Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ!

[JustineMumsnet]

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

So I've set up a new account but can MNHQ reassure me that the hacker can't access the new accounts

I've used a unique email address as usual but I still don't like the thought that someone could access my account. I don't have any information but I don't like the thought that someone could post from my account or something.

I'm pretty sure i didnt type in my password the one time i had to log in last week. I checked the list (yes i went through all 3000 -too muh time on my hands- like some cryptographers i could mention ) i couldnt see my name on it.

Could someone do the search thingy for my name please and if its there say what the password beside it is?

I was caught out under a former name. I think the problem is that when you log
In from a mobile site (phone or tablet), you don't see the full irk with just login.anyoldwebsite.com

Surly - can't see you on there

Bogey that's not appreciated considering the risk my dd and I are now at because of this and I'm not talking a tech one I'm talking assault! Hilarious eh!!!!

Of course it isnt.

However, I have had my emails comprised before, sometimes it just happens because the bastards get the combination right.

Shouting at MN isnt going to help keep you safe.

You are NOT at risk because of this. All the hackers can get is your usename and password. They cant get your address, your real name or your childs name.

I understand the fear, I really do. But stop and think for a second. What can anyone do with your username, a password that no longer works and an ISP that is so vague that mine has me logging in from a city 15 miles away.

Keep every password different and dont post anything online that you dont want "out there".

Thank you both.

Well I was one of the phished, while I kick my own arse for not realising can I request a delete of my posting history please? Yes a full delete!

If you use your password for facebook, anyone who could see the still active dadsec pages could log in and find out personal details? Some of the 3000 posters won't be aware of this yet so will not know to change their other passwords (if they are the same).

Passwords all changed. Just want I want to do at this time when I have work in the morning!

School - sorry to hear that. Have your tried emailing MNHQ direct to request the deletion? Probably more effective that a comment on this thread which might get overlooked.

Why the f*ck not might I ask enviousllama? L

Not expecting you to know, just expressing my annoyance!

Well said bogey.

Textfan, you are panicking and not thinking logically. You need to calm down. You are working yourself into a frantic tizzy unnecessarily. It is helping no-one.

Yes I've reported my own post Perspicacia

This is the first time that I've been happy that Hotmail stopped allowing you to link all your hotmail accounts to each other so you could access them all if you were logged into one of them.

However, I have also been in to try and erase personal details from my account here, and it's true that you can't remove your children; but I can't even change their details either. I just get an "oops! error something or other" and nothing changes.

School - it may be just because the situation the site is in at the moment, MNHQ will be able to delete your entire posting history, they've done it before for other posters.

What form did the phishing take School?

cpsr.org/prevsite/publications/newsletters/issues/2000/Winter2000/king.html/
© Computer Professionals for Social Responsibility

'there are no women friendly spaces' on the internet.

Discuss with references to continued invasions by angry men either alone or in groups, especially on certain boards such as Relationships and Feminist topics.

The targeting of certain women who frequently post in forthright manner on those boards, and threads started with the aim of disparaging those boards and those posters should be of great concern to MN.

Thumb - I had that problem when I tried to change my children's details earlier. I just logged back on and their details have now gone - hurrah. I'm suspecting that MNHQ servers are currently overloaded with changes and updates to user accounts and there is a slight lag between us typing a change and it actually being applied to the database.
Might be worth checking your account again to see if the changes you made have now been applied.

Mardybra - the phishing was described upthread by Justine - a fake login page was used by Dadsec to grab users details as they entered them. Hence the need for us to check that the login page we use is starts with https.

If the hacker(s) accessed the accounts they had the passwords to they will have the posters email addresses. Even if posters had (let's hope) different email passwords, the email addresses if released could, with the mumsnet account name, identify the posters and then their posting history is laid out and clearly linked to their real name. Mumsnet you should be letting posters delete their account history! I know there is a huge amount on but this should really be a priority.

So how would people end up on the fake login though?

Mumsnet was taken down and when someone tried to access the page they were redirected to a page that looked identical to login.... Except it wasn't it was a fake site used to harvest usernames and passwords.

Because he also hacked the site so that clicking on the real MN login button redirected you to his fake login page instead of the real one.