Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ!

[JustineMumsnet]

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

mynewaccount - I think I know who you mean. I think arguably it is less risky to post knowing you are effectively doing so in public with your own name (which this poster does. She knows many people know her real name from simply go ogling salient biographical details) than to post expecting to be anonymous.

@CloserToFiftyThanTwenty

I agree with Maryz and others that waiting a week to tell us that something more sinister has been going on is unacceptable. I know that there is always a judgment call to be made re timing, and telling people that there is a problem when you can't answer questions can cause a bit of panic. But I don't see why you couldn't have put something up that said "We think that we have resolved the key problems caused by Jeffrey, but Tech is still working on a few loose threads. We will come back with a fuller explanation of what went on when he has finished on that, but in the mean time we are taking the precautionary measure of making everyone change their passwords. We would also like to remind everyone about basic internet security (don't use the same password for everything; make your passwords complicated etc etc etc)"

We understand why you're upset, CloserToFifty, but we think we made the best calls we could with the information we had, in the moment. The swatting side of things had to be dealt with separately due to the involvement of the police, and we were confident (and remain confident) that the hacker found the two addresses via Google, not us, so the swatting didn't itself ring alarm bells about passwords. It wasn't that we waited a week to tell you there was something more sinister going on; until Sunday, when we became aware of further activity by the hacker, we weren't aware that there was anything more sinister going on. At that point, we needed to investigate as thoroughly as possible behind the scenes without alerting the hacker to what we were doing, and as soon as we came up with a plausible theory, we posted. As I said upthread, it was a constantly shifting situation, and we did our very best to balance all the competing considerations.

@CantSee4Looking

HQ why is it when you click to login in when you click a link from talk or something like that, that you get a whole heap of extra in the url?

eg: www.mumsnet.com/session/login?target=%2FTalk%2F_chat%2Fa2444911-Ask-a-stupid-question-free-from-judgement%3Fmsgid%3D56180726

I was on the thread reading it when logged out and clicking the log in button on the top right corner gave me this url.

when I was on talk and tried to log in there was stuff connected to talk in the URL.

Are you saying that these should not be used and only the linked log in url in the op must be used.

Hello there,

We append all of that extra info to the url so that we can redirect you back to the page you came from once you've logged in. If you're curious it's called a query string and v common practice to include extra info not really part of the url. You'll see it on searches and e-commerce site too.

Note that the url still contains the crucial 'https' so all is well.

Really sorry Justine and Bearfrills, what an absolute arsehole!

Thanks for letting us know.

Just found this as I was about to pose a question...

I have over the past several evenings had to sign in each time I went onto MN ~ thought it was odd, but hey ho. Tonight, I'd tried many times to log in and eventually I asked for a reset...I typed in my (now previous) password as my new reset one and it was accepted which I thought strange hence finding this thread.

Don't know if I've added anything different to the mix, but thought I'd mention it anyway.

Ahhhh it has dawned on me why I get various emails about Mumsnet Exeter. I must have put a fake post code in when I joined. I don't live anywhere near Exeter.

I do think we should have all received an email advising us our personal details may have been compromised. When I came on earlier just felt a bit frustrated that I needed to sign on yet again, then had to get a password reset, so naively reused my old password as it is easier to remember. Majority of systems I access do not normally permit reuse of a former password, so I just assumed that I had set the account up with a different one in the first place.

It was only later that I happened upon this thread, and was shocked to realise that I had reused my password which may have actually been already obtained. Not only that my real name, postcode and date of birth is potentially available to unknown others (I have now deleted this, as I had not realised it was optional when originally creating my account)

How many other MNers are still not aware of the potential security risk to their personal data?

IMO This thread needs to be a sticky at the top of all topics.

Jesus Christ Justine and Bearfrills. That's shocking.

I also had a go at him on Twitter and he responded to me too. I do hope I don't get the police turning up at my door. Dh has got lots of shotguns and they might get the wrong idea!

SarahMumsnet Thanks for your reply - having done more than my fair share of emergency comms in my time, I think we will have to agree to disagree.

Anyway.... Any chance we can have a webchat set up with a proper internet / social media security expert? Ie one place where we could ask questions (like if we sign into a site using Facebook are our accounts then linked in some way?) and share tips and advice on keeping safe and secure online

Slightly baffled. I reset my password using the link up at the top right of the page, and it did have the https. Are we supposed to get a confirmation email? I didn't.

Mynewaccount
I've been 'outed' as such on Mumsnet, due to the blogging work I've done and various things that used my RL name. If I want to post something private, I do so under a different name. Even without being able to link my name to a user name on Mumsnet, it would be easy to find me as being a MNetter, since I occasionally post about the site on Twitter.

Horrible as the events of the past week were for Justine and Bear, they are very rare. Part of the reason that so many post on Mumsnet is that there is a community here; you 'recognise' people, and friendships have been forged here. If we were all to name change regularly, then that would no longer happen.

I've tightened security, and changed a lot of passwords, particularly those of email addresses, and hope that it's enough.

I too am a bit annoyed it wasn't made clearer sooner than a hacker had my name, postcode and dob.

I'm more annoyed with myself to realise I had mistakingly used the same bloody details on my eBay so they could have my name, Dob and full address (idiot emotion)

I'm having real problems tonight, haven't been able to login as its saying my info is not correct! I've gone through an email from mumsnet sent yesterday and managed to request a change of password which is how I'm on now but worried that this might not have been legit and hoaxers have my info ?

The new app is down & this is the only page I can access?

Closertofifty
That is a great idea. I know my way around social media, but would love to learn more about online security.

Feking hell Justine and Bear and families/friends. Poor you.
I for one missed the whole thing and reset my password just fine.
Stay strong

I also very much like CloserToFifty's suggestion - a general webchat on security would be excellent for general awareness raising and not just on MN.

As far as I can tell, most of the older members of my family use eg pets' names and birthdays for their passwords - and the younger family members, who think they're completely internet savvy, seem to be completely wide open to information manipulation.

cozie is that a little sad face at the end there? Because on the mobile site it says 'sad' and it's in a box?

I presume the hacker got the info about people from their profiles/account details- I've just deleted my postcode off my account, I never put my date of birth down anyway.

But I wanted to ask MNHQ why does MN ask for/need such personal info?

Ignore me, it's back to normal now.

It is a sad face. (I have no idea why it's appearing oddly with you. Blame Jeffrey.)

would the hacker have been able to gather data from profiles in bulk or would he have had to click on each profile one at a time.

No idea how it works

SilverBirch same as me!

Alice I got a confirmation email; I did a reset twice inside a few minutes and got confirmation emails both times.