
Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ!

999 replies

JustineMumsnet · 18/08/2015 15:37

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' accounts and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

Pipbin · 18/08/2015 18:33

Thank you for posting Bear. I'm not surprised that you cried.
He threatened me on Twitter too and told me that I should watch out or I would be next.
I think the attack on Bear came as a result of him tracking her via Twitter rather than Mumsnet. Twitter encourages you to use your real name. With that and a little digging it isn't hard to find someone's detail. I had someone be disgustingly personally insulting to me on Twitter once. She had her real name on her profile. Within 20 minutes I knew everything about her, down to her phone number and her children's teachers. I did nothing with that of course, I have no idea what I was thinking I would do with the information but I was so cross that someone thought they could hide behind their Twitter name.

Anyway, I think that it was the right choice not to come on here and post about the Swatting there and then, as that is how Jeffrey would have got his jollies.
He personally was nowhere near Justine or Bear, he couldn't see what was happening, so the only way he could 'enjoy' the fallout was from watching the posts on here. By not posting they didn't play up to his pathetic games.

He didn't get either Bear or Justine's addresses from MN he got them from a little digging.

Blistory · 18/08/2015 18:34

Sorry you experienced that Bearfrills

I have no issue with how MNHQ responded. I think it's proportionate to the nature of the site and the risk. It's an internet forum and the main risk to a poster's security is what they post online, not in the data collected by MN, which is pretty minimal compared to many sites.

I think MNHQ have made it pretty clear over the years that posters have a responsibility to ensure that they keep themselves safe online and I'm happy that their priority was dealing with a poster who had genuinely been compromised in RL and dealing with an ongoing police investigation.

What this incident does highlight is how seriously invested some groups are in ensuring that women don't have a voice online and the lengths that they will go to silence them. That worries me much more and suggests to me that what we see on the public part of the site is a fraction of what MNHQ are dealing with behind the scenes.

LoloKazolo · 18/08/2015 18:35

Even without spaces, it's a big improvement. And yy MmeLindor password reuse is the biggest vulnerability - you're so right. Especially using the same password on your email as on any other site. Once they've got your email they've got your life.

Oh lookit hahah xkcd.com/792/

ItsAllGoingToBeFine · 18/08/2015 18:35

password strength checker

If I was being paranoid I'd be worried that site was checking cookies to see which site I came from, and storing that along with the password I've just handily given it...

CaveMum · 18/08/2015 18:35

It's probably completely unrelated but late last week my email account was compromised. Several people contacted me to say they'd received a spam email sent from my account. I'm very hot on keeping my antivirus up to date, never click on dodgy links/sites so I don't know how it happened.

Like I said, it could be totally unrelated but I thought might be worth mentioning in case it has happened to anyone else in the last week or so.

Maryz · 18/08/2015 18:37

This reply has been deleted

Message withdrawn at poster's request.

MmeLindor · 18/08/2015 18:38

Lolo
I know someone whose laptop and iPad were stolen from a car. They accessed email addresses, changed the passwords, and then were able to change passwords for a range of sites (via password resets). It was a nightmare.

I can't stand the 'answer these questions' password resets but they would have helped in this case.

You can find out a lot about a person from their Twitter account, especially if they use their real name.

Pipbin · 18/08/2015 18:39

DH was handcuffed and taken away until they realised he was no longer a suspect

Sweet baby Jesus and all the angels!!!
That is fucking dreadful!

I do hope you have put up a poster outside your house explaining what happened to stop all the gossip Grin

Maryz · 18/08/2015 18:39

This reply has been deleted

Message withdrawn at poster's request.

hobnobsaremyfavourite · 18/08/2015 18:39

How sure can you be it was only 11 users?
One of my posts was removed at the weekend, apparently at my request, when in fact I had requested no such thing.
How sure can I be that I haven't been hacked?
Should I believe MNHQ even if they say I haven't?

Maryz · 18/08/2015 18:43

This reply has been deleted

Message withdrawn at poster's request.

WalfordEast · 18/08/2015 18:44

Has anyone had to reset their password today?! Tried to log in and it said it was invalid, so sent a reset request and I've changed it, but now I'm concerned my email is going to be compromised?!

TheyGotTheMustardOut · 18/08/2015 18:45

We did need to know about the DDOS
We did, as it happened

We did need to know about the administration functions being compromised.
We did, as it happened

We did need to know about the (few) user accounts being compromised.
We do now that they have done their investigation

We did need to know about the potential phishing.
We do now that they have done their investigation

I think MNHQ has been communicating well on this but I do echo the calls for them to beef up their security as well as requiring complex passwords.

LoloKazolo · 18/08/2015 18:45

Yes, amazing that people don't have passwords on their laptops. I am required by work to have an automatic password screen lock on my laptop because I have some hefty commit privs, so I sort of forget that people don't even do that much. But I can relate. DH has the ironkey system but I can't be arsed. I'm sure I'll regret that someday.

I have been hacked and I have been doxxed and it is awful, and that wasn't anything close to being swatted. Flowers and Wine to Justine and Bear!

Pipbin · 18/08/2015 18:46

Have you read the thread Watford?
Everyone's passwords have been reset.

Sleepyfergus · 18/08/2015 18:47

I've not read all the thread, but all sounds hellish.

However, I've not been able to login since this morning and had no idea why. A message via email to users or a notification on FB would have been handy to know that we had to reset passwords. I believe that something was done on twitter though.

CoogerAndDark · 18/08/2015 18:47

Would MNHQ consider encrypting other info in the future? I've never really seen the point of having it there on your Account page.

Deeznutz · 18/08/2015 18:47

I actually think this whole situation has been handled well. It is likely that in the case of the swatting they were advised not to release any information due to compromising a criminal investigation.

How frightening it must have been. Flowers

Let's hope this is the last of it and they are prosecuted.

YonicScrewdriver · 18/08/2015 18:48

I would assume if they had told people to change passwords during the attack then the attacker might get the new password.

Good post Blistory.

Maryz · 18/08/2015 18:50

This reply has been deleted

Message withdrawn at poster's request.

HelloNewman · 18/08/2015 18:50

I was away and it was only the email I got from MNHQ that alerted me to the fact that my account had been hacked and messages not posted by me were on the site. It's very disconcerting.

I have changed my password and I'm going to name change shortly.

exLtEveDallas · 18/08/2015 18:51

I found an MOD laptop on a train once (which is ironic because I worked for the MOD at the time)

It was a 'secret' laptop, one you have to sign your life away to get. The idiot it belonged to had left a piece of paper with his log in and password inside it.

I amused myself for a short period of time sending messages to his boss - who I then met for coffee and gave the laptop back to.

Luckily my security vetting was as high as his, or I really could have had some fun.

WalfordEast · 18/08/2015 18:51

If you are registered on the electoral roll, it's easy for people to find your personal info.

There is a UK based website called 192 People, and if someone is willing to pay and has your name and general location, they can get your address.

cozietoesie · 18/08/2015 18:52

password strength checker

Just to let you know that my security refused to open that link. It could well have been being over-protective (it sometimes is), but in the current climate...

Whattocallme · 18/08/2015 18:52

Ahem

Still can't change password
