Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ! PART TWO

[RebeccaMumsnet]

Hi all,

This thread is about to max out please continue here and we will update with info as an when we have it.

We will get to all emails and reports but it may take some time Huge apologies.

Here is Justine's OP from the previous thread:

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

fab wrote
"We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this"

So this is incorrect, as some users are still able to log in with the stolen passwords confused

YES it means it's bollocks and they still don't know what they're talking about and yet are still keeping the site live allowing continued access to people's accounts, posting history, pms etc. is there any legal precident here? are they allowed to stay up when they are insecure?

Oh how boring. Someone's tried to access the email account I linked to my mn id. So I'm changing every single password I have anywhere.

What really pisses me off, is that I'm generally so alert to phishing, and other online scams, but I didn't spot this was a fake.

Anyhow, doesn't matter that I'm on the list, everything has been changed, and not just for MN.

I do get a trickle of spam normally, but it was interesting that I received 2 emails over the last week, supposedly from my friend, that went into spam. She's changed her details now, I let her know as soon as I knew.

From MN Privacy Policy:

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical and electronic procedures to safeguard and secure the information we collect online.

I was locked out of MN last night so changed password, was that the hacker or MN? Also, would a deleted account I use to have be vulnerable?

If the guy is still posting on twitter, can the police not track him via that somehow?

FFS! I've just found this thread after not being online for a week! Thought it odd that I needed to reset my password but reset it to the same again AS I WASNT NOTIFIED BY MUMSNET THAT THEY HAD BEEN HACKED!! So frikkin irresponsible!

I'm out - if they care that little I'm off to Net Mums instead...

001 with an admin account, conceivably they could automate a harvesting process from all accounts.

AuntieDee you are on the list.

I only became aware of this about an hour ago and have been able to log in with my (hacked) username and password until I changed it fifteen minutes ago. I've obviously NC for this.

Yes, posters are adults and have a responsibility to ensure their online information is safe, but a lot of people (me included) use MN on their phones, where the address bar is automatically hidden in order to optimise the screen size. Seeing the discrepancies in the web address wouldn't have been obvious unless you suspected an issue, which leads me on to....

Given the chaos on MN recently (I've been getting logged out repeatedly for several weeks - an issue that MN have been aware of and posting about) having to keep logging in wasn't a surprise and so I merrily entered my password on what now seems to have been a phishing page. I imagine others affected were caught out in the same way.

The sticky threads are great.... but often there's so many that are utterly pointless that I would imagine a great number of people just scroll past them. Can I suggest that in future, any REALLY IMPORTANT ones (such as this) are in a different colour or something, otherwise they just blend into the endless surveys, web chat and AN Other threads.

I agree with the others than MN need to shut down until they get a handle on things.

AuntieDee, MN DID send out an email to everyone, but with so many users, it's taking time. I didn't receive my email until 5am this morning, so you could still get that email.

Re the addresses in PMs - I was given a useful tip, don't know if it will help anybody.

Never put your address in a PM, instead put it on a document in Dropbox, and make the document visible to those who have the link. Then send the link.

It's a bit safer because you can then delete the document, but you don't lose your message trail if you want to keep it. The other person won't have your actual address in their PMs either, only a link which will be broken as soon as the document has been deleted.

This is prob gonna turn out to be a F4J publicity event....

Honey it is perfectly possible that people when changing their passwords simply changed it to the same one. Hence people can login with the details on the list.

this is the thing we do not know how many times the password info has been raided or if they still have a door in.

that's say the list they got the other day - how does anyone know or trust they haven't got ones from today.

what is reckless is people have come to log in not knowing about this, had to change their password and quite possibly changed it to a 'memorable' one (re: in use on other sites) without a clue that they shouldn't. the log in page didn't say 'we have been hacked - please ensure you change your password to a new unused one and please be aware that your old password and email address may have been identified'.

this has been handled appallingly and i cannot believe the site is still up and we are nto hearing from MNHQ when accounts are STILL being accessed by people trying out the info on the list right now.

Can somebody check if im on it ? please

chdmum20 not on list

ta

There are over 3000 names, with ip addresses and passwords including Mumsnet staff/tech etc on the list.
There is a pastebin dump, totally public.

I couldn't find you on it chdmum

Would someone please tell me if I'm on the list?

bobinsky not on list

Thanks ItsAllGoingToBeFine

Could someone check for me please.
I don't post often but have been here years in differing guises and still haven't received an email from HQ to change my password.
Have changed it now though, luckily I thought about the attack and used a completely new one.