Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ!

[JustineMumsnet]

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

I reset at 3.45 today it all worked fine until I then left the browser to do something else and it had logged me out and would not accept my new or old password.
Had to request another password reset but I'm in now

ouryve it was the login page though.

All this has given me brainhurt

But probably not as much brainhurt as it's given MNHQ

Oh no, mary you're definitely not the only one who thinks this just isn't funny. It's pretty bad, especially the whole SWAT team thing.

I can see Justine/MNHQ's points but agree that it would have been better to be over cautious, rather than underplaying the potential seriousness of the attack, even if it had given the silly wanker more headspace than he deserved.

@SusanMichelson

But I'm not getting an email notification of password change to either of the addresses, old or new.

Sorry to be a pain SusanMichelsom but would you mind mailing [email protected] please so we can look at which email addresses you are using? Thank you

@Maryz

I get that Justine.

But it seems to me that you hadn't a clue what was going on (which I have no issue with) but wanted to reassure posters that nothing was wrong (which I do have an issue with, because you didn't actually know).

You can't just hope everything is ok when you know that a hacker of some sort has one persons email address and password, and another poster's real life address.

Surely you owe posters at least a "something weird is happening, be careful" type of thread, instead of the reassurance you have been giving us.

It's not right.

I disagree - we were certainly in the dark about what was going on and needed to dig about a fair bit to be able to say something sensible to you all. In the meantime I'm not sure there was any point in posting something that would only cause alarm and exactly the effect the hacker would hope to achieve.

Like any other company with lots of servers to run, MNHQ have constant hacker assaults to deal with. The rational business decision is to only issue an alarm to posters when they have credible evidence about any of these assaults being successful enough to directly matter to posters.

@badg3r

Hmmm... Pretty sure my password had been changed since I suddenly couldn't login to the app and my password is saved automatically. Anyone else have this problem?

Hi badg3r, we changed all user passwords as a precaution today, you seem to be in now fine but if you have trouble please do reset your password by entering your email address here

@Maryz

I find it hard to believe that I'm the only person who thinks this just isn't funny.

I certainly don't think it's funny Maryz. I simply don't see what you'd have had us do other than perhaps adopt a more serious tone and you may be right about that. But I don't think it would have actually achieved any different outcome.

I was logged out this afternoon and my usual password wouldn't work.

I have reset it again.

@YeOldeTrout

Like any other company with lots of servers to run, MNHQ have constant hacker assaults to deal with. The rational business decision is to only issue an alarm to posters when they have credible evidence about any of these assaults being successful enough to directly matter to posters.

I couldn't have put it better myself - thank you YeOldeTrout - that's what I meant!

Its not funny.

But when someone has access like that its pretty hard to shut them down.

Also if he only for into ELEVEN account as, it suggest he went with a brute force attack.

MNHQ, can you not enforce complex passwords please?

I reset my password just now (unaware of the kerfuffle) and it let me change it back to my old one which isn't particularly complex. Just lowercase and a couple if numbers

We wouldn't tell all and sundry that we'd had our systems compromised (on work in IT) and certainly not end users!

Especially when scary things are happening like swatting.

MNHQ have dine just fine

Take a look at this MNHQ. This page is a screen shot of the MN tab I've been using all day. As you can see it says Https at the top. (Well obviously not all day I might have done a load of washing

This is a screen shot of the tab I'm on now and posting from. It doesn't have the Https. What does that mean?

I'm with you Maryz.

Some sort of heads up that something weird was going on would have helped.

I did think something odd was going on when there were 2 posters with the name on one thread. But still MNHQ made light of it.

Tbf MaryZ I could probably track posters down with zero access to their accounts.

Justine, it was one of Jeffrey's little friends who posted to the effect that MN was a haven of man haters, the tweet was deleted before Jeffrey himself was banned.

I am very sorry to read about the experience of your au pair and the MNetter who was targeted. These are despicable acts.

same name*

I also agree it's not funny but I don't think MNHQ have done anything but the best they could. They were there in the background actually dealing dealing with it.
I fail to see how a generic "something's up, watch your step" type post from then would have helped. In fact anything which hinted at withheld info would have turned into a bloody shitstorm from all the finger-tappers.
Besides, we knew something was up. We knew there was a hack. Anyone particularly concerned about that could have changed passwords/deleted account/retired to the bunker at any point, no need to wait for the signal. Your account, do what you feel is best.
I think HQ can't win with a minority of huffy posters with unrealistic expectations.

He only had access to 11 out if the 100,000s accounts, so if he had a copy if password s etc (which he didn't) a lot more would be compromised.

hashtag, me too. All was well this morning, then when I opened up lap top this afternoon I was logged out and Mumsnet would not accept my password.

I have had to do a reset using a different password to get back in again.