Hackergate thread part three - PLEASE read

[TheOnlyOliviaMumsnet]

Hi all,

This thread is about to max out please continue here and we will update with info as an when we have it.

We will get to all emails and reports but it may take some time Huge apologies.

Here is Justine's OP from the previous thread:

On the night of Tuesday 11 August, Mumsnet came under attack from what's known as a denial of service (DDoS) attack. Our servers were bombarded with requests, which required our internet service provider to massively increase server capacity to cope. We were able to restore the site at 10am on Wednesday 12 August. Meanwhile a Twitter account, @DadSecurity, claimed responsibility, saying in various tweets "Now is the start of something wonderful", "RIP Mumsnet", "Nothing will be normal anymore" and "Our DDoS attacks are keeping you offline".

To add to the 'fun', it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to "prepare to be swatted by the best" in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It's worth saying that we don't believe these addresses were gained directly from any Mumsnet hack, as we don't collect addresses. The police are investigating both instances.

@DadSecurity also claimed that he had access to Mumsnet user data. Later on 12 August, it became apparent that someone/ones had hacked into some of Mumsnet's administrative functions, at which point they were able to redirect our homepage to the @DadSecurity Twitter profile page, as well as to edit posts from two users' account and an MNHQ account on our forums.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users' passwords had not been accessed, because MNHQ doesn't hold them as plain text; they're all encrypted, so that no one - not even us - can see them.

However, over the weekend, a user reported that posts had been made under her name which weren't by her, and we spotted two other cases where this had happened. This clearly suggested that the hacker had nonetheless been able to get hold of some users' passwords.

Our best guess at this stage (and it is just a best guess) is that this has been done via a form of phishing, in which the hacker creates a fake Mumsnet login page to which users are directed when clicking on our login button. The page would have had a different url but otherwise would look just like the usual page. The hacker would have been able to see passwords in plain text when they were typed in.

We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords. As a result, you'll no longer be able to log in to Mumsnet with your current password, and will need to create a new one, here.

This will mean that any passwords the hacker has been able to harvest up to this point will be useless. We are looking into what we can do to strengthen our defences against phishing, but in the meantime we need to ask you to be vigilant, and to check the URL of the login page for the foreseeable future. The correct URL is www.mumsnet.com/session/login and it reads rather than at the beginning. We will place a warning on the login page reminding you to do this.

Alternatively use the social login option (ie Facebook/Google) as then you won't be required to enter a password. And if you log into any other sites using the same password that you use on Mumsnet, it makes sense to change your password on those sites, too.

We're really sorry for the alarm and inconvenience this might cause, and we realise you're likely to have further questions about what's been happening, so here's a summary of answers to the most obvious questions.

You say the hacker was able to access Mumsnet users' data: was data from my personal account accessed?
We have no way of knowing how many Mumsnetters were affected - so far we have evidence of 11 user accounts being hacked but it's an ongoing investigation. Those users have been informed, and their passwords have been reset. We think it prudent, however, that everyone reset their passwords - which in any case is a sensible thing to do from time to time.

What data could the hacker see?
By using your password and login, he would have been able to see the data on your profile - so that includes your username or email plus your password, your postcode if you've supplied it, your username history and your Mumsnet inbox.

Now that I've changed my password, can you guarantee that my data is safe?
Unfortunately, we can't give you a cast-iron guarantee of this - no site can. By forcing a password reset the hacker won't be able to log in as you; however, if phishing was the cause, the page could be phished again, which is why it's important that you check the URL of the login page when you enter your details, or use your social login. If the URL is anything other than www.mumsnet.com/session/login, don't use it.

Final thoughts
The internet is of course brilliant, but it's not 100% safe and secure. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you'd be for that information to fall into the hands of someone else. Make your passwords as secure as possible and change them every few months. Use different passwords for different accounts. Close redundant accounts that you no longer use.

And if you read nothing else...
I do realise this post is long, so here's a quick summary:

DO reset your Mumsnet password
DO make passwords really strong to reduce the risk of them being guessed
DO check the URL of any login page to reduce risk of phishing
DO verify that is being used on login pages
DO use social login to avoid typing passwords
DON'T give out information to any organisations without verifying they are who they say they are (such as the fake @mumsnetsupport twitter account that had also been started but has now been removed by Twitter)

Please post here or mail us on [email protected] with any questions or thoughts. As you can imagine our inbox is fairly voluminous at the moment but we'll get back to you as quickly as we can.

