Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ!

[JustineMumsnet]

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

You couldn't register with the same email address. But nothing stopping you having five accounts all with thirty usernames.

I really did not want to post on this or identify myself but I think Justine is being treated a little unfairly here.

I'm the poster who got swatted. Yes, it was related to the hacking however I don't blame MN, I blame the individual responsible. I contacted MN shortly after it happened and they rang me first thing the next day. I was tired, a little bit in shock, and worried, I made a complete showing up of myself bt crying at one point FFS. Since that initial call MN have kept in touch both to check we're okay and to keep us informed of the investigation at their end. They've been kind, courteous, and called a twat a twat.

When it happened it was part of an ongoing police investigation, it still is, and was being treated as a serious incident. In such a situation, putting all the card on the table would have fuelled it and would have encouraged Jeffrey. The police advised me that these sick types get off on the attention and the fallout of what they've done. I had no wish to feed the troll.

Before posting this thread they contacted me again to discuss it with me and to ask of they could mention me. I agreed but didn't want to have my username given, I'm breaking that now to defend the actions taken. There was stuff going on behind the scenes that couldn't be posted about. When deciding whether or not to agree that I could be mentioned in Justine's post I had to weigh up the pro's and cons of speaking out and giving him the reaction he wants or keeping quiet and possibly provoking further harassment as he continues to seek a reaction. It's a dammed if you do and dammed if you don't situation and one which I think MN have handled as best they could in the circumstances. On the one hand you want to keep people informed but on the other you don't want to help an attention seeker get his jollies by giving him the very reaction he was after in the first place.

I'm now off to name change.

You couldn't register with the same email address. But nothing stopping you having five accounts all with thirty usernames.

I suspect MN will have things in place (checking IP address etc) to prevent the same person registering multiple accounts.

Justine
my sympathies to you and your family (and your aupair) and to the other MNetter who was swatted. I'm glad that no one was hurt, but it must have been rather frightening.

I've heard of swatting before, as it's used in US gaming scene to frighten or troll people. I'm hoping that the UK police are somewhat less gung-ho in their response.

I do tend to agree with Mary re the response to this hack. While I understand that you didn't know that this person would escalate the attack, and that it took some time to find out what is going on, I'd have preferred to have had a clear message that passwords should be changed immediately.

I have an email address that I only use for Mumsnet, and have a fairly complex password that isn't easy to guess.

I read a really good way of remembering a password. You choose a phrase and add some letters.

So, say I wanted a new password for Twitter, I'd do

T for Twitter
tswco2m for The Sun Will Come Out 2Moro
R for twitteR

that would give Ttswco2mR (that is obviously NOT my Twitter password!)

You can use any phrase you like in the middle, as long as you can remember it! Favourite song, poem, family saying. Use the name of the site at either end e.g. so my Twitter password would be T......R, Mumsnet would be M.....N or M.....T

I also use a password app to save all my passwords, called 1Password, which has a very cryptic password.

Bearfrills

My profile is now empty - was that intentional? I might leave it that way to be honest!

Bearfrills, the one action I do agree with was not posting about the swatting. I'm sorry you went through that.

Christ what a mess.

Managed to change mine first time thankfully.

Oh bloody hell Bear ! I'm so sorry, hope you're okay now

I could only get my newly reset password to work by UNTICKING the keep me logged in option

and it has put me back to an OLD username.

I'm hoping that the UK police are somewhat less gung-ho in their response.

The police were professional but they were there to deal with what they thought was a hostage situation - that DH had a gun, shots had been fired, and someone was hurt. There were a fuck of a lot police in my house, all of them armed, and it was searched. DH was handcuffed and taken away until they realised he was no longer a suspect. My children, the eldest of whom is only 5yo, we're woken from their beds and had to be taken dow stairs so that the police could verify they were unarmed. I had to chase DS1 from bed to bed, which was sort of funny. I turfed him out of his bed so he got into mine, tracked him down and turfed him out of there so he went and got into DD's bed, turfed him out of there so he went and got back into his own all while this policeman is asking "can I see the children please? Can you bring the children here?" I had to call back that I was trying "but he keeps running back to bed!" :o

Bear that must have been traumatic.

Ttswco2mR is not really massively hard to crack tbh. Four common words separated by spaces is much more secure.

xkcd always has the perfect cartoon!

Bearfrills
I cross-posted with you. I'm not blaming Justine or MNHQ, as the blame lies squarely with the person who did this. And I can see your point re not giving him the attention he desires.

I actually changed my password when it happened, and then changed again now, but many people didn't even see the hack and may not have known that their details may have been compromised.

Verify they were unharmed, not unarmed

I said it last week, and i will say it again.

There is an entire CANYON of difference between feeding a troll/giving it attention and keeping your members informed without directly lying to them via short status updates.

It's all going to be fine

No they don't.

An automatic system would have no clue if [email protected] was the same person as [email protected]

Onky the email address has to be unique for the database record to be created.

I have multiple accounts on Mumsnet. I just created the Monkey SeeMonkeyDooDoo account to check the postcode thing.

Honestly the fact that after all this they didn't force users to have complex password is what concerns me!!

Lots of sites don't allow spaces in passwords

Love the cartoon though!

Lolo
I'm just going by advice I was given recently. I'm no expert. It's more secure than password1234, which a friend of mine was using!

My main security is having different passwords for all sites, even if that is a PITA.

But he wanted it to be posted about, I was sent a message the next day asking me how was my night so - in what is a very unusual set of circumstances - it would have been feeding him.

Mate, next cake is on me . Horrible for you all to go through.

Justine, if we log in with FB or Google, does that make those pages identifiable if MN is hacked again?

password strength checker

Bloody hell Bear. Sounds very stressful and frightening.

All changed.
for you all at the towers.