
Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ! PART TWO

999 replies

RebeccaMumsnet · 19/08/2015 07:31

Hi all,

This thread is about to max out; please continue here and we will update with info as and when we have it.

We will get to all emails and reports but it may take some time. Huge apologies.

Here is Justine's OP from the previous thread:

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' accounts and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

Cacan · 19/08/2015 11:21

yes change password

Cacan · 19/08/2015 11:23

I don't have any details on reg form. You don't have to.

SarahMumsnet · 19/08/2015 11:23

Hey everyone,

Sorry we've been slow to respond on this thread - it's a bit crazy over here. OliviaMumsnet is going to go through now and answer everything we're able to. Thanks again for your patience and support - we're very aware how stressful and alarming this has been. I can promise that we're working as hard as possible behind the scenes to sort things out, which is why our responses haven't been as fast as they might have been.

Apologies and thanks again
Flowers

shopafrolic · 19/08/2015 11:24

Someone has just told me that I am on a list that has been published on Twitter? I haven't scrolled back through all of this thread but can anyone confirm if this is the case and what I should do? Don't want to inundate MNHQ unnecessarily......

akkakk · 19/08/2015 11:26

whoa...

mumsnet fault or not
I hate to say this, but not totally.

Anyone can set up a phishing site - I could set one up in the next 20 minutes... there are a number of available domains where there is an additional / changed letter from mumsnet.com - would you notice immediately if logging into mumsneet.com?!

One question is how were people sent to the phishing website? If a hack to the mumsnet website then yes, they should take responsibility, but if perhaps an email appearing to be from mumsnet, then it would catch out a lot of people...

We all need to take responsibility:

  • mumsnet that their site is as secure as possible
  • each of us that we are logging into the correct URL - the URL you are logging into will show at the top...
  • each of us that we run software to protect against phishing
  • each of us that we don't use passwords / usernames / email addresses across lots of websites
  • each of us that we protect important stuff as much as possible
  • each of us that we don't over-share online - it might be made available to others...

ultimately most of these attacks succeed because of user innocence / naivety / poor security - rarely an issue with the underlying website (though that can happen)

this is not an attack which got usernames and passwords from MN - it got them directly from users giving them to the hacker :)

sorry if that is tough language, but let's give MN a chance to sort this out - I am sure they will be putting in new approaches...

meanwhile, it never harms to self-evaluate your own presence online... and its security
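Justine's advice in the OP (check that the login page is www.mumsnet.com/session/login and that it is served over https) and akkakk's point that a lookalike domain can differ from mumsnet.com by a single added or changed letter can both be turned into a mechanical check. The Python below is an added example written for this thread, not Mumsnet's own code; the expected host and path are the ones named in the OP, and the sample URLs are constructed to show the cases the check flags: plain http, a one-letter lookalike host, the genuine hostname embedded at the front of a longer domain, and user-info before an @ that makes a different host look like the real one.

```python
"""Added example (not Mumsnet's code): decide whether a login-page URL is the
genuine one before a password is typed into it, and flag lookalike hosts."""
from urllib.parse import urlsplit

# The genuine login URL as given in the OP of this thread.
EXPECTED_HOST = "www.mumsnet.com"
EXPECTED_PATH = "/session/login"
# A host within this many single-character edits of the real one is treated
# as a probable typosquat (e.g. "mumsneet.com", as akkakk describes).
LOOKALIKE_MAX_DISTANCE = 2


def levenshtein(a, b):
    """Edit distance between two strings: the number of single-character
    insertions, deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_login_url(url):
    """Return a list of problem codes for the URL; an empty list means it is
    exactly the expected https login page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    problems = []
    # 1. Credentials must only go over TLS (the OP's "check it reads https").
    if parts.scheme != "https":
        problems.append("not-https")
    # 2. "https://www.mumsnet.com@other.example/" puts the real host after
    #    the @; the part before it is user-info, not the site.
    if parts.username is not None:
        problems.append("userinfo-before-host")
    # 3. The host must match exactly; near misses are called out separately.
    if host != EXPECTED_HOST:
        problems.append("wrong-host")
        if levenshtein(host, EXPECTED_HOST) <= LOOKALIKE_MAX_DISTANCE:
            problems.append("lookalike-host")
        elif host.startswith(EXPECTED_HOST + "."):
            # "www.mumsnet.com.something.example": the real name is only a
            # prefix; the registrable domain is whatever comes last.
            problems.append("expected-host-embedded")
    # 4. Same host but a different page is still not the known login form.
    if parts.path != EXPECTED_PATH:
        problems.append("wrong-path")
    return problems


# Constructed sample URLs for this example (the ".example" hosts are
# reserved names, not real sites).
SAMPLE_URLS = [
    "https://www.mumsnet.com/session/login",
    "http://www.mumsnet.com/session/login",
    "https://www.mumsneet.com/session/login",
    "https://www.mumsnet.com.login-check.example/session/login",
    "https://www.mumsnet.com@login-check.example/session/login",
]


def run_samples():
    """Map each sample URL to the problems found with it."""
    return {url: check_login_url(url) for url in SAMPLE_URLS}


if __name__ == "__main__":
    for url, problems in run_samples().items():
        verdict = ("OK to log in" if not problems
                   else "DO NOT enter a password: " + ", ".join(problems))
        print(f"{url}\n    {verdict}")
```

The exact-host comparison is the part that matters; the edit-distance and prefix checks only add a more specific reason so that a user (or a browser extension built on the same idea) can tell "you typed one letter wrong" apart from "this is a different site altogether". Note that the check is deliberately strict about the path as well: a login form on an unexpected page of the real site is still not the known one.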

akkakk · 19/08/2015 11:27

shopafrolic - yes you are - with IP and password

ItsAllGoingToBeFine · 19/08/2015 11:27

Shopafrolic the list has your username and password (a celebration) . Change password for this site, and any other site where you used same username and password.

BeauticianNotMagician81 · 19/08/2015 11:27

How do we see the list? Could someone check for me please

LittleBearPad · 19/08/2015 11:27

Change your password Shop and make sure it is unique to MN.

Change any other passwords on websites that you use the same password for.

akkakk · 19/08/2015 11:27

the full list of just usernames is on here:
www.mumsnet.com/Talk/_chat/2451977-Am-I-on-the-list

thequickbrownfox · 19/08/2015 11:27

ItsAllGoingToBeFine thanks.

Thanks also to MNHQ, what a nightmare for you all.

Just remember there's only a limp dicked loner at the other end of all this fuss!

Changed passwords here and elsewhere so everything different now.

slkk · 19/08/2015 11:27

Please could someone check if I'm on the list. Thanks

Oswin · 19/08/2015 11:28

Can someone check if I'm on the list please. I've just noticed this, I've been busy, just changed passwords. Luckily I only use this email for Mumsnet.
I logged on to that email today and all my emails have disappeared Confused.

ItsAllGoingToBeFine · 19/08/2015 11:28

slkk not on list

TheOnlyOliviaMumsnet · 19/08/2015 11:28

@TheHoneyBadger

when you win a competition and need stuff sending you give mn your address - where are those stored?

These are stored separately and are not linked to your user details.

Also very few MNHQ staff have access to the user details - twas ever thus to keep security as tight as possible.

reallybadday · 19/08/2015 11:29

Am I on the list, please? I cannot log in on desktop but was still logged in on mobile. When I try to log in I get Oops! We encountered an error

Toooldtobearsed · 19/08/2015 11:29

I admit I thought everyone was getting their knickers in a twist over nothing when this first began because I believed MNHQ when they said that there was no access to passwords.
Now, currently living in the shitstorm caused by having my email address bombarded with 10000's of mails, my sense of humour has gone.
It has really brought home to me how some MN users are so vulnerable - with access to your name, email address, postcode (at the very least) and potentially full address, those in difficult situations have been crapped on from a great height.

I have sympathy for MN, great sympathy. BUT, the second they got a sniff of a hack, all, and I mean ALL users should have been barred from posting on the site via a forced password reset. Waiting to see what happened was a huge mistake. In the time between the first hack and the forced reset, that arsehole had all the time in the world to grab more info.

I have also always defended MNHQ regarding communication - but this is simply not good enough. We need one person, only one to pop on every hour or so with the latest info - even if there is nothing really to say.
At the moment, it feels a bit like the Marie Celeste - where is everyone?

Some sterling MNers are doing MNHQ's jobs for them.

I disagreed with Maryz yesterday, I thought she was being curmudgeonly. I don't now - and apologies to Maryz for ever thinking she could be wrong!

I have created a new email account, then created a new MN account, so this one will go poof soon when I dereg.

I have not given my real name, postcode or any other details. I can live without the newsletters and other junk mails. I will feel a bit safer, but will always be mindful of this incident in the future and will not be making any pm's containing any personal information.

Such a shame.

Back to deleting the next 300 spam emails - it has slowed down to a trickle now, so the end is in sight. Strangely, amongst all the crap, I have not had one from MN regarding the password change......

ThisNameIsBetterThanMyRealOne · 19/08/2015 11:29

I am pretty fucking pissed off with this tbh.

I had no idea about any of this until I tried to log on a couple of hours ago and could not. I managed to find the 'Am I on the list' thread before being directed to this thread from there.

WHY HAS THERE BEEN NO EMAIL SENT OUT TO EVERYONE? WHY HAS THE SITE NOT BEEN SHUT DOWN?

The way this has been handled is disgraceful. I have spent the last 2 hours changing passwords and emails for different things and now I am back on here I've just had to delete every fricken private message due to having quite a few Mumsnetters' full names and addresses (think big scale due to setting up the Christmas gift thread).

Please tell me how to de reg?

ItsAllGoingToBeFine · 19/08/2015 11:29

reallybadday not on list

TheHoneyBadger · 19/08/2015 11:30

akkakk - they have published the details of deceased users allegedly and others have said that they have had their old email addresses/log ins that they haven't used for years published.

how would that come from the users and phishing?

the phishing scam is nothing more than a working theory, or as someone else put it - a guess. it's one that doesn't fit the facts now either.

iamaboveandBeyond · 19/08/2015 11:30

I know it's what arseface wants, for people to get annoyed, but I just wish MNHQ would update Facebook and Twitter saying that data has been accessed, so people who aren't on the site this morning can know about it. (Still no sign of my email either)

The fact that it is contained to the sticky threads makes it look like they are trying to prevent advertisers finding out tbh

ItsAllGoingToBeFine · 19/08/2015 11:31

reallybadday sorry

Higheredserf · 19/08/2015 11:31

This reply has been deleted

Message withdrawn at poster's request.

reallybadday · 19/08/2015 11:31

Thank you so much for checking for me Flowers

LondonHuffyPuffy · 19/08/2015 11:31

I found the list and am on it under this name. I will double check my search history at home but I am pretty sure I did not try to log in to MN via a phishing page Hmm

Have changed my PW again, just to be sure.
