Hackergate thread part three - PLEASE read

[TheOnlyOliviaMumsnet]

Hi all,

This thread is about to max out please continue here and we will update with info as an when we have it.

We will get to all emails and reports but it may take some time Huge apologies.

Here is Justine's OP from the previous thread:

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

Dadsec has been booted off Titter again

Yes agree you're doing the right thing leaving the site up, important thing now is tightening security (all of us, seperate passwords etc not just MNHQ). Then we can forget about it and go back to and throwing

Ok. I have been dipping my fat toe back in Mumsnet waters after a long break ( nowt to do with MN). I know about the initial hacking, and got the MN email to change my password...which I did yesterday (or the day before I think).

Has owt else happened since then? Do I have to change PW again?

Am seeing "take the site down"

Am I ok with my new PW from 2 days ago?

Do i have to re-register?

*sticky

What's this list?

Thank you

"Sorry MeetMeInTheMorning - it's possible I'm being dense/my brain has short-circuited, but I'm not sure what you mean. We forced everyone to reset their passwords yesterday afternoon; it was up to you what you set it as, but you would not have been able to log in until you set it."

I am saying that my interpretation of a 'forced re-set' is that anyone trying to log in would be denied access until they changed their password.

However - if you pick a name at random from the list that has been published on-line, As I did, and log in using the password next to that name on the list it lets a person log-in.

I only did this after several people had posted that passwords did not seem to have been forced to re-set and had been ignored. I logged in then out again but was definitely logged in as the person I did the test on.

It is not right tor Mumsnet HQ to keep saying that list is not at threat as there has been an automatic forced re-set when this is clearly not the case. If I can do it as a test then there WILL be people out there doing it for real, looking at people's accounts, reading their messages and possibly even posting.

It is wrong to say that all those listed have had their passwords forcibly reset if any random person can come along, pick a name and log-in. It suggests that it is not a 'forced reset' but a request to self-reset which may not have reached everyone as not all users will be aware that there is any kind of a problem at all.

me for example... I am on the list (Under my usual name) but I was away all weekend in a place where I had no internet signal. I would have been unaware of any problems or emails or requests to change my password.

SarahMumsnet Some of the username and password combinations on "The List" still work. Presumably this means the user has used the same password when they were forced to reset it but do you want to know which accounts to double check it is that the user has decided to re-use the same password?

Cozie, I am sorry, I shouldn't have been flippant. It sounds horrifying.

Any advice on my biscuit link

No, Susan, I didn't read it as flippancy at all. You'll just have to forgive me if I don't go into too much detail.

For those of us who aren't on here during the working day so have missed the bulk of updates and query resolution is there a link where MNHQ are the sole posters with faqs and answers? I really Dont have the time to trawl through the thousands of posts on this and want to know where I can look quickly for reassurance before I go asking repeat questions. Thanks

for everyone affected. It's truly horrible. I don't think I'm on the list, but my heart goes out to everyone who is.

What a horrible, horrible arse bell end of a person to do this!

fearisdarkness - sorry you feel so bad. I know how that feels. CBT really helped me with that stuff. You have to close your mind to it, like drawing a curtain across the whole subject, in your mind, then refuse to even peak round it. If you hold off for a while, the panic subsides.

If you peak, then it re-ignites. Panic as an emotion actually requires you attention to exist. Like the old thing about the chair in the locked room, and does it exist if no one can see it?

Well if that chair was your panic, then no, it doesn't. It's adrenalin related and as such responds only to attention. Give it none, think about other stuff, do other stuff, ignore it totally and it will actually fuck off just like certain immature nobodies on twitter

Hope this helps at some point if not today xx

SarahMumsnet, the thread at www.mumsnet.com/Talk/site_stuff/2452268-CAN-YOU-CONFIRM-THERE-HAS-BEEN-A-FORCED-PASSWORD-CHANGE?pg=1&order= clearly indicates that it IS still possible, in some cases, to log in using username + password combos from before the site-wide password reset.

Sorry Sarah, me again. I don't think that is technically correct - I couldn't log in with my old one - didn't know what was going on but couldn't be bothered resetting - so logged in through facebook successfully without password changing. I only went back and changed it today after reading about what has happened.

Cozie - absolutely, of course.

MN - I think there needs to be another forced reset of PW with NO ONE being allowed into the site without changing their PW for a NEW password first. And it should happen ASAP. This is all over the news now (and these threads are linked from there). Any old bugger can now read this thread (get the idea), look on the list and search peoples accounts.

This should be a priority.

@dadsec has gone but they've hacked other accounts on Twitter such as @segw_ (which has been reported to Twitter)

MNHQ, I have NEVER in the last few weeks/days/hours been forced to reset my password. I was permanently logged in on the mobile site and have been for days years
I have now reset my password myself.

Cozie - I heard the sound track to the website too. A pretty clear indication of what this is all about (good old fashioned misogyny in the digital age)

fear

one still remaining Ark