Hackergate thread part three - PLEASE read

[TheOnlyOliviaMumsnet]

Hi all,

This thread is about to max out please continue here and we will update with info as an when we have it.

We will get to all emails and reports but it may take some time Huge apologies.

Here is Justine's OP from the previous thread:

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

I'm a bit concerned that the original message made no mention of the list of usernames and passwords which had been published online.

I'm not sure about the 'hacker' being a disgruntled ex, I come across as many women who don't like Mumsnet.

My money is on Katie Hopkins ????

Same here madwoman
Will head downstairs and see if the laptop is any different

My email about what is going on turned up around 3am.

It is very similar to the front page of MN except the link to change password does not start with https like the one one here. It does say to make sure it has the https and when you follow it comes up with what is on the MN home page but the slight difference is unnerving.

I have already changed password via the website so not doing again but the little difference make me worry it could be another bloody good phishing attempt.

When MN refer to a password used from an "old hack" I took it to mean last week's. Isn't it? Whether it is or not, the fact that they've just released the client company addresses doesn't necessarily indicate to me that they've only recently accessed them, they could have done so at the time of the original hack and kept them for later use.

Thank you KateMumsnet

I have tried to deregister again this morning and didn't get the biscuit page. I did get an email explaining about the hack and that it may take some time. So fingers crossed.

Oh and I've haven't had an email or had to change my password.

Nope - no forced reset via laptop either.

Still not had the forced log out. I was also on the list.

I was forced to logout (on phone though). Thought MN had just crashed again at first! addicted

I have tried 50boiledCabbagesShovedUpYourArse but it said that one was taken.

(only kidding - I already have mine but loads of people are having trouble)

Can someone from MNHQ PLEASE state what the new password parameters are?

Thanks

I've just managed to create a new password but couldn't do it last night; I didn't know what the new rules were and the error message didn't tell me.

We need a sticky thread with the new rules!

Wasn't on the list but I still haven't had the forced log out. I changed email and password yesterday so will wait to be booted out rather than change it myself then have to reset it anyway.

ok i had to log in and do a reset but didn't have a minimum characters or anything like that requirement. interesting that some do and some don't.

i'd like to know if the 'separate area' where these contacts addresses were kept is the same as, or has the same standard of security as, the separate area we've been reassured prize winner and panelists etc addresses are kept?

I've not been forced to reset either.
However yesterday I gave myself a new email address and password that meets the new criteria.

I'm on mobile site anyway which doesn't stay logged in but didn't have any issues changing mine. The rule I used for new password is:

*at least one upper case letter
*at least one alternative character
*at least one number

Tried phone, iPad and laptop - no forced reset. I have a new password since being on the list and new email but the password doesn't fit the new criteria that you are all stating here. Total PITA

I was force logged out and have set a new password but nowhere did it say what the parameters are, just that it needs to be a new one. The one i entered was complex anyway so I don't know if an error message would have told me the parameters if it hadn't been.

WannaBe - I didn't need the uppercase letter.

Morning all,

We are here and will be working through your questions.

We are waiting for Tech to confirm the exact parameters of the passwords, apologies that this was not clear last night, we have a team of people working long hours to keep on top of all of this and the communication side of things is difficult when things happen at the rate in which they have. Apologies.

We will post the correct parameters when we have them (asap) but we know loosely, it will be a long password (around 12 characters) Upper and lowercase and contain numbers/ symbols. This is my best guess from discussions yesterday, we will confirm shortly.

For those who were not forced out, what device are you on? This may help us.

Thank you all for your comments and support, it's been a very busy few days and we are pedalling as fast as we can, please do bear with us and we will respond to your questions.

Strength and gin...

tbh i wouldn't link another email address until you are sure things are resolved.

I've not been forced out on my iPhone.

Wasn't forced out, but password that I reset on Tuesday, has the correct paramaters. Log in url looked good to me.

Desktop + firefox.

RebeccaMumsnet I was on the 3,000 list. I changed my password when you emailed me yesterday.
I have not been forced out on any device, laptop, phone or email.
Hope this helps - I posted this on another page but would appreciate an answer if poss....

Not sure what to do now. Sit tight with my new password I did yesterday (totally different to the one leaked on Twitter and a mix of characters, numbers etc) but doesn't fit the new password criteria. Or change it to the new criteria and risk then being forced out and having to change again.
I need a coffee and / or a lie down. Poor MNHQ I feel for you I really do but some more info would be very helpful.......

Should add - iPad, iPhone and MacBook if that helps - all on Safari

Hi Rebecca, yesterday MNHQ said that the census data was safe because it was on a different system, but this was also the case for the second leaked data as I understand it. How sure are you that the census data is safe?