Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ!

[JustineMumsnet]

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

@BoreOfWhabylon

ouryve it was the login page though.

All this has given me brainhurt

But probably not as much brainhurt as it's given MNHQ

Thanks BoreOfWhabylon we'll take a look into this, can you let us know if it is still happening if you visit the log in page and what browser you are using?

MNHQ please make us have complex passwords

MNHQ
Please have a look at my recently reported post if you possible can. I'm sure you're very busy but it's quite important. Thanks.

Maryz - nooooo! you can't create a new account, you'll be stuck with MN New!! don't do it. You know you'll hate it.

@Maryz

Well I don't agree with you.

You knew someone had accessed a mumsnetters real address and did nothing.

I'm off to change my password and my email address. I fact, I'm seriously considering deleting my account and linking a new one to a non-traceable gmail. NOT because of a hacker. But because mnhq continually down-playing it and essentially lying that everything is ok has seriously pissed me off. It's just not on to treat us like small children.

I think this was a very poor show.

That Mumsnetter's address - and mine for that matter - is accessible without any information we store - we've googled and checked. So I don't accept your criticism Mary and don't think we've been lying to you.

An awful lot of the country are vulnerable to swatting I suspect if someone has a mind to do it and no one needs Mumsnet data to do it. But it's obviously completely up to you whether you trust us want to use the site or not.

@WicksEnd

Take a look at this MNHQ. This page is a screen shot of the MN tab I've been using all day. As you can see it says Https at the top. (Well obviously not all day I might have done a load of washing

This is a screen shot of the tab I'm on now and posting from. It doesn't have the Https. What does that mean?

Hello, the login page should be https not other pages including this thread.

Maryz - the posters address thing, MN don't collect addresses.
The poster communicated with him on twitter, likelihood is he made use of social media and other available info to whittle down RL details.

I need to step out for a bit now as have 6 kids (not all mine) who I've neglected all day and who need taking to the cinema - but I'll be back on later.

WicksEnd - am on phone app but that is worrying!

This is 00100001

I have no idea why anyone would put their postcode into MN. Its not compulsory.

Secondly MNHQ I just put in the lamest password for this account. Just "fredfredfred"

It seems insane that I don't need to even put a numeral in after you've forced us the "change" our passwords

Yeah, it is not MNHQ fault they got the addresses.

FWIW I think you have done a great job MN. Thank you.

How did he know names of mumsnetter in order to get address? Or was that off Twitter?
Because MN do store our surname and sometimes postcode, so surely he could get an address with the data MN store in our account details?

Oh x post

@WicksEnd

MNHQ Please have a look at my recently reported post if you possible can. I'm sure you're very busy but it's quite important. Thanks.

We've replied to you and sorted that now Wicksend

badg3r. Same happened to me - and I think that is all correct and shipshape - a couple of hours ago Mumsnet 'disabled' all passwords, figuring this is the easiest way of forcing every mumsnet user to change their passwords. So your autofilled password would no longer be accepted.

They only have your postcode if you close to put it in, its not compulsory. Also they don't have a surname either. Unless you choose to put it in

I know it's not compulsory, but it is possible to have it there so surely it's also possible that he got the data that way.

DH is a professional in IT security.

He does say that it does seem apparent that MN don't really know what they are doing with regard to security given the explanation here.

It is MORE LIKELY that passwords have been hacked from a list of email addresses that have already been hacked somewhere else. People use the same passwords for different sites. Phishing in the way described above would be a lot of work for the same ends and therefore is probably unlikely.

OR
it is possible you got done by Heartbleed ages ago and someone has been sitting on it. (he was sitting on some information and didn't act all in one go)

OR
They have got through encryption if you are using a particular type. You wouldn't need to know the passwords and it wouldn't give you the passwords but you could get the information needed to access the account. He says it can be done in about 30 seconds if you are using this encryption type and know what you are doing. (DH: Even salted hashes can be cracked quickly from an extract, salts don't add much to the affair either.)

And getting an address from twitter is not particularly difficult.

All pages on the site should be not just login really as it makes it harder for hackers and means users don't have to worry so much.

He holds the view that MN are trying to shift the blame for not taking proper security measures in the first place.

Depending on what has happened someone may have put a backdoor in on the server which you can't see too...

If you need a more detailed explanation, then I can try and get DH to contact you if he has time.

Justine 'I need to step out for a bit now as have 6 kids (not all mine) who I've neglected all day and who need taking to the cinema - but I'll be back on later.'

Be careful Justine, you are sounding a bit like Camila Batmanghelidgh. That is one of her techniques according to The Spectator. Children to deal with and steps back later. Only joshing. I think you have put up with a lot and done a great job.

Jessica I just went to login page and it still only said 'mumsnet.com' at the top - until I clicked on that and then the whole secure url was revealed! (is ipad)

Sorry sorry. I am such a fool

Indeed red I think security was a bit lacking in the first place.

AND STILL IS! I'm shocked that the password reset didn't actually force you to actually chnahe your password or make it complex

I agree with MaryZ.

We didn't need to know about the "swatting".

We did need to know about the DDOS
We did need to know about the administration functions being compromised.
We did need to know about the (few) user accounts being compromised.
We did need to know about the potential phishing.

Users should have been informed of these events as they were happening/as soon as MNHQ became aware in a low key matter of fact way. MNHQ presumably has some sort of SOPs in place for a cyber attack, may I respectfully suggest that after this debacle they update this to include keeping their users informed so that they can take action.

I also agree with other posters that MN should require a secure password, it is good practice, and will hopefully encourage users to think about their passwords for other sites too.

I can't even remember my old password and if it's the same as other one I use on other sites. Yikes! Do I need to change all my passwords?