
Hackergate part four - PLEASE READ!

993 replies

RebeccaMumsnet · 20/08/2015 10:12

Previous thread here and original thread here

We will post here throughout the day with updates and info, please do post any questions and we will get to them as soon as possible.

If you need to get in touch off of the boards, please email [email protected], we have a team of people working through the inbox now and will get back to you ASAP but please do bear with us, it's very busy.

There is also a specific thread about passwords here.

Thanks all
MNHQ

RepeatAdNauseum · 20/08/2015 13:18

Snap.

I was logged out on the mobile site, and thought that was it, but it let me log back in with the old password fine, no prompt to change it.

SuffolkNWhat · 20/08/2015 13:25

Just been forced out and relogged in with most up to date password (the new system)

RebeccaMumsnet · 20/08/2015 13:29

@ppeatfruit

Agree PegsPigs

Does anyone know if we should change our user names? Mn doesn't say anything.

This is up to you ppeat, if your password is reset you shouldn't need to but you can if you would like.

RebeccaMumsnet · 20/08/2015 13:34

@RepeatAdNauseum

Snap.

I was logged out on the mobile site, and thought that was it, but it let me log back in with the old password fine, no prompt to change it.

Old, old password or reset recently and matches new password parameters?

StephanieBeacham · 20/08/2015 13:34

Just a short list of sites to make sure you haven't forgotten to update with better/different passwords (please add to it if you like)

Facebook
Twitter
Amazon (important due to payment process being quite undemanding)
Bank
Paypal
Ebay
Google
Apple
Lottery
Mobile phone account

I can't think of any more.

akkakk · 20/08/2015 13:35

Girlwhowearsglasses I can understand that would be a difficult situation, but that is really difficult for websites to manage... arguably if you have two ipads in a household (and many do) it becomes difficult for a website to differentiate without your trusting them with more personal information to identify each... even then, all they could do is give you the option to log a specific device out by killing the session remotely - a nice to have, but the lack of it is not a security risk / issue...

ultimately in that scenario the user shouldn't be leaving a device logged in - either remember to log out / use a password or fingerprint ID on the device...

I do think there is a balance of responsibility and ultimately a lot of the responsibility is actually ours - the websites might be a convenient scapegoat, but it is the user's choice what they post on there, if information is sensitive and at risk it shouldn't be posted...

RaspberryOverload · 20/08/2015 13:35

I can add:

Gumtree
LinkedIn

to your list

Hulababy · 20/08/2015 13:38

I had forced log out on my laptop and on my phone - both on mobile website (via safari) and on mobile app (iPhone). Had changed password yesterday, but now redone. New password up and running.

overthemill · 20/08/2015 13:42

God I'm fed up with this! You made me log off and change passwords yesterday and now again today? No way am I doing it again

Zucker · 20/08/2015 13:47

I was on the list of 3000 United we Stand. Anyway I've now changed my password.

Why the need to frantically change all my passwords for any site I may have an account for? I'm not understanding the blind panic some people are having about this. Unless the majority of people have 1 password for all sites they visit, but that couldn't be true right?

I also don't think this was a phishing exercise, most likely it will be a disgruntled ex employee or ex tech company/employee MN has used in the past. I'm finding it hard to believe that this hacker was also the same hacker involved over a year ago and sat on that information until now to break into a server so they could take MN advertising partner details/emails. Plus that MN did nothing to change passwords or improve security on that server.

I know they really owe us no explanation, but jeesh we're not thickos.

diddl · 20/08/2015 13:49

I'm having trouble logging in.

I log in (or think I have!) & just get the log in page again.

Am checking the URL, but am concerned that once the log in page comes up again, I've already put my password in iyswim.

leedy · 20/08/2015 13:52

"Unless the majority of people have 1 password for all sites they visit, but that couldn't be true right?"

Oh, you'd be surprised.

"I also don't think this was a phishing exercise, most likely it will be a disgruntled ex employee or ex tech company/employee MN has used in the past."

If you look at the technical side of the attack thingy thread, their tech team seem to have found what looks like the security hole used to gather users' details when they logged in.

I'm not sure why some people are being so WAKE UP SHEEPLE, DO NOT DRINK THE MUMSNET KOOLAID! about the claims by MNHQ that the passwords were compromised using some kind of phishing mechanism, it seems by far the most plausible explanation.

(goes off muttering about hackergate truthers, etc.)

DawnOfTheDoggers · 20/08/2015 13:57

This reply has been deleted

Message withdrawn at poster's request.

ppeatfruit · 20/08/2015 13:59

Thanks Rebecca Grin BTW is dh right in saying that when we click on 'links' we are leaving ourselves, and you? open to hacking?

RepeatAdNauseum · 20/08/2015 13:59

Rebecca - Old, old password. It would fail the new password specification on two counts.

I will update it, when it kicks me out, but I thought it might be useful to know that it hasn't happened yet.

TheImminentGin · 20/08/2015 14:01

Hello all. Signed back in with brand new shiny password. Gosh it wasn't hard or time consuming.
Slight glitch on re entry as the page came up in text.
Seems fine now I have made my way to active convos.
Although the header bar flutters pink and has been doing for the last few days, is that usual?
Well done everyone at MNHQ and large gins all round as often as required.
Star Star Star

leedy · 20/08/2015 14:07

(obviously the sheer fact that there was a security hole to exploit does mean they need to improve things to stop it happening again, I don't think it having been a phishing attack means that the Mumsnet systems themselves had nothing to do with it)

98percentchocolate · 20/08/2015 14:10

Leedy - yy I was talking about this to somebody yesterday who admitted that they have all of their passwords set to "password" or "password1".

goblinwalk · 20/08/2015 14:11

Getting a bit fed up with this now. Kicked out yet again.

PlayingSolitaire · 20/08/2015 14:11

"I don't know if you've read the c&p stuff taken from the 8chan site last night but Jeffrey's claiming he piggybacked in via a fake profile here and planting IT voodoo thingmies (I know nothing about technology) on a member of staff. He sounds quite plausible and it would explain the more than phishing theory."

I also read this - MN please can you confirm that you have read it too and that your Tech people/ outside Tech people have considered whether this was possible or not and if so have stopped it and stopped it happening again.

RebeccaMumsnet · 20/08/2015 14:14

@diddl

I'm having trouble logging in.

I log in (or think I have!) & just get the log in page again.

Am checking the URL, but am concerned that once the log in page comes up again, I've already put my password in iyswim.

Sorry diddl, have you reset at all?

PlayingSolitaire · 20/08/2015 14:15

My current situation: logged out and password changed. I can log in via google but CANNOT log in through Safari. I enter my details and then the page goes into talk, but I am not signed in.

I have tried several times and I am certain my password is the same one that works fine for Google.

diddl · 20/08/2015 14:17

I reset this morning as it was the only way for me to get in.

(Had also reset a few days ago when asked)

I'm doing as I'm told! Grin

RebeccaMumsnet · 20/08/2015 14:18

@ppeatfruit

Thanks Rebecca Grin BTW is dh right in saying that when we click on 'links' we are leaving ourselves, and you? open to hacking?

Potentially, yes. You need to be aware of that all important S at the end of the httpS when on a log in page. If you get an email that's dodgy, FB message, post etc with a link from an untrusted source that clicks through to log in info, it is best NOT to enter that info in.

It is not easy to tell and that's how phishing happens.

Always look for the s and make sure your source is a trusted one.

RebeccaMumsnet · 20/08/2015 14:20

@PlayingSolitaire

"I don't know if you've read the c&p stuff taken from the 8chan site last night but Jeffrey's claiming he piggybacked in via a fake profile here and planting IT voodoo thingmies (I know nothing about technology) on a member of staff. He sounds quite plausible and it would explain the more than phishing theory."

I also read this - MN please can you confirm that you have read it too and that your Tech people/ outside Tech people have considered whether this was possible or not and if so have stopped it and stopped it happening again.

We are aware, yes. Thank you.