Thanks very much for reading,

Justine

Also, could someone please explain how Facebook login to Mumsnet works?

Thanks altinkum

Altinkum thank you.

I changed my PW 48 hours ago in response to MN email.

Do I change it again?

Right am confused. I changed my email to and got a email to confirm and when I followed the link. I got the biscuit page. Was that mn or the hackers. Im not sure know how safe anything is now.

crazynanna

Yes, definitely change it again now, and if you use the same password anywhere else, change those to something completely different also.

There is a lot of speculation and panic, and I do understand the worry of those who have shared intimate details of their life on here.

Here's what I've done.

• Changed password and user name

• Changed password again

• Deleted all PMs, sent and received

• Requested dereg which hasn't gone through yet. When it does, I'll re-register with new email address for Mumsnet

• Checked to see which other sites I've used the same password on. This was embarrassingly long. I hadn't realised that I'd reused it.

• Changed lots of passwords to much more complex ones

I use 1Password app, which synchs automatically to iPhone and enables me to use complex passwords, while still not being locked out of sites that I use daily! agilebits.com/onepassword

From what I've seen, Mumsnet may have been slightly lax with security on some issues (I'm not an expert though, so won't speculate on that) but in other things, I have to take the responsibility for my mistakes.

It didn't occur to me to periodically delete PMs, some of which had personal details including addresses and phone numbers. (Btw, a quick delete of PMs would be very helpful, as that took ages!)

I was also lax re security and use of same or similar passwords on other sites. I'm taking the day to sort this out, and while it may be annoying, it is also good to know that I've done what I can to prevent worse happening.

It would be good if people could restrict themselves to contacting MNHQ if they have a really URGENT reason to do so, so that they can concentrate on those emails.

Truly truly sorry for all those affected. May it boomerang back with ten times the impact upon the sad, sick, twisted individual who did this. There will be a trail left, and in the fullness of time let's all hope and pray that it leads straight to his (presuming it's a his!) door.

Thanks Sarah,

I know she did - hence my comment about the support the site is still supplying even through all of this. I just wonder about the level of responsibility of "letting" (I use that word advisedly as ultimately it is of course personal choice) vulnerable people post things, in a manner that they think is anonymously, that might come back to haunt them.

Has mnhq emailed everyone who's on the list? I name change regularly so while I'm confident this name won't be on the list, short of posting my whole name history, not sure how I can check old names. (I have changed passwords etc, but concerned about possibility of anyone having logged into my account and accessed info there as seems to have happened some posters )

Altinkum I have just reset my PW through my account page...is that safe?

AllthatGlistens..thankyou. I have just reset it.

Looks like I need a new bus ticket to write all my new passwords on

forced to reset passwords

I think there is a misunderstanding here...
my understanding (which could be wrong!) but comes from also talking to tech at MNHQ is:

• all accounts can no longer be logged into until the password has been reset
• if you were already logged in, you are not being forced to log out (your session - different to your password - is being kept)
• if someone resets their password to the same as before the system will allow that (hopefully not in the future) and therefore some names and passwords from the list may still work - sadly if someone resets it with their current password then it makes it less secure than not resetting it as the reset needs an emailed link making it more secure
• if you log out now / reset your password now you are fine for the future

I'm not on the list afaik and have changed my password etc, but has anyone from MNHQ yet commented on the dadsec Twitter comment about this being an inside job/one of their people being on the staff at MNHQ? All these comments about passwords being old/old handles/pre-Heartbleed data surely can't be explained away that this is part of a phishing exercise?

On another note, Justine and anyone so far directly affected by this:

Thanksaltinkum I knew I was on the list I'd had the email. My problem now is I changed my email and details then when following the link in the email got a page with a biscuit on, so now not sure whether my changes have gone through. I know the password one has but I wanted to use a new email just for mn.

I'm not on the list and couldn't log in with my password last night so had to do reset password and used a new one. Wondering if the accounts that people say can be accessed are ones where the user has chosen to re-use their old password or maybe someone who stays logged in to the site. I always log out.

If it means anything, I haven't had any spam yet today. Which considering the amount I was having is a tremendous relief.

Would anyone mind seeing if I am on the list please? Thank you

MaryZ They would if people have just used the same password post-reset that they had before.

fearisdarkness I'm very sorry you have been so distressed by what has happened. I hope you will feel able to continue to post and get support on here when you need to.

If you haven't already perhaps you could use a password and email address just for Mumsnet, which is what I do.

Maryz Have you seen my last post on your Pm thread?