Active discussions

Meet the Other Phone. Only the apps you allow.

Meet the Other Phone.
Only the apps you allow.

Buy now

Please or to access all these features

Talk

Back to thread
MNHQ

Hackergate thread part three - PLEASE read

56 replies

TheOnlyOliviaMumsnet · 19/08/2015 12:10

Hi all,

This thread is about to max out please continue here and we will update with info as an when we have it.

We will get to all emails and reports but it may take some time Huge apologies.

Here is Justine's OP from the previous thread:

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

Go to post
MNHQ

TheOnlyOliviaMumsnet · 19/08/2015 14:02

@Maryz

I'm sure you will all be delighted to know or maybe not that after being locked out since last night I'm now back Grin

Glad this is sorted - rest assured the lock out was nOT deliberate.

MNHQ

SarahMumsnet · 19/08/2015 14:25

@ExitPursuedByABear

I am sure this has been already asked several times but

WHY?

Why would someone do that? What were they hoping to gain?

Twats

That we don't know, Exit. There's a suggestion in some places online (places you really don't want to visit, trust me) that it's down to MN's reputation as a safe space for women/website with a feminist bent, but the hacker himself hasn't explicitly confirmed that AFAIK.

MNHQ

JustineMumsnet · 19/08/2015 14:33

@Maryz

I'm sure you will all be delighted to know or maybe not that after being locked out since last night I'm now back Grin

No idea wtf is happening, do I need to read 3,000 posts to find out?

You've got mail - just sent you an email - would you mind checking? thanks

MNHQ

SarahMumsnet · 19/08/2015 14:34

Hey everyone - just catching up with this thread now, and will answer qs as quickly as I;m able. For those asking why we haven't taken the site down, Justine has responded on the thread going into technical detail, which is over here.

MNHQ

SarahMumsnet · 19/08/2015 14:41

@SoleBizzzz

How do I find out if I was on the list as SoleBizzzz or SoleSource, please?

Neither that I can see, SoleBizzzz

MNHQ

SarahMumsnet · 19/08/2015 14:42

@Fugghetaboutit

How did he get Justine's and the other members addresses?! I hope you're both ok how disturbing.

What an arsehole twat to do. Women are an easy target for him I guess, fucking coward.

We think via Google, Fugghetaboutit - both very easy to find

MNHQ

SarahMumsnet · 19/08/2015 14:44

@fearisdarkness

Hi Christine, thank you for replying to me as feel quite suicidal right now

I understand my posts are public all the time but they are anonymous

otherwise I would NEVER have confided my deepest troubles desperately seeking advice and help

If there is a list with my nickname combined with my email address (identifying me) then my posts on the public forum are no longer anonymous but linked to my identity.

We're so sorry this has caused you such distress, fearisdarkness, and entirely understand - it's absolutely horrible. I've checked the list and your name's not on it, though we can't guarantee that that means the hacker doesn't have it. Please email [email protected] if you'd like to dereg?

MNHQ

JessicaMumsnet · 19/08/2015 14:49

@MadrigalElectromotive

WHAT ABOUT THE CENSUS DATA?

Just reposting again because I want to know about this too.

We do not keep census data in our Mumsnet database. It is processed, anonymised and disposed of securely outside of our databases and site administration. We have no evidence this has been accessed at all. It is an entirely separate system.

MNHQ

JessicaMumsnet · 19/08/2015 14:55

@MagpieCursedTea

I know it's probably low down on the priority list, but is it just me that the new app isn't working for or has it just been switched off (or whatever the technical term is) whilst we all go to the Winchester and wait for this to blow over?

Hello, yes sorry our API is down - we will fix it but it's not our highest priority - all our tech resources are focused on the task in hand. Thanks for flagging though!

MNHQ

JustineMumsnet · 19/08/2015 14:56

@UnsolvedMystery

If this was purely a phishing attack, why were 22 mumsnet staff accounts also on the list?

Well, assuming it is, they also were phished when loging in. Admins have to login too.

MNHQ

SarahMumsnet · 19/08/2015 15:00

@UnsolvedMystery

If this was purely a phishing attack, why were 22 mumsnet staff accounts also on the list?

I just returned from mat leave, UnsolvedMystery, so know for certain I logged back onto the site in my official guise (and my pw was top of the list). Other MNHQers will have logged out and in again too.

