Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ! PART TWO

[RebeccaMumsnet]

Hi all,

This thread is about to max out please continue here and we will update with info as an when we have it.

We will get to all emails and reports but it may take some time Huge apologies.

Here is Justine's OP from the previous thread:

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

some points to make...

padlock
a padlock in your URL bar (the bit where you type which website to visit) simply means that there is an SSL certificate in place.
generally green means everything is under SSL
generally yellow means that some content has been pulled in from a non-SSL website (e.g. a graphic) and is not an issue
generally red means there is an issue with the SSL certificate
SSL certificates are all about encrypting the conversation between your computer and the server - it stops someone strange sitting at the next table to you at a cafe grabbing your typing over wifi - it will be encrypted...

It makes no difference to a phishing attack / this situation / keyloggers etc. where what you type is seen directly...

what data has been breached
perhaps surprisingly, probably not much...
I should say that I don't know the MN setup, but I do run a web company building websites :)

• your username and password will give the hacker access to your profile / account.
• they can post as you
• they can upload / remove photos
• they can see your email address
• they can see your PMs

as far as I know that is all - your account doesn't give access to anything else - the MN Admin account will probably let them delete people's posts / delete users / choose which biscuit appears on deleted threads - but I suspect that it is no longer compromised as if I had been the hacker I would have been deleting these threads :)

In reality, the hacker will not have had the time or interest to go through personal accounts reading PMs / or even as Admin to wreak a trail of havoc - the fact that more hasn't happened indicates that the publishing of the data was the goal = embarassment...

so probably there will be little issue for most people and in a few days all will be back to normal!

if you are worried - then it is only a few possible issues:

• your email address (if you use it elsewhere to log in, change the password)
• your PMs - if concerned, delete them.

everything else pretty much is public anyway...

I said last week their communication was atrocious.

I got sworn at and told i was being Hysterical and they were doing the best they could, and to fuck off if i didnt like it.

Funny that...

Am i allowed to say "I told you so" ?

TheQuickBrownFox is on list.

Depends what access they had through yours/MN administration passwords/accounts. Best to assume that anything "in" MN could have been accessed and shared.

Can anyone check for me please?

MonkeyainShoes is in list

HawkEyeTheNoo not on list (awesome username!)

I've only just come on here and seen this,anyone that's read some of my posts might remember that I have brain damage.I could really do with some help please.

Am I on the list and what is the list?
Should I be changing my password/is it safe to log on through facebook?

Personally I think we should support MNHQ. This is a horrendous thing for them to deal with as well as what happened to Justine.

It's difficult to know how to react in such a situation and I'm sure they're doing the best they can.

Mumsnet has been through attacks like this before (remember F4J M&S gate) and it will come through this. But attacking MNHQ is what this nasty piece of work wants. He's caused this not MNHQ.

have to say this is a joke, mn hq should really sort out their security. disgusting that this can happened and it took days for members to be told.\as for the posters who got flamed because they were right, mn hq should apologise to them and so should the flamers.

Thanks altinkum

dont' worry skully i'm still being told to calm down and everything will be fine. not sure if some people get some awesome lobotomy pills from their gps that i'm not aware of

I've posted here some more detail on the technical side of what's happened.

He's caused this not MNHQ.

Poor communication from MNHQ has caused some of the hysteria on this and previous threads.

Ontheholidays noit on list.

The list is if usernames/passwords that has been published on internet. Unclear how these were obtained, possibly via a fake login page.

Should be safe to logon through FB.
Yes, change passwords regularly (is good practice) Especially important if using the same username/password combo for multiple sites.

I would imagine MNHQ are flat out trying to sort this out. I would imagine they are getting appropriate advice, and I'd be surprised if the police haven't been made aware.

The hacker wanted people to panic and de-reg, and he wanted the site shut down. At this stage, MNHQ must be inundated with emails. It might be sensible if only members with a real security risk (in hiding, unusually sensitive job etc) make contact regarding de-regging/any other queries. This might give the really urgent emails some chance of getting through and being dealt with.

All people can really do until this is sorted out is to protect their data as far as possible. Remove postcodes etc from MN profiles and consider changing registration email address. Set up a new email address purely for online sites etc, and set it up to forward to your main email address. Change ALL passwords. Change MN password to something temporary, and expect to have to change it again in due course.

This is an attack on the site, not on individual members. The hacker isn't going to have time to sit down and trawl through people's posting history and try and marry it up with personal details. What's out there is out there. The most important thing now is that MNHQ are given a chance to do whatever they have to do to reduce future risk, and to liaise with the relevant authorities/tech to establish what other data might have been taken.

Balls. Thought I would be. Thanks for checking.

And thanks to it'sallgoingtobefine - "blushes"

Please could someone check to se if I am on the list? What about my other user names?