
More about the Technical side of the attacks on Mumsnet

720 replies

JustineMumsnet · 19/08/2015 11:17

Hi all,
There have been, understandably, a lot of questions about the tech side of the attack on Mumsnet, so here - courtesy of the tech team - is some more detail. We obviously do have to be a bit careful with the details because we don't want to give away information that could help other hackers. Whilst it's true that "security through obscurity" isn't real security, we have no wish to make it easier for a future attacker.

We've spent a lot of time since the attacks began proactively defending against them, minimising their impact and protecting against future attacks. With a busy site like Mumsnet there is a lot of information to go through. When we uncover a new snippet of information, perhaps a new suspicious user account, we have to go back to the start and reanalyse, so it can be slow going at times. We are working with our technology partners who have a lot of experience of these kinds of attacks and we have used lots of resources available to us.

Some aspects of our technology stack have already been extensively tested by external specialists. Some of our software code is quite old - nearly as old as Mumsnet itself - and things have moved on a lot over that time. However, we have a program of code review whereby all new code is checked by someone other than the person who created it. It's not perfect and everyone makes mistakes, but we take the quality of our code very seriously.

The Denial Of Service (DOS) attack against Mumsnet was a heavy, sustained attack which initially overwhelmed our ability to respond to legitimate requests. Mumsnet might typically get something like 50-100 requests per second. During the attack we were getting around 17,000 requests per second. Each request carried more data than is normal as well.

The hacking attack on our website was separate from the DOS, though we believe perpetrated by the same person or people. We follow many of the industry's best practices, such as using HTTPS for our login pages, keeping our database separate from our cluster of web servers and not accessible from the internet, and so on. We don't necessarily use the same standards of security as say your online banking service might use, for example requiring multiple passwords or using two factor authentication. We try to balance security against usability and the sensitivity of the information we hold. After all, as pointed out by one of you in an earlier thread, the majority of information we have about a user is what that user publishes in Talk, which is there for all to see.

As has been mentioned several times, we keep our passwords encrypted and we use the recommended algorithms for this, with high "strength" settings. This means that if someone somehow obtained the password data from our database they wouldn't be able to make any use of them - they wouldn't work on our site or on any other site even if the user used the same password on that other site. This remains the case even for MNHQ staff; they cannot un-encrypt the passwords either.

We are now pretty confident it was a phishing attack. Phishing, where a hacker gets a user to enter their username and password into a form from which they can capture that information, fits all the data we have. The hacker doesn't need to decrypt anything, because they capture the password in the browser as it is entered (either by typing it, or if it was automatically remembered by the user's browser or password manager). The list of passwords that has been published includes some that users have identified as being ones that they've mistyped. Our database wouldn't have mistyped ones, only accurate ones, whereas those collected by recording what a user submits would and does contain errors.

It's not obvious how it has been conducted though. We have been able to create a proof of concept which shows that it could work, but that relies on some steps that would be difficult or virtually impossible for a hacker. Phishing attacks sometimes use social engineering to "trick" people into using the fake website rather than the real one, but again, for various reasons, we can rule some of these out. Other phishing attacks are more technical and use other means to get people to visit the fake page. One such example is Cross Site Scripting (XSS). XSS is ranked number three on the Open Web Application Security Project's top ten list of web site security problems. If the hacker can get the website to put his own code on pages which are to be viewed by other users, s/he can modify the page to redirect the login process to their own site, to a page which looks just like our login page but is actually recording the details and sending them to the hacker. Also possible, but even less likely, is modifying our login page to submit the details to the hacker as well as to us. If the hacker had gained access to our Content Management System he could have done the former, though not the latter. However, we record all changes that are made and there are no suspicious ones.

It's impossible for us to know how many users' passwords have been collected. It's a reasonable assumption, and our working one, that the passwords of everybody that has logged in since 6th August 2015, and possibly some time before that, have been collected.

In light of the attacks, we've bolstered some aspects of our security, particularly around our administrative functions. We have further changes planned and will be working on these in the coming days.

Forcing everyone to reset their password, as we have done, would render the list useless provided that users don't choose the same new password and they've not used the same username and password elsewhere.

Some users have questioned why certain other changes aren't being made already, such as a move to enforcing stricter passwords, which makes sense. However, given how crucial the part of our system that deals with passwords is, we have to be really cautious when making changes to it so we don't want to rush and end up creating bigger holes but we will certainly take steps to encourage users to strengthen passwords as soon as practicable.

Any questions do post here - we'll answer as transparently as we can - bearing in mind the caveat about helping future hackers mentioned earlier.
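The post above rests on two points: a properly hashed password store yields nothing usable if the database is dumped, and a phishing form captures whatever was typed, typos included. The following example is added here to illustrate both; it is not Mumsnet's code and makes no claim about their actual algorithm or settings (PBKDF2-SHA256 with a 100,000-iteration work factor, the sample usernames and passwords, and the login attempts are all constructed for the example).

```python
import base64
import hashlib
import hmac
import secrets

# Work factor for the slow hash. Assumed value for the example; a "high
# strength" setting makes each offline guess expensive for a thief who
# has stolen the database.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash.

    The record never contains the plaintext; the random per-user salt means
    two users with the same password get different records.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32
    )
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count.

    Comparison is constant-time so timing does not leak how many bytes matched.
    """
    algo, iters, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iters), dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


# Constructed sample data: the real passwords the site would have stored
# (as hashes), and three login attempts, one of them mistyped.
TRUE_PASSWORDS = {"alice": "correct horse", "bob": "pa55word!"}
SAMPLE_ATTEMPTS = [
    ("alice", "correct horse"),  # typed correctly
    ("alice", "correct hrose"),  # mistyped
    ("bob", "pa55word!"),
]


def compare_exposures(attempts, true_passwords):
    """Show what each data source would reveal about the same logins.

    - "phished": a fake login form records every submitted string, so the
      typo appears alongside the correct password.
    - "database": the site holds only hash records, which can verify a login
      but do not contain any plaintext, right or wrong.
    - "login_results": what the real site would have answered per attempt.
    """
    records = {user: hash_password(pw) for user, pw in true_passwords.items()}
    phished = list(attempts)
    login_results = [
        (user, verify_password(typed, records[user])) for user, typed in attempts
    ]
    return {"phished": phished, "database": records, "login_results": login_results}


if __name__ == "__main__":
    result = compare_exposures(SAMPLE_ATTEMPTS, TRUE_PASSWORDS)
    for user, typed in result["phished"]:
        print("phishing form captured:", user, repr(typed))
    for user, record in result["database"].items():
        print("database holds:", user, record)
    print("site login results:", result["login_results"])
```

Run as a script it prints the three captured strings (including the typo), the two hash records, and the verification outcomes; the typo fails verification, which is why a list containing mistyped passwords points to capture at entry rather than a database dump.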

JustineMumsnet · 25/08/2015 22:19

We do have 2-step verification in place for staff mails. ta for thought.

Simurgh · 25/08/2015 22:32

Gin and a sleep, Justine - for all of you, I think. You must all be weary - and probably over-caffeinated.

Cinnamonthecat · 25/08/2015 23:38

hi I accessed the site once it was back up this afternoon (was still logged on from a session a couple of days ago), I then logged out. I just came back on about 10 mins ago and am still logged in - nor have I been asked to reset my password as you state I should be. (I was asked to reset it after the first DoS attack and did so). This is worrying, frankly. And on another note the creatures behind this attack are frankly hateful. Wine and Flowers to all at MNHQ I only realised quite how much I love the site when it was down for so long Grin

musicalendorphins2 · 26/08/2015 04:53

I am de-registering, at least for a while. Not feeling comfortable thanks to the hackers. I don't have any " friends" on mumsnet, but I will miss posting. Will still be reading though. Good luck mumsnet.

TheHoneyBadger · 26/08/2015 06:49

hang on if people are getting fake emails, emails with other usernames etc (re: maybe on that one they forgot to change the user name before sending to next user on list) then they do have access to emails surely?

doesn't that equate to 'reason to believe' there are further breaches?

Roussette · 26/08/2015 06:54

I wasn't on the list. I haven't been asked to reset since the site went down day before yesterday. Should I have been? I haven't had any emails either, only when I reset my password twice back in the beginning. I've done what I can re security and other passwords and I'm not and don't want to be on Twitter.

One thing which helps security for me I think is... I keep everything separate, I have different email addresses for different functions in my life and nothing is linked to FB which I use fairly infrequently and I regularly check my privacy settings on there as I know FB moves the goalposts regularly. Also I don't sync across devices and log out of email accounts and manually log back in when I want to check my inbox.

I have been thinking of one central point for passwords such as some of the apps/programs suggested but I am nervous about it, (one central point to get all my passwords...) plus I believe they autofill password boxes (might be wrong) which I have turned off on Chrome as I don't like that.

00100001 · 26/08/2015 07:29

Why is no-one from HQ commenting on the questions?

  1. were you or were you not made aware of this breach in the middle of July

  2. why, after the previous hack, was security not tightened?

  3. why were admin passwords so very simple?

00100001 · 26/08/2015 07:31

  1. when MNHQ said "We believe the hacker has used a password from the old hack to gain access to another system (external to Mumsnet) on which we store client information" does that mean you didn't change the password on other systems?

Ahrightsoted · 26/08/2015 07:52

I've just received an email from mumsnet saying "I've requested a new password" and click on the link. I haven't and old password is working.
Anyone else had this? Should I ignore?

OhYouBadBadKitten · 26/08/2015 08:35

ignore!!!!

CrumbledFeta · 26/08/2015 08:49

This reply has been deleted

Message withdrawn at poster's request.

TheHoneyBadger · 26/08/2015 08:54

i DO feel sorry for mumsnet, i do attribute the blame on the perpetrator but i am not impressed that there were hacks made in july, moderator accounts accessed back in july and the attacks reported to mnhq back then by tumblr users without us being warned allowing this situation to go forward and for many of us to have our data stolen and published. when we found the pages on which the discussion from the july attacks had taken place and reported to mnhq they said they had become aware of those pages the same day we'd reported them - yet tumblr users (a group offended by the way the hackers had been representing a particular sub-culture on the boards here as part of their trolling whilst using accounts to report posts and use their profile ((once the mod went to it)) to phish the mods powers and access) reported it to mn with links to the site the hackers had been chatting on back in july.

i have not seen mnhq address this - it has been swept away and a few threads on people mostly forgot about it it seems.

in light of this, and ongoing attacks and reassurances that prove false (re: they have no email addresses - well of course they do if they phished from the log in page and many people use their email address to log in) i am not happy about the lack of proper response to people asking about names and addresses stored by mn for prize winners, survey takers etc. saying 'they're stored separately and we change passwords frequently' is not enough. i for one would like any such data deleted and am shocked that it has ever been 'held on file' when there is clearly no need for it to be. can we have it deleted? a yes or no is a sufficient answer to that really - though if it is no i'd like to understand why we don't have the right to ask you to delete info on us that we didn't even knowingly agree to being stored.

also cannot comprehend the ongoing risk of using email - you know people are at risk of phishing using mn format emails with links or asking for info etc. people having to individually ask 'oh is this is dodgy looking email i opened from you or not?' is ridiculous. don't send out newsletters or bulletins or anything by email, inform ALL members you will not be sending email other than password resets (and have them not click a link but go back to the site via google or whatever to do it) and inform everyone not to open mumsnet emails at all unless they have requested a reset and not to follow any links within that email.

you just seem to still be being rather free and easy with our security. if someone gets phished and damaged by an email appearing to be from mn during this time i won't be victim blaming and saying ah well you should have known better than to give info or click a link etc when the situation could have been avoided.

TheHoneyBadger · 26/08/2015 08:56

and i'm sorry! ^^that is so not intended to be personal at nice little names on the screen who i like and make jokes about gin you know? it's to a professional company and its responsibilities - NOT to individual persons who i am trying to attack.

i hope that makes sense.

TheHoneyBadger · 26/08/2015 09:03

this is kind of what is 'awkward' about the situation. the management and owners of this place can seem like 'friends' and also have potentially quite intimate knowledge of us from our posting AND the power to ban us and cut us off from a source of community and support.

that makes complaining feel very awkward indeed.

i hope mnhq can take complaints about the handling of this situation and dissatisfaction of site users professionally as it were rather than personally. we have some weird boundary issues going on that wouldn't happen between a user of and an owner of say amazon or tescos Grin

magimedi · 26/08/2015 09:32

Very well said, HoneyBadger - especially your last post.

OhYouBadBadKitten · 26/08/2015 09:47

agreed honeybadger.

OytheBumbler · 26/08/2015 10:08

I wonder why the 'list' didn't show a mixture of emails and user names if phished from the login page?

I wasn't on the list but under my previous name always logged in using my email address.

Also well said HoneyBadger.

tigerscameatnight · 26/08/2015 10:19

Oythebumbler possibly because email addresses are more valuable to hackers. A user name and password that is changed is meh.
Emails and passwords that could have been used on more valuable account...

tigerscameatnight · 26/08/2015 10:26

I'm with Honeybadger too. Any site can be hacked but to have such stupid passwords is a blatant disregard of security of users.
Given many posters on here are victims of DV , family abuse and on going issues it's all a bit shit.

On a system with changing passwords is not reassuring when the passwords of admin were so crap. Presumably the partner emails published were also held elsewhere?

I actually want to know if Mumsnet are holding our addresses after product tests are finished?

Simurgh · 26/08/2015 10:44

I agree TheHoneyBadger - although to a degree, I think it cuts both ways eg I very much doubt if we would have received any degree of openness whatsoever from Amazon and Tesco's - who are probably under attack most/all of the time. (So much more kudos in impacting on a Big Bertha like Amazon, I suspect.)

I'm hoping that Mumsnet have learned the appropriate lessons from all of this and I would welcome an official statement from them on that issue - and also addressing the issues which you raised on boundaries and professional responsibility.

OytheBumbler · 26/08/2015 11:09

Does that mean that the hackers will have all the email addresses of those who logged in through email?

Hopefully they'll be useless if people have different pw's for their email account but suggests they went through the list cutting the email addresses out. Confused

Garrick · 26/08/2015 11:21

I dunno. Ebay has been sending me emails addressed to other members, sometimes including their purchase details, for three years now. The other members have names similar to mine. I sporadically complained, thinking they ought to know about this data retrieval glitch, but kept getting formula replies saying "We are sorry we have been sending you emails intended for other users" but nothing changed Angry

As a data bore, this pisses me off and - as I kept highlighting to them - is worrying because a system that makes this kind of error is wide open to exploitation.

Nothing changed, so now I filter those emails out and have carried on using ebay (with frequent password changes, just in case.) But it's a typical example of how data mismanagement is utterly rife around the Web. Mumsnet's being far more professional & transparent than most. I feel they should be praised for this, not constantly taken to task for imperfection.

aginghippy · 26/08/2015 11:36

Why are MN storing the details of prize winners, survey takers, etc? Surely this is a data protection issue. Personal data should not be kept for longer than necessary and should only be used for the stated purpose.

If I give my personal information for, say, a book giveaway, I don't expect it to be kept for much longer than it takes to send the book.

Does MN have a data protection policy, retention schedule or anything like that?

tigerscameatnight · 26/08/2015 11:43

We haven't had a clear answer that they are aging. Just told address for product tests and insight panel are held elsewhere and passwords regularly changed.

Simurgh · 26/08/2015 12:02

And as you will know, Garrick, ebay were exploited to the extent that they had to require a password change for all users. (In addition to the casual technical exploitation that has been going on for many years.)