MNHQ

SarahMumsnet · 19/08/2015 15:02

@randallflagg1

I've rejoined. My previous incarnation was on the list. Seeing your username, IP and password published does give one a case of the willywags. I can only imagine how the people who were swatted must feel.

As a longtime mumsnet user I am not going to let this spoil my enjoyment of the site.

Peace and love.

We're properly delighted to hear that randallflagg1 - and thank you all very much indeed for the support.

MNHQ

SarahMumsnet · 19/08/2015 15:06

@middlings

MNHQ, please take the site down until you've sorted this.

I don't understand it all, but it would appear that you don't either and as much as the support offered here is invaluable, I think that keeping the site up is only going to cause more worry. I don't think there is any point in deregging as I suspect that's a case of shutting the stable door. But I would like me posting history deleted.

I'm sure that's way down your list but I can't be the only one.

I'll report this post now.

Mail [email protected] with a request to delete your history middlings? Justine responded to the question of whether or not to take the site down on this thread

MNHQ

SarahMumsnet · 19/08/2015 15:10

To those waiting for dregs, apologies again; we're working as fast as we can.

MNHQ

SarahMumsnet · 19/08/2015 15:11

@MissDuke

I just posted on the techy thread, but the password published on the list for me is over a year old I think - it is 7 digits so pretty sure that proves it is old? I checked my emails and it looks like I changed it from that in April last year. So certainly in my case, not a recent phishing thing Confused

Thanks MissDuke - feeding this info to tech

MNHQ

RebeccaMumsnet · 19/08/2015 15:18

@wickedlazy

6th August this year or last? Defo read a date somewhere.

This year wicked

MNHQ

SarahMumsnet · 19/08/2015 15:19

@wickedlazy

One of the intial question I posted last night but wasn't answered, was if hackers could access personal files through the app. Don't some apps require you agree to allow access to photographs etc?

Passing that one on too, wickedlazy, as I'm not sure of the answer - will get back to you asap

MNHQ

RebeccaMumsnet · 19/08/2015 15:21

@auntpetunia

What's with the biscuit page? Just changed my email to a brand new one and the link takes me to a biscuit is that mn or the hackers. help

Do you have the URL please aunt ?

MNHQ

SarahMumsnet · 19/08/2015 15:24

@MeetMeInTheMorning

Why are mumsnet still saying there was a forced password reset for all when you can pick a name and password at random and log in as that person with no problem?

Sorry MeetMeInTheMorning - it's possible I'm being dense/my brain has short-circuited, but I'm not sure what you mean. We forced everyone to reset their passwords yesterday afternoon; it was up to you what you set it as, but you would not have been able to log in until you set it.

MNHQ

SarahMumsnet · 19/08/2015 15:27

Hi everyone,

Thanks for all the information you're posting; it's hugely useful. The fact that some of the passwords were very old is our current chief line of enquiry. Could anyone with information on that please email [email protected] ?

Thanks again
MNHQ

MNHQ

SarahMumsnet · 19/08/2015 15:28

@Fiderer

SarahMumsnet Come to think of it, what with the all the kerfuffle and panic I've only just realised that my password on the list is also pre-Heartbleed.

That's why when I wasn't logged in recently, I thought I'd just forgotten the new one.

Thanks loads Fiderer; could you email [email protected] with that info? Much appreciated.

MNHQ

SarahMumsnet · 19/08/2015 16:20

Hey all, SO sorry I went awol - was speaking with the police. Will go back and try to respond to everyone now.

MNHQ

SarahMumsnet · 19/08/2015 16:23

Just before I do: can I say again that if folk have specific information wrt old emails, pws, anything else out of the ordinary, could you mail [email protected] ? Thanks very much.

MNHQ

SarahMumsnet · 19/08/2015 16:25

And: a further update. We hope to have code in place that will force users to choose a complex password in the next hour. At that point, we will force a log out and oblige everyone to reset their password. Please don't worry when this happens: it is MNHQ doing it, not the hacker. I'll start another thread alerting people to the fact this is going to take place.

MNHQ

SarahMumsnet · 19/08/2015 16:31

@Gruntfuttock

I haven't got to think of another secure password have I? The one I changed to yesterday was very secure so will I be able to use that one again?

Very sorry Gruntfuttock, but yes, you will have to think of a new one. I know it's a total pain, but we think it's essential at this point.

Watch this thread for updates

Tap "Watch" to get all the latest updates