
Hackergate part four - PLEASE READ!

993 replies

RebeccaMumsnet · 20/08/2015 10:12

Previous thread here and original thread here

We will post here throughout the day with updates and info, please do post any questions and we will get to them as soon as possible.

If you need to get in touch off of the boards, please email [email protected], we have a team of people working through the inbox now and will get back to you ASAP but please do bear with us, it's very busy.

There is also a specific thread about passwords here.

Thanks all
MNHQ

98percentchocolate · 20/08/2015 11:20

Thank you Polter Flowers and if solitare is around anywhere I'll take some of those cookies please if you are offering?

RebeccaMumsnet · 20/08/2015 11:23

@MadrigalElectromotive

It is not ideal twirlypoo, agreed. However, you had an active session with us and so were able to access the site. IF anyone had attempted to get into your account last night with the old password, they would not have been able to.

But if they were already in twirlypoo's account, then they will be able to continue to access it for as long as their session continues?

They would have to log in with a password. If the password was reset, it should be fine.

twirlypoo · 20/08/2015 11:24

I'm confused! Why would they have to log in with a password if they already had an open session?

MiaowTheCat · 20/08/2015 11:25

This reply has been deleted

Message withdrawn at poster's request.

MadrigalElectromotive · 20/08/2015 11:26

I'm confused! Why would they have to log in with a password if they already had an open session?

Yes, that is what I am trying to ask too!

TheDarkFairy · 20/08/2015 11:30

I only just got the email about this, too late to reset my password, so I just had to reregister. I was BathshebaDarkstone. Fucking hackers! Angry

RebeccaMumsnet · 20/08/2015 11:31

@twirlypoo

I'm confused! Why would they have to log in with a password if they already had an open session?

But they wouldn't have had an open session unless they went in and physically used your work computer. To access any account you need log in details. If you reset your password, from that point, your account was secure. Sorry to confuse, does that make sense?

TheTravellingLemon · 20/08/2015 11:33

I've tried to set up a completely new account with a new email, but I am not receiving the verification email.

I am a bit concerned that someone might have a session open in my account, even though I have changed my password about a gazillion times.

twirlypoo · 20/08/2015 11:38

It does, But......

I was on the list, so they had access to my username & password.

So let's say they opened up a tab with my log in.

I then open up a tab on MY laptop and change passwords etc. I am now logged in under that password.

They STILL have access under their open tab??

I was accessing my account this morning under both the new password (on my phone / the app) and the old password (open tab on laptop)

Theoretically, does that not mean that dad sec could still have access on his open session too?

akkakk · 20/08/2015 11:38

twirly you are correct...

if your password was FRED on tuesday and they logged in as you

and you reset your password to MARY on wednesday... but they remain logged in...

then until they close their browser their session cookie will remain active as it was authenticated against your FRED password on tuesday when it was correct...

so they could still be logged in having used an old password...

two basic fixes for that - store the encrypted password in a cookie on the user's computer and check that every page (slows server down, but more secure) once you change your password - next check would fail...

terminate the session cookies from the server - not sure of detail of MN setup or how, but that is possible and in theory is what they were doing when they said they would force everyone to log out - by killing the session cookie from their end your session cookie would no longer be valid and you would need to log in again...

if you were able to go to an already logged in computer after that apparently happened, then the termination at the server could not have worked as intended...

however it is unlikely that the hacker has really got 3,038 tabs open :) trying to maintain sessions...
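The stale-session problem and the two fixes discussed in the post above, as an added example that is not part of the thread and is not Mumsnet's code. It swaps the "encrypted password in a cookie" idea for a per-user credential version checked on every request; the `Accounts` class, `stale_session_survives` and the sample username are hypothetical.

```python
import hashlib
import hmac
import secrets


class Accounts:
    # Toy in-memory account and session store, constructed for illustration.
    def __init__(self):
        self.users = {}     # username -> (salt, pw_hash, cred_version)
        self.sessions = {}  # token -> (username, cred_version at login)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, username, password, revoke=True):
        salt = secrets.token_bytes(16)
        version = self.users.get(username, (None, None, 0))[2] + 1
        # Fix 1: each password change bumps a per-user credential version.
        self.users[username] = (salt, self._hash(password, salt), version)
        if revoke:
            # Fix 2: terminate every server-side session for this user.
            self.sessions = {t: s for t, s in self.sessions.items() if s[0] != username}

    def login(self, username, password):
        salt, pw_hash, version = self.users.get(username, (b"", b"", 0))
        if not hmac.compare_digest(self._hash(password, salt), pw_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, version)
        return token

    def authenticate(self, token, check_version=True):
        session = self.sessions.get(token)
        if session is None:
            return None
        username, version = session
        if check_version and version != self.users[username][2]:
            return None  # session predates the latest password change
        return username


def stale_session_survives(revoke, check_version):
    # Replays the FRED -> MARY scenario; True means the old tab still works.
    site = Accounts()
    site.set_password("example_user", "FRED")
    old_tab = site.login("example_user", "FRED")       # Tuesday: someone logs in
    site.set_password("example_user", "MARY", revoke)  # Wednesday: password reset
    return site.authenticate(old_tab, check_version) == "example_user"
```

With both flags off the old tab keeps working after the reset; either fix on its own is enough to reject it.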

Charlesroi · 20/08/2015 11:40

I think the session applies to a specific computer. E.g. a small file is stored on it that says you are a valid logged-in user, so they would have to be using that computer (or forge/steal the file) to have access to your account.

OutToGetYou · 20/08/2015 11:41

IP addresses don't mean anything, half the time they refer to your ISP anyway, mine always says I am in Hull as that is where my ISP servers are based.

twirlypoo · 20/08/2015 11:42

akkak glad I am not going mad!

Agree it is maybe not likely he has 3038 tabs open (though when I shop online it feels similar) but if he kept key admin accounts and a few members on there then he could still cause distrust and chaos by posting whatever he liked. I am SO not techy mind. But that is possible isn't it? Or not?!

OutToGetYou · 20/08/2015 11:46

I'm wondering how many passwords are now variants of 'fuckoffhackers' or 'diehackerdie' etc :)

gamerC1 · 20/08/2015 11:48

I do like that people can change their passwords a zillion times... I haven't been able to change it once Grin

chamerion · 20/08/2015 11:48

Hi, I've just logged in using my old password.

Thought this wasn't possible after the forced reset and new complex password rules?

OutToGetYou · 20/08/2015 11:49

It is possible twirlypoo, but it seems MNHQ has forced a log out and password change of all but 10% of users so it is very likely if he/someone was doing this they would by now have been forced out anyway.

Justine confirmed that there was a bug in the forced password reset that was affecting around 10% of users and means they have not been forced out. I was forced to log in about an hour ago, but the new password from last night (pre any other forced log outs, which I never had) is still working. As it is unique to here I won't now change it unless I have to.

AllThatGlistensIs · 20/08/2015 11:50

outtogetyou ha! I'd imagine quite a few Grin

AdoraBell · 20/08/2015 11:54

Just signed in with my new password and a message appeared at the top of the screen

There was a problem with this web page so you have been redirected.

Does that sound right?

RebeccaMumsnet · 20/08/2015 11:55

@twirlypoo

It does, But......

I was on the list, so they had access to my username & password.

So let's say they opened up a tab with my log in.

I then open up a tab on MY laptop and change passwords etc. I am now logged in under that password.

They STILL have access under their open tab??

I was accessing my account this morning under both the new password (on my phone / the app) and the old password (open tab on laptop)

Theoretically, does that not mean that dad sec could still have access on his open session too?

It is highly unlikely that the hacker would have a computer on with lots of open accounts with logged in sessions. Obviously we cannot be sure of this but he would have to have many many devices available to him to facilitate this. If your password was reset last night, you should be fine.

We did attempt to force everyone out and this did work for many but not all, we are looking into why now.

sheitani · 20/08/2015 11:56

For those people struggling with passwords, I suggest you use a password manager. I use Dashlane, but there are a number of others out there such as Roboforms and Norton. The password manager will keep track of hundreds of passwords for you & can generate strong passwords for you. The only password you need to remember is the one to your digital password safe.

AllThatGlistensIs · 20/08/2015 11:56

What was the URL address on it Adora?

Sagethyme · 20/08/2015 12:01

Adora does it say redirected or reloaded?

AyeWrite · 20/08/2015 12:01

HQ, you did prudently buy Cyber Risks Insurance, didn't you? Grin

AdoraBell · 20/08/2015 12:03

It didn't show one.

Just that message in a white box with an X in the corner. It wasn't a prominent message and I almost missed it. I'm using my iPhone, if that makes any difference.