Active discussions

Meet the Other Phone. Protection built in.

Meet the Other Phone.
Protection built in.

Buy now

Please or to access all these features

Talk

Back to thread
MNHQ

Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ!

47 replies

JustineMumsnet · 18/08/2015 15:37

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

Go to post
MNHQ

JustineMumsnet · 18/08/2015 15:51

@Onetwothreeoops

Do the 11 users know that it was their information taken?

Yes - those users have been mailed, and their passwords have been reset.

MNHQ

JustineMumsnet · 18/08/2015 16:09

@BoreOfWhabylon

Thanks Justine. What a nightmare.

Do you think you should sticky this in chat and aibu?

Yes we will do - txs for the suggestion.

MNHQ

JustineMumsnet · 18/08/2015 16:34

@SecretSquirrels

Blimey Justine Swat at the door and all that! That is very nasty. Are you allowed to tell us whether they have got the perpetrator?

Not as far as I'm aware as yet.

MNHQ

JustineMumsnet · 18/08/2015 16:47

@Sparklingbrook

Do we know why the hacker chose MN in particular?

Well not really - I have in my head that I saw something from him about MN not being a support site for women but a site for men hating, or something like that - but I was on hols and a bit distracted and now can't find any evidence of it and no one else can remember it, so maybe I dreamt that. On the thread he hacked he claimed it was for entertainment purposes...

MNHQ

JustineMumsnet · 18/08/2015 16:50

@TheyGotTheMustardOut

Fucking hell.

Was today's down time another attack?

No it wasn't - database needed a reboot is all. It happens from time to time. But we are not complacent.

MNHQ

JustineMumsnet · 18/08/2015 16:51

@ItsAllGoingToBeFine

Justine You didn't imagine it. One of the first posts that was edited was spouting something about misandry...

Ah, thanks for confirming I'm not going senile (well not in this instance anyway Smile)

MNHQ

JustineMumsnet · 18/08/2015 17:10

@Maryz

How has it taken a week to discover this?

Posters were repeatedly reassured that passwords were encrypted and safe, whereas presumably they aren't.

Now it doesn't bother me who knows my password (unless it's my teenagers), but really, this is all a bit too little, too late, isn't it?

[cynical]

Passwords were/ are encrypted Maryz so we can be sure they aren't being accessed from our database and it isn't/wasn't obvious how they he got hold of some. As it's become clear what data the hacker had got hold of we've done tonnes of investigation (which takes time) - and tested a few different hypothesis - and have come up with a possible route for the hacker but we can't know for sure I'm afraid. Nonetheless the security advice we've given re passwords and logins is sensible to bear in mind for any website you're using.

MNHQ

JessicaMumsnet · 18/08/2015 17:22

@SusanMichelson

I've just tried to change my email address, got the confirmation email, clicked on the link, entered my password and it said 'sorry an error has occurred'.

Minor issue I'm sure but if you could.

Hello, can you try resetting your password by entering in the email you've just confirmed? Thank you

MNHQ

JessicaMumsnet · 18/08/2015 17:25

@BoreOfWhabylon

Justine I reset my password as you instructed and all was well until I went to another open browser window. When I came back to MN I was logged out. Tried to log in with the new password but not accepted. Tried with old one - nada. but The url didn't have the 'secure' https etc.

Aaaaaanyway, eventually I requested another pw reset, changed pw again and am now back - BUT the url when I lgged in was still only mumsnet.com

Confused

Thanks for letting us know BoreOfWhabylon am glad you're in now, sorry for the palaver

MNHQ

JustineMumsnet · 18/08/2015 17:34

@Maryz

I just don't understand how you have known for a week that this was serious (you must have know when police turned up, it doesn't get more serious than that), and yet mnhq have bee posting reassuring "it's all going to be fine" and amusing "oh he's at it again" type posts all over the place.

It seems to me that this was serious enough that you should have warned people a week ago that you had a major problem with security and that people should be careful.

You didn't have to wait until you had all the details; a generic warning is the least you should have done, imo.

Because you didn't know if it was even more serious. You didn't know for sure that someone "out there" didn't have full access to everyones' email addresses and passwords for an entire week.

I think there are two distinct things you're conflating here.

RE the swatting, to be honest I wasn't overkeen on giving him his moment of drama - no doubt what he was after - and the Mnetter concerned was very shaken up and didn't want to post on the thread. Also we were liaising with the police and very much hoping for a quick conclusion or that he would out himself over time. So far, as said, the police have drawn a blank and the dust has settled a bit. So we consulted with the MNetter he'd swatted today and decided to inform you all just on the off-chance he does it again - I was mightily to be honest when I realised it was a hoax and not a real gunman prowling round my house - and thought it was right to put out there.

With regard to user data we didn't know he had access to member passwords until Sunday when he posted as a Mumsnet user - prior to that he was editing posts which is a different thing altogether and didn't indicate he knew user passwords. Even then it was very hard to work out how he might have got them - most likely guess was that he knew/ guessed an individual password of an MNHQ admin - and so we locked MNHQ admin down early last week.

It took a lot of digging into the logs to find further activity and it's only become apparent yesterday and today that he's accessed these 11 accounts - there may be more and we are still digging. I really don't think we've been negligent in not forcing a password change earlier and as said at length, if what we're dealing with is a phishing attack or the like then your vigilance is still required.

MNHQ

JustineMumsnet · 18/08/2015 17:41

@middlings

By the way, I've received a confirmation to my email address of my password change.

So, Brew, Wine and whatever else is needed to MNHQ. Justine, your children must have been terrified :(. Hope there's not much family fall out from that experience.

That's kind of you to think of us middlings and everyone who's sympathised but actually we were away and blissfully unaware. It was our poor au pair who was scared half to death.

MNHQ

JessicaMumsnet · 18/08/2015 17:45

@SusanMichelson

But I'm not getting an email notification of password change to either of the addresses, old or new.

Sorry to be a pain SusanMichelsom but would you mind mailing [email protected] please so we can look at which email addresses you are using? Thank you Smile

MNHQ

JustineMumsnet · 18/08/2015 17:46

@Maryz

I get that Justine.

But it seems to me that you hadn't a clue what was going on (which I have no issue with) but wanted to reassure posters that nothing was wrong (which I do have an issue with, because you didn't actually know).

You can't just hope everything is ok when you know that a hacker of some sort has one persons email address and password, and another poster's real life address.

Surely you owe posters at least a "something weird is happening, be careful" type of thread, instead of the reassurance you have been giving us.

It's not right.

I disagree - we were certainly in the dark about what was going on and needed to dig about a fair bit to be able to say something sensible to you all. In the meantime I'm not sure there was any point in posting something that would only cause alarm and exactly the effect the hacker would hope to achieve.

MNHQ

JessicaMumsnet · 18/08/2015 17:48

@badg3r

Hmmm... Pretty sure my password had been changed since I suddenly couldn't login to the app and my password is saved automatically. Anyone else have this problem?

Hi badg3r, we changed all user passwords as a precaution today, you seem to be in now fine but if you have trouble please do reset your password by entering your email address here

MNHQ

JustineMumsnet · 18/08/2015 17:48

@Maryz

I find it hard to believe that I'm the only person who thinks this just isn't funny.

I certainly don't think it's funny Maryz. I simply don't see what you'd have had us do other than perhaps adopt a more serious tone and you may be right about that. But I don't think it would have actually achieved any different outcome.

MNHQ

JustineMumsnet · 18/08/2015 17:49

@YeOldeTrout

Like any other company with lots of servers to run, MNHQ have constant hacker assaults to deal with. The rational business decision is to only issue an alarm to posters when they have credible evidence about any of these assaults being successful enough to directly matter to posters.

I couldn't have put it better myself - thank you YeOldeTrout - that's what I meant!

MNHQ

JessicaMumsnet · 18/08/2015 17:55

@BoreOfWhabylon

ouryve it was the login page though.

All this has given me brainhurt Sad

But probably not as much brainhurt as it's given MNHQ

Thanks BoreOfWhabylon we'll take a look into this, can you let us know if it is still happening if you visit the log in page and what browser you are using?

MNHQ

JustineMumsnet · 18/08/2015 17:58

@Maryz

Well I don't agree with you.

You knew someone had accessed a mumsnetters real address and did nothing.

