Hackergate part four - PLEASE READ!

[RebeccaMumsnet]

Previous thread here and original thread here

We will post here throughout the day with updates and info, please do post any questions and we will get to them as soon as possible.

If you need to get in touch off of the boards, please email [email protected], we have a team of people working through the inbox now and will get back to you ASAP but please do bear with us, it's very busy.

There is also a specific thread about passwords here.

Thanks all
MNHQ

Oh well, I've reset it anyway.

adora the latest ios 8.??? (Cant remeber the other digits) has got bugs in it which causes webpages to be re-loaded its very very irritating as i am constantly being logged out of various websites.

adora its apples new opperating system the latest update is causing some users real problems, i swear they are monitering everything i write as i tried to type this earlier and my screen froze!

I think it says a lot of the overall feel of MN that so many of us are thinking of the tech team etc as the local WI or knitting circle.
I tend to forget that this is actually a huge business and not a tea rooms.

Also - hackergate? Really? The 'gate' suffix is a lazy cliché.

Sorry for the two messages as i said my ipad is constantly in meltdown mode

twirly - yes, technically possible, but statistically unlikely... and I am sure that the MNHQ accounts will have been a priority to get fixed :)

to be honest, looking at the lack of issues that have come from this it would seem that embarassment rather than full on trashing is order of the day, so consequences are unlikely to be serious for most... even where reputedly they got into someone's itunes account they spent only £100 - I suspect that the thrill is in 'being the master' / 'taking on the system' showing how clever you are etc. - i.e. the hack is all - very different to organised crime which would not boast about it - but would strip as much cash and value out of accounts as possible...

At around 10pm last night my password was rejected, so I've re-set it again this morning, it could be my username but I don't know....

I think I have about £8 in my current account right now, so if poor Jeffrey is that desperate for the new disney app then he is welcome to splurge that on itunes from me.

Thanks for the reassurance all, I got a bit of a shock was all when was logged in under 2 diff passwords :)

98 - my children have made some cookies, but I am afraid they may have spittal, snot etc in them. But I would if I could, because it's good good be nice in this world and I liked your nice thought.

And I think I have been thinking too much about computer stuff as I am starting to think about computer cookies not the chocolate chip ones now!

akkakk - I agree. If they really were into it for money stealing or even just to trace people via PMs etc they would have done this and NOT released the list to all our attention. It is an attack on Mumsnet itself.

This doesn't mean that others (or even them) won't try and hack peoples Paypal using the details that have been obtained and obviously everyone should reset their passwords (and never have the same for more than one site).

The itunes thing could be (1) true - but only one user and only a relatively small amount to show what can be done (2) a coincidence (not related to MN) (3) Something posted by DadSec on here to get people into a tizzy, cause more panic.

Why try and take money from mnetters late August? Children are costly little things. Entertainment, holidays, exam results, going off to uni and New uniform. I thought they were loving Fathers. They should know the money would be tight this time of year. Unless...

FuckOffHacker - everyone should have had to create a new password at around 10.30 last night.

except loads of people who didn't but should have!

very different to organised crime which would not boast about it - but would strip as much cash and value out of accounts as possible...

Exactly - this is just willy waving really. If they were serious they would have fleeced as many people as possible as quickly as possible before anyone noticed.

MNHQ RebeccaMumsnet et al

My wish list of tech stuff not currently available:

In My Account a list of devices currently logged on.

A devices log on history

Remote log off from devices.

As well as security in general if anyone has ever posted about their ILs and then left their DCs with GOs & a logged in iPad you will know the panic/cataclysm potential there.

Wondering what the model set by more erm... Sensitive.... sites like that adultery one and online dating ones do re:this?

Just seeing if this name has worked - sending virtual gin to all at MNHQ. Changing all of my email and passwords on various accounts has been a total PITA. I don't blame MNHQ, I squarely lay the blame with the hacker/s, but have to take responsibility for myself as well. It's brought me up with a jolt to have stronger passwords and check what information I have logged on my account here and elsewhere - not a bad thing.

