Active discussions

Meet the Other Phone. Protection built in.

Meet the Other Phone.
Protection built in.

Buy now

Please or to access all these features

Talk

Back to thread
MNHQ

Site attacks, hackergate and resetting passwords - here's what we know, what we're doing about it and what we think you should do. PLEASE READ! PART TWO

41 replies

RebeccaMumsnet · 19/08/2015 07:31

Hi all,

This thread is about to max out please continue here and we will update with info as an when we have it.

We will get to all emails and reports but it may take some time Huge apologies.

Here is Justine's OP from the previous thread:

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

Go to post
MNHQ

RebeccaMumsnet · 19/08/2015 07:51

@Minionoftruth

I too think they probably have everyone.

How long did they have control for

Hi Minionoftruth,

We believe at this time that the info they have is from phishing (see Justine's OP) rather than from access to the database.

MNHQ

RebeccaMumsnet · 19/08/2015 07:54

@Altinkum

Rebecca, can you let people know about de-reg please, I've emailed last week about it and many others want to do this, could someone let members know please.

Hi Altinkum,

We are currently ploughing through all of the emails, reports and de-reg requests, you will get an reply as soon as we get to your request. Apologies, but this may take some time.

MNHQ

RebeccaMumsnet · 19/08/2015 07:57

We will be mailing everyone who was on the list. We are pulling together a full list as we speak.

MNHQ

RebeccaMumsnet · 19/08/2015 08:11

@Mutt

Trouble is even if only your IP address, username and old password is on the list, until we were alerted and told to change our password they will have had access to all other info held in your MN account because they could in effect log in as us.

So they could see not only everything held in your profile (in my case my full name, email address and first part of my postcode which I had forgotten were even on there) but also any information held in any PMs sent or received to/from other MNers.

No wonder everyone is feeling vulnerable.

Hi Mutt,

We have forced a password reset so no one could log in and all MNetters will need to change their passwords.

MNHQ

RebeccaMumsnet · 19/08/2015 09:36

Hi,

All of those who have had the biscuit page when trying to dereg, we HAVE had your request. The page that is broken is the one that says 'Thanks for your request' Apologies.

We will be deregging you as the day goes on and will be mailing you to confirm that this is done.

MNHQ

JustineMumsnet · 19/08/2015 11:19

I've posted here some more detail on the technical side of what's happened.

MNHQ

SarahMumsnet · 19/08/2015 11:23

Hey everyone,

Sorry we've been slow to respond on this thread - it's a bit crazy over here. OliviaMumsnet is going to go through now and answer everything we're able to. Thanks again for your patience and support - we're very aware how stressful and alarming this has been. I can promise that we're working as hard as possible behind the scenes to sort things out, which is why our responses haven't been as fast as they might have been.

Apologies and thanks again
Flowers

MNHQ

TheOnlyOliviaMumsnet · 19/08/2015 11:28

@TheHoneyBadger

when you win a competition and need stuff sending you give mn your address - where are those stored?

These are stored separately and are not linked to your user details.

Also very few MNHQ staff have access to the user details - twas ever thus to keep security as tight as possible.

MNHQ

SarahMumsnet · 19/08/2015 11:37

@Toooldtobearsed

I have also always defended MNHQ regarding communication - but this is simply not good enough. We need one person, only one to pop on every hour or so with the latest info - even if there is nothing really to say.
At the moment, it feels a bit like the Marie Celeste - where is everyone?

You're right and we're sorry - it really has been crazy this morning. Olivia's on the thread now, there's a separate thread talking about the tech side of things here - please read if you've questions about that side of things. And I have a few general responses to common queries from tech which I'll post now.

MNHQ

JessicaMumsnet · 19/08/2015 11:54

There have been lots of tech questions which we'll try to answer individually but for now here are some general responses which cover some frequently asked questions

The emails about the password reset are still going out. It takes a while to send out the hundreds of thousands of mails and we're sorry we haven't been able to speed that process up.

If a user sets the same password again, the same as the one on the list, then yes someone can use it. We're working on something right now to prevent this, we'll also be introducing more forced complexity as part of that.

Everyone who has logged in recent weeks should assume their username (or email address if that's what they use to login) and password is on a list, even if not visible on the published one.

Only the login page is HTTPS. The important point is that when logging in the name should be www.mumsnet.com. Note, some browsers only show mumsnet.com which is also fine.

MNHQ

JessicaMumsnet · 19/08/2015 12:16

@Altinkum

MN, I've asked about de-reg and a few questions, about it, I then got a reply automatic reply asking if I am human Grin

Am I on the list to get answers?, no big deal in the grand scheme of things. Its just I've waited over a week to get these answers. I just do not want to add to your emails again.

Hi,
We're working this the emails we've had - there are a lot as you may imagine so it's taking us a while but we will get back to you as soon as we can.

MNHQ

SarahMumsnet · 19/08/2015 12:27

@SirChenjin

As if by magic I have just received an email advising me of the fact that I am on the list - several hours after another poster notified me by PM.

Really pissed off - that delay is not on.

Sincere apologies for the delay SirChenjin: this thread and MNers have definitely outpaced our email. We needed to pull together a list of everyone on the hacker's list's email addresses. We've mailed everyone whose password was posted now.

MNHQ

SarahMumsnet · 19/08/2015 12:35

@twirlypoo

sarahMumsnet I haven't received an email except in answer to a report I made about dedsecs post - I'm on the list though. I know you are snowed under, but I would appreciate a message if you get chance please

Hey twirlypoo - the mails have gone out, so it should be with you soon. Really sorry it isn't there yet; everything's a bit sluggish due to the volume of of mails we're sending. I'll speak to tech to see if there's anything they can do to speed things up.

MNHQ

SarahMumsnet · 19/08/2015 12:37

twirlypoo could you PM me your email address? We can check at this end for you.

MNHQ

SarahMumsnet · 19/08/2015 12:48

@Annimousey

Can someone please check if I'm on the list, please?

I thought something was amiss when I tried to sign in last night and the website said that my password was wrong so I changed it, but I've just changed it again making sure that I was on the correct https page.

:/

Hi Annimousey, I've had a look, and you're not there under this username, but let me know if there's another username I can check for you? Alternatively, you can look on DadSec's website (which I appreciate you may not wish to do). If you do Ctrl-F, you can search the list for any other MN nicknames you use.

MNHQ

SarahMumsnet · 19/08/2015 12:57

@SirChenjin

SarahMumsnet - thankfully other posters have outposted you, but why?? This has been going on for some time - apologies if you've already explained, but why on earth did you not send an automatic password reset as soon as it all kicked off?

Because the attack came in two stages. We keep our passwords encrypted and use the recommended algorithms with high "strength" settings, which means that if someone somehow obtained the password data from our database, they still wouldn't be able to make any use of them - they wouldn't work on our site or on any other site, even if the user used the same password on that other site. So last week, when the DDoS attack and the initial hacking took place, we were confident that passwords were secure. There was no evidence until Sunday that anyone had been compromised, and it was only on mon/tues that it became obvious there was more than a very small handful of cases. As soon as we thought we might be victims of a phishing attack we enforced a reset.

MNHQ

SarahMumsnet · 19/08/2015 12:58

@DoreenLethal

Dadsec has hacked the Civil Service World twitter account as well, by the way. Just in case you are in touch with the police MNHQ and didn't know about it...

Thanks loads Doreen - not sure if this is known so will pass on

MNHQ

SarahMumsnet · 19/08/2015 13:00

@ZylaB

Someone said I'm on the list, can I get a pm with the password that it showed please? I'd changed it when the idiot started stuff and I want to know which one was revealed. Thanks

I'll do this now, ZylaB

MNHQ

SarahMumsnet · 19/08/2015 13:01

@CantSee4Looking

sarah - i have a email from HQ asking me to confirm something. Am i to assume that the link contained is safe or is it best to email and ignore link atm. It was just to confirm a change I made. Will it have an expiry date on it which will cause me issues?

Btw - the new message saying to check the url is up and showing when I logged and and logged back in again.

I'm going to check this with tech now CantSee4Looking - gimme two secs

MNHQ

SarahMumsnet · 19/08/2015 13:08

@SirChenjin

But it's Wednesday afternoon now Sarah! if it became clear on Mon/Tues you've had 24/48 hours in which to act to protect the security of your members Confused

Hey there - we spent Monday/early Tuesday investigating and establishing the theory of a phishing attack, and as soon as we felt reasonably confident that had taken place (i.e. yesterday afternoon), we forced the reset on the possibility that passwords had been compromised. This was preemptive: it wasn't until after the reset had occurred that the hacker posted the list of passwords and usernames online. As far as we can tell, the passwords he posted were from prior to the reset, so we hope and believe that all passwords that have been changed since the reset are secure now. We moved as quickly as we could as soon as new information became available to us.

MNHQ

SarahMumsnet · 19/08/2015 13:12

@FuckOffJeffrey

I still haven't received the password reset email. I obviously have changed my password anyway but still no email from mumsnet.

Sorry again FuckOffJeffrey - there are a huge number of email addresses to send the mail to. They are all going out, it's just taking a long time. On a personal note, I was glad to be able to type out your username.

MNHQ

SarahMumsnet · 19/08/2015 13:17

@quietasamouse

Sarah do you know when he stopped collecting passwords?

I'm afraid we say definitively yet,quietasamouse, but rest assured tech are looking into it.

MNHQ

SarahMumsnet · 19/08/2015 13:19

@Cacan

* * SaraMumsnet the problem started a week ago when users informed you they were having problems with logging in and being logged out. MN said it was a techie problem.

There were separate technical issues at that point, Cacan - it's possible the phishing happened then too, but from our pov, because we had no suspicion that this was going on, we assumed that our own technical issues were the explanation.

MNHQ

SarahMumsnet · 19/08/2015 13:20

Apols for slightly brusque/brisk replies btw - trying to answer as many people as possible Flowers

MNHQ

SarahMumsnet · 19/08/2015 13:21

@WhirlyTwos

I'm confused. I checked, and I was on the list. With a password of a couple of weeks age, approx I think.

But if this was a "phishing" event, would my browsing history not show a url that I do not recognise and have not intentionally visited? I cannot find such a url, and I have gone back to 1st August.

I'm going to pass this one on to tech, WhirlyTwos - thanks for posting.

Watch this thread for updates

Tap "Watch" to get all the latest updates