I'm off to change my password and my email address. I fact, I'm seriously considering deleting my account and linking a new one to a non-traceable gmail. NOT because of a hacker. But because mnhq continually down-playing it and essentially lying that everything is ok has seriously pissed me off. It's just not on to treat us like small children.

I think this was a very poor show.

That Mumsnetter's address - and mine for that matter - is accessible without any information we store - we've googled and checked. So I don't accept your criticism Mary and don't think we've been lying to you.

An awful lot of the country are vulnerable to swatting I suspect if someone has a mind to do it and no one needs Mumsnet data to do it. But it's obviously completely up to you whether you trust us want to use the site or not.

MNHQ

JessicaMumsnet · 18/08/2015 17:58

@WicksEnd

Take a look at this MNHQ. This page is a screen shot of the MN tab I've been using all day. As you can see it says Https at the top. (Well obviously not all day I might have done a load of washing Grin

This is a screen shot of the tab I'm on now and posting from. It doesn't have the Https. What does that mean?

Hello, the login page should be https not other pages including this thread.

MNHQ

JustineMumsnet · 18/08/2015 17:59

I need to step out for a bit now as have 6 kids (not all mine) who I've neglected all day and who need taking to the cinema - but I'll be back on later.

MNHQ

JessicaMumsnet · 18/08/2015 18:04

@WicksEnd

MNHQ Please have a look at my recently reported post if you possible can. I'm sure you're very busy but it's quite important. Thanks.

We've replied to you and sorted that now Wicksend Smile

MNHQ

SarahMumsnet · 18/08/2015 19:15

@ItsAllGoingToBeFine

I agree with MaryZ.

We didn't need to know about the "swatting".

We did need to know about the DDOS
We did need to know about the administration functions being compromised.
We did need to know about the (few) user accounts being compromised.
We did need to know about the potential phishing.

Users should have been informed of these events as they were happening/as soon as MNHQ became aware in a low key matter of fact way. MNHQ presumably has some sort of SOPs in place for a cyber attack, may I respectfully suggest that after this debacle they update this to include keeping their users informed so that they can take action.

I also agree with other posters that MN should require a secure password, it is good practice, and will hopefully encourage users to think about their passwords for other sites too.

We posted to tell users about the DDoS attack as soon as it happened, ItsAllGoingToBeFine, and updated the thread to say that we were looking into how the hacker had got into our administrative functions. At that point, we locked down all access to our administrative functions, and the hacker went quiet, so we assumed (incorrectly as it turns out) that we'd locked him out. We kept a close eye on things, but didn't see any more suspicious activity until Sunday, at which point tech directed all their resources at investigating any other possible routes into the site. We didn't want to alert the hacker to our investigations, but as soon as we got to the point that we had a robust theory (though as Justine said in her OP, it does remain only a theory) we posted to say what we thought had happened and what we proposed to do about it.

The whole thing has unfolded very quickly, and we've done our best to investigate as fast as we could, and update you as soon as we were able - which we'll keep doing, as new information surfaces.

MNHQ

SarahMumsnet · 18/08/2015 19:16

@MrsBertMacklin

Can I make a quick suggestion - there's another thread running called I've Had to Reset My Password and people are talking about having reset with the same password because they haven't seen this thread.

Can Tech, instead of directing people to the LogIn page, direct them to this sticky, which has the reset link in it?

Thanks for the suggestion, MrsBertMacklin - I'll put it to tech

MNHQ

SarahMumsnet · 18/08/2015 19:20

@quietasamouse

My question was never answered. I gave the benefit of the doubt at first, but tbh it seems to sum up the contempt with which I'm starting to feel we are being treated.

Sorry quietasamouse - it's been fairly full on. I'll go back through the thread and find your question now.

MNHQ

SarahMumsnet · 18/08/2015 19:24

@quietasamouse

But Justine surely if people have supplied their postcodes when signing up a hacker could find out where they lived?

Yes, it's possible - as Justine said in the OP, if you entered your postcode when you signed up with MN, then it will be visible in your account, and if the hacker phished your password and logged in as you, they would have been able to see it. FWIW, in the case of Justine and Bearfrills, this isn't how we think their addresses were obtained; again as Justine said in one of her follow-up posts, both were easily googleable.

Watch this thread for updates

Tap "Watch" to get all the latest updates