video" etc - now I come to think of it, I reckon they are all probably MNers...

I set up new accounts from time to time and I always use unique site specific emails and passwords.

I post a lot but routinely alter details so I'm not identifiable.

I'm usually very cautious but I'd like to confirm that 'real' details given via survey monkey in response for volunteers to test school bags won't have been compromised.

I'm always surprised how much info people give out. One long time poster is so easy to google despite the fact she regularly name change. Even her adult children are easily identifiable. It seems a bit risky to me.

Just using this thread to test if I can post.

CantSee4Looking - the extra stuff in the url is just the page where you were so that the login page can get you right back there instead of popping you to the homepage or wherever.

If you look at it, you'll see the link of the page you were on when you clicked "login" -- the %2F etc is the url encoding of that link so it doesn't interfere with the login url. You can see how encoding works here.

I've gotten the notification email four times already...

(I'm sad I am restricted to 100 posts showing on my threads with my new account. I know it's minor worry compared to everything else.)