Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ!

[JustineMumsnet]

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

[ThumbWitchesAbroad]

Errors - I got an error because when I clicked through to reset my password, it asked me if I wanted to use the password associated with my email, so like a fool I clicked on it. Of course that was the old one; but the drop down covers the box for the "confirm your new password", so that's helpful not

Then after I'd successfully changed it, I went to log in again, and it still had my old password in the password field (because I'm permanently logged in!) so it failed me again - just had to type in the new password in the field and here I am again.

Tiresome. But done.

[Myfoofneedspruning]

Gosh...the week before last I noticed something weird : I always stay logged in, one morning I wanted to go on mumsnet I was logged out and when I wanted to log in the username instead my usual username was Rodeomonkey. I remember calling dh and asking him what he was doing on mumsnet and he swore he didn't create a mumsnet identity. It freaked me out at the time, could it be linked ???

[Dawndonnaagain]

Okay,hopefully the fact that a certificate is saying I may not want to be here is to be ignored. I have changed password. HOWEVER I had to do it via password reset because it wouldn't take my old password. Any ideas?

[ouryve]

I had to do the same, Dawn. Presumably it's the same for everyone who had been logged out before they discovered this.

[StillStayingClassySanDiego]

This is really unnerving, I did change my password after that twat was bragging about what he was up to, I might change it again.

Thanks Justine.

[magimedi]

Same for me too - but I never stay logged in to any site. It takes but a moment to type in name & password.

[ThumbWitchesAbroad]

Dawn - I've quite often had the message saying the safety certificate for this site isn't "good" or whatever the actual message is - I tend to ignore it.

Everyone's passwords were reset - so if you were already logged in, you would still be logged in but if you had logged out then your old password wouldn't work, so yes, you needed to do it via password reset - that's pretty much what Justine said they had done.

[ItsAllGoingToBeFine]

I have changed password. HOWEVER I had to do it via password reset because it wouldn't take my old password. Any ideas?

No-ones original password will work, everyone will need to change password via the password reset email. MNHQ has basically wiped everyone's passwords to force them to create a new one.

,hopefully the fact that a certificate is saying I may not want to be here is to be ignored.

If you are getting site certificate errors screenshot it and send to MNHQ, its a very common error, but it could be something sinister. Either way, Tech will need to add to his list. They are usually okay to ignore if you do not enter any data on site like your username or password or credit card details - so in your case I might not ignore

[BertieBotts]

Same Dawn, I think they deactivated all passwords like they did after heartbleed.

[JustineMumsnet]

@Maryz

How has it taken a week to discover this?

Posters were repeatedly reassured that passwords were encrypted and safe, whereas presumably they aren't.

Now it doesn't bother me who knows my password (unless it's my teenagers), but really, this is all a bit too little, too late, isn't it?

[cynical]

Passwords were/ are encrypted Maryz so we can be sure they aren't being accessed from our database and it isn't/wasn't obvious how they he got hold of some. As it's become clear what data the hacker had got hold of we've done tonnes of investigation (which takes time) - and tested a few different hypothesis - and have come up with a possible route for the hacker but we can't know for sure I'm afraid. Nonetheless the security advice we've given re passwords and logins is sensible to bear in mind for any website you're using.

[SusanMichelson]

Well if it was a disgruntled ex you can totally see why she left him.

[Sparklingbrook]

And this is why the sudden influx of quite unfunny male posters lately is being viewed with suspicion.

[LurkingHusband]

Passwords were/ are encrypted Maryz so we can be sure they aren't being accessed from our database

Depends on the encryption scheme, and whether the encryption key was available. Assuming the worst, any attacker could just run a dictionary attack against the encrypted passwords, and look for a match. That could potentially net them 40-50% of passwords easily (probably a lot more, as even s33ml1ngly 0bscu43 passwords can be dictionary generated.

[LurkingHusband]

And this is why the sudden influx of quite unfunny male posters

Is there any other kind ?

[Fiderer]

So if MNHQ wiped all passwords then I didn't forget and can join Justine on the Not Quite Senile bench.

Must say, I did us the Contact Us email (before ItsAllGoingToBeFine helpfully pointed me in the right direction to reset) and got a personalised answer 7 minutes later. Which considering what's going on is pretty impressive.

[Dawndonnaagain]

Thank you folks.

[Castrovalva]

ROFL@ susan

[SusanMichelson]

I was told he had my password in plain text - not by MNHQ but by him.

I changed it then and have obviously changed it again now, but still - does this sound plausible?

[ItsAllGoingToBeFine]

No. He had no access to plaintext passwords, although because he had access to administration functions, he could make it appear that he had.

[Sparklingbrook]

LH the new ones are vvvv unfunny and a bit strange. There are lots of nice, funny male posters who are very normal.

[BoreOfWhabylon]

Justine I reset my password as you instructed and all was well until I went to another open browser window. When I came back to MN I was logged out. Tried to log in with the new password but not accepted. Tried with old one - nada. but The url didn't have the 'secure' https etc.

Aaaaaanyway, eventually I requested another pw reset, changed pw again and am now back - BUT the url when I lgged in was still only mumsnet.com

[LurkingHusband]

There are lots of nice, funny male posters who are very normal.

Normal for humans, or normal for men ?

[JessicaMumsnet]

@SusanMichelson

I've just tried to change my email address, got the confirmation email, clicked on the link, entered my password and it said 'sorry an error has occurred'.

Minor issue I'm sure but if you could.

Hello, can you try resetting your password by entering in the email you've just confirmed? Thank you