I used a second new password about 9pm yesterday, which just happened to be suitable under new rules. It worked, I've heard nothing from Mumsnet, so am assuming this is now my new password unless I hear further. What a mess.
By the way Jeffrey, Idon't remember seeing men on Mumsnet referred to as rapists and paedophiles - almost any other word you can think of and lots of (sensible) advice to LTB. Why not have a look sometime; I honestly doubt you'd find us anti-men.

This is what we need:

PlayingSolitaire - exactly!

Girlwhowearsglasses - not sure that site's model is the best one to choose :) the sad reality is that no software is released without bugs, just not possible, no website can realistically keep up with every potential security issue, hackers have more time / incentive, the whole way in which the internet is designed is itself a massive security flaw - but it was designed for open-ness, not for security... ultimately it is up to each of us to consider how we manage our security...

as an example... I am thinking of a number:

• while it is in my head it is secure
• if I hadn't told you I was thinking of a number it would have been more secure as you would have had no starting point
• now that you know it is a number you can start to apply some stats / logic (number of digits probably 3 or less / certain numbers are more common / etc.)
• even though I haven't told you anyone the acutal number or put it anywhere, it is already less secure
• now if I write it down on my pad next to me, I have reduced security - but you would have to break in to find it - I could write it in code which would help a bit... but still less secure
• now I stick it in a computer database, not connected to the internet, you have to get to the computer to hack it...
• now I connect the computer to the internet - ahh, getting easy now - you can hack me from anywhere in the world - have I maintained security updates / was I aware of a security exploit / etc.
• then I put it on a web page - locked, but still more vulnerable

then I put it up in plain text form, but you need my account to get in...

each step makes it easier and easier to work out that number... I as the user generally control the security by deciding how / where I share information - a much bigger issue than the security of websites...

that adultery website - if people hadn't registered, would their details have been released? - we control our security

Sorry forgot the screen shot from Facebook. It's just taken me through my recent activity so I can see anything suspicious

All the people trying to be nice to MNHQ staff Stephanie & 98 in particular.

It's never wrong to be nice and anyone saying 'they work for a multi million pound business they can afford pizza' or 'it's their job, nurses don't get pizza bought for them and they do a fantastic job' is missing the point. Nurses sign up to put themselves in life or death dramas everyday. However they still have really bad days when they lose children or people they've worked on for a long time but don't pull through. They're allowed our sympathy and if we know them we should be buying them pizza. Or you could pay it forward in a hospital canteen and offer to pay for a coffee for the next health care professional who walks in looking down. So MNHQ are also allowed to have shitty days despite working for an online organisation who might reasonably be expected to be hacked occasionally. But this must rank as a really bad day at the office and are deserving of our sympathy and gestures.

Yes akkkk I know the security is a game of keepy uppy - I was referring to a more prosaic security breach that needs sorting - that of having a logged in device that allows someone in possession of that device to see your posting history: so your in-laws seeing you posted about them on an iPad you left with them while they babysit for you- for an actual life example. This isn't the same level as a password breach allowing widespread id theft, but could cause serious personal repercussions (imagine someone accessing help on MN for DV for example, or incredibly sensitive personal posts)

that of having a logged in device that allows someone in possession of that device to see your posting history

I believe that is the poster's own responsibility and no one else's. If you can't control that sort of thing yourself, you shouldn't be posting private stuff on a forum.

Agree PegsPigs

Does anyone know if we should change our user names? Mn doesn't say anything.

Right, i am off to a wedding.
If anyone posts as me, it isnt me!

Just FYI: I still haven't been forced to log out at any point, both on google chrome desktop (windows) or google chrome android mobile site.

I've just been able to log out and back in on the mobile site. I wasn't forced to change my password.

I've changed my password one (yesterday when the first load of shit hit the fan) and am personally fine because it already met the higher strength requirements so I haven't manually changed it. But I have not been hit by the second forced change at all.

Also as an FYI - the email about the first change only got to DH's email (he has an account of his own) this morning so some people might well still not have received it. I checked, it was genuine links not hacked.