
Hackergate part five - PLEASE READ

999 replies

RebeccaMumsnet · 21/08/2015 18:55

Hi all,

A further continuation of this thread and the original thread here

FAQ page here

Please do keep an eye, ask us any questions and we will post updates as we get them.

sleepyelectricsheep · 24/08/2015 08:21

I said this before but worth mentioning again.

For those of us on the list, it's not just Jeffrey we are at risk from. Now our details are public, hackers the world over, from bored teenagers to professional criminals, will be using them to see if they can crack any other accounts - bank accounts, PayPal, iTunes, eBay, Amazon and your own personal email, as they could be the key to many more accounts.

We should change the passwords on any of our accounts with similar (not just identical) passwords / usernames as they are at risk, and will continue to be even if they catch Jeremy.

sleepyelectricsheep · 24/08/2015 08:24

Actually everyone should do the above even if not on the list.

Someone else pointed out there are no email addresses on the published list. Why not? People can log in with them IIRC so for the emails gained from phishing there should be some on the list surely?

If there were emails on the list why has he not published them, is he planning something else with them?

Simurgh · 24/08/2015 08:30

I'm afraid that you should change passwords regularly even if it's a right PITA so if you find you have too many online accounts then consider whether you need them all. Those that are important to you, change and continue using. Those that are not that important, change and then delete the account so that it's a one time task. (And think carefully before you open any future accounts and/or consider how you pay for things.)

The old rules with phishing messages still apply I believe. (Please feel free to correct me if things have changed.) The bad guys initially send out eg hundreds of thousands of (still free at the moment) messages to anything which might be an internet address expecting a hit rate which is very low indeed. When they hit a live address, they can usually be flagged up as having done so, so never ever be tempted to reply to them using eg daft made up details. It may get a few things off your own chest temporarily but potentially, it just flags up that the address is not only alive but also active - so that it can be upgraded to target with even more emails. If they get as high a hit rate as eg 1 active account in 1000 potential addresses, those then become worth targeting with even more messages so that the number will probably just increase hoping that one catches you in an unguarded moment.

None of this is personal at these stages, just automated so that the process can keep going while they're having their supper, so if you get anything you're not expecting, just delete it and move on. If, for example, an email causes you concern - which is what they're designed to do - then contact the site concerned in another way to confirm that everything is fine.

radiantradish · 24/08/2015 08:43

Morning
I wish I could say that I feel better this morning but I really do not. I have sent MN a few emails over the past week and I know they are busy and not replied yet but I can't carry on being anxious over this.

I too logged on with my email address and was active on the site in the past few weeks. I don't feel like I have a full answer from MN on what info was taken.

Simurgh · 24/08/2015 08:51

Have you taken all the appropriate and recommended precautions, radiantradish?

Remember that although this may feel as if you're being ravished, it's not personal. They don't know that you're a mother of two called Sally with an ailing bank account and an old jalopy which needs replacing - you're just a collection of letters, I'm afraid.

(If any of you are deeply rich or deeply famous then, of course, different rules might apply - but in those cases, I would imagine you would have your own security advisers to sort things out for you. Smile)

radiantradish · 24/08/2015 08:59

Simurgh
I have shut down my old account and set up a new email address to use MN and new account with a stronger password. The only thing that my MN account and other internet dealings had in common was the email address.

It does feel like I've been ravished and not in the way I'd like to be ravished by Poldark.

Simurgh · 24/08/2015 09:05

Yes- it does feel as if grubby fingers have been pawing at your personal life. Even ordinary phishing emails are disconcerting to people so you just have to try and get them into perspective. You're always a target for the bad guys - be it eg your house (which is why people have locks on their doors) or via the internet.

Just take the best precautions you can.

Pipbin · 24/08/2015 09:08

I had no idea Devilish.
My query though is: was there anything to link your MN log in to your Facebook page? If your MN name was Jane Smith and your Facebook was in the name of Jane Smith I can understand. Otherwise how did it link?

Simurgh · 24/08/2015 09:10

And I've just been notified that I've had two (failed) keylogging attempts on my machine while I was accessing a certain site. (Not MN) Off to clean it again. It's almost worse than toilets! Wink

LibrariesGaveUsP0wer · 24/08/2015 09:13

They probably aren't connected. People attempt fb login all the time. One good way to limit this is to deny searches on your name and have the notification mentioned set up.

JustOneMinuteAtATime · 24/08/2015 09:18

Radiant The simple answer is that they can't give you a comprehensive answer to that.

If you log in with your username and password, they definitely have those. Likewise with your email address and password, if you log in using both (sometimes your email, sometimes your password) then they probably have your email address, username and password.

It's also possible that they read your profile, and if they accessed your account, they could possibly have read your PMs, although it's incredibly unlikely that they did this for everyone. Or anyone, really.

If you had any accounts using the same email/password combination, like Facebook or Amazon or eBay, they may also attempt to access these sites.

The hack seems to have been targeted at MNHQ, though, with the aim of making this a less popular place. It was supposed to make it feel insecure and stop the support network that is here. Personal details of users were only published to add to that feeling of MN being insecure, and the only Mumsnetters who have had any further acts against them have been those that engaged with the idiot on Twitter.

Does that help at all?

Simurgh · 24/08/2015 09:19

The more I think about it, the more useful those suggested 'After the storm' webchats (one on IT security and one on use of social media) start to appear.

BertieBotts · 24/08/2015 09:22

Sheepy there were some email addresses on the list.

radiantradish · 24/08/2015 09:33

Thank you so much Simurgh and JustOne. You have made me feel a lot better. Flowers
Your contributions are really helpful.

radiantradish · 24/08/2015 09:42

By the way what do you think of software such as 1Password? With this you don't key in but are automatically linked securely (so they say!)

I wasn't using this at the time of the hack but my DH says you cannot be phished with this.

Spindelina · 24/08/2015 10:19

radiantradish I use 1password, and I got phished.

The good thing: my password was random gibberish (look it up if you have a copy of The List!), generated and remembered by 1password. So it was unique to this site (as is my username). By getting my username and password, the hacker could have logged in as me and seen all my info (including my email address and what I've posted, including what I've posted under different nicknames), but those details can't help them or anyone else to log in to anything else (facebook, email, bank...).

How I got phished, and what your DH means by it being impossible to get phished:
I don't know the technical details, but either...

  • Mumsnet got hacked so that the genuine log in page sent the details off to the hacker as you entered them, or redirected you to an alternative login page but one that was still within the mumsnet.com site. In either of these cases, 1password would have recognised this as Mumsnet and happily filled in my password for me.
... or ...
  • the login page got redirected somewhere else, 1password didn't fill it in (as it shouldn't), I had a daft moment and didn't think to check the url and copied&pasted my password from 1password into the fake login page. 1password does have moments when it doesn't play nicely (particularly when Chrome is updating itself), so I do sometimes have to c&p.

So, I am certainly glad that I do use 1password, but it isn't a panacea.

In tangential news, I now have an earworm. This was a triumph! I'm making a note here: huge success. Thanks for that Hmm.
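The two phishing scenarios above both turn on one decision a password manager makes: does the page it is looking at belong to the site the credential was saved for? The following is an added illustration, not code from the thread or from 1Password, using a constructed vault with placeholder credentials and the hypothetical helper names autofill and which_site.

```python
from urllib.parse import urlsplit

# Constructed vault: each credential is bound to the host it was saved for.
# Passwords are random placeholders, not real credentials.
VAULT = [
    {"site": "mumsnet.com", "username": "example_user", "password": "Ld8#vQ2!rTz9"},
    {"site": "example-bank.test", "username": "example_user", "password": "K4m&xP0@wBe3"},
]


def _host_matches(page_host: str, site: str) -> bool:
    """True only for the saved site itself or one of its subdomains.

    'mumsnet.com.evil.test' and 'evil.test/mumsnet.com/...' must not match.
    """
    return page_host == site or page_host.endswith("." + site)


def autofill(url: str, vault=VAULT):
    """Return the credential a manager would fill, or None to refuse.

    A refusal is the signal the post describes: the manager stays silent,
    which should prompt the user to stop and check the address bar rather
    than copy and paste the password by hand.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return None                      # plain http or malformed URL: never fill
    for entry in vault:
        if _host_matches(host, entry["site"]):
            return entry                 # genuine site (even a tampered page on it)
    return None                          # foreign or lookalike domain: refuse


def which_site(url: str):
    """Name of the vault site that would be filled for this URL, or None."""
    entry = autofill(url)
    return entry["site"] if entry else None


if __name__ == "__main__":
    for u in ("https://www.mumsnet.com/Talk/login",        # scenario 1: fills
              "https://mumsnet.com.evil.test/login",       # scenario 2: refuses
              "https://evil.test/mumsnet.com/login",
              "http://www.mumsnet.com/login"):
        print(u, "->", which_site(u))
```

Scenario one (a tampered page still on the real domain) is filled because the domain check genuinely passes, which is why a manager cannot protect against a compromised site itself; scenario two is caught only as long as the user does not paste the password around the refusal.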

CiderwithBuda · 24/08/2015 10:32

Have had visitors for a few days and it took me ages to catch up on all of this.

Does anyone know much about those password keepers or whatever they are? I have no idea how they work but my worry would be that any site can be hacked so presumably they would be a very attractive target for hackers.

I do have different passwords for everything but am struggling with keeping track at this stage! Not sure I trust an on-line solution though.

Brew all round for MNHQ and lots of Cake. You can have gin in your Brew mugs if you wish! (Memories of working in the sales department of a truck company in Dublin in the 80s and for the two weeks before xmas every cup of coffee I made for clients had whiskey in!)

JustOneMinuteAtATime · 24/08/2015 10:33

Spin I had JUST got rid of that, and now it's back. "It's hard to overstate my satisfaction..."

TheAussieProject · 24/08/2015 10:40

Actually, I think this hacker gate is doing us all a lot of good. We know about internet safety, we tell our kids how to behave online and that the internet is never 100% safe. Yet, when the bad guy knocks on your screen, it takes another dimension. And now my words and my attitude with my kids are a lot more serious.
It's a reality call. Like moving to Australia, and yes we know there are deadly snakes and spiders, but looking at them in a book or on wikipedia is one thing, and finding them in your garden, another. It gives a totally new perspective, and that's when you start to be careful.

And we start to notice things which probably were there before, but as they are so common, a page slower than usual, difficulties entering a site, a strange looking page we would just refresh, we would ignore these signs. But not anymore

My son just asked to register on an online game website he discovered during a sleepover so he could play with his friends. Before Jeffrey, the hack and everything, I may have said "ok, go on, thanks for asking". Now I am creating an email address just for this kind of site and a 12-character password with 4 numbers and 2 symbols. For example, the title of a song I like, converting the S to $, the I to 1, the T to + and so on. Such a password would take a couple of millennia to crack.

No forum website can be hacker proof at 100%. You can't encrypt the content like in a financial website. And as far as I am concerned MNHQ has handled it brilliantly, answering my emails, coming back to me with answers and suggestions. So I can only praise them. They had a very shitty situation to solve, yet they've taken the time to answer hundreds if not thousands of emails.

It takes a lot more to make me turn my back on MN. I am learning new tricks even from this, so MN at its best and purest! StarStarStarStarStar

Jasonandyawegunorts · 24/08/2015 10:44

"Aperture Science... We do what we must, because we can."

LibrariesGaveUsP0wer · 24/08/2015 10:50

Cider - one option for less important sites is to use a core password that you tinker with according to the details of the site.

So you create a core password that is gibberish. Take a line from a poem, or song, or quotation and take, e.g the first and third letters from every word. Easy to remember (even if some counting on fingers might be involved) but not a real word.

Then use the name of the website to govern how you tinker with it. E.g Mumsnet is six letters so a string of symbols go in after the sixth digit. But maybe on goodreads the same string goes in after the ninth. Then eg take the third letter of the website name and always insert it as a capital after letter 7 and 11.

Obviously there are a million systems like that (this is obviously not an account of what I do!!!). As long as you use the same system to get a different password each time it's actually quite easy to remember.

The other good thing is that it makes a really long password memorable and, as I understand the maths, you are best off making your password as long as possible from the viewpoint of brute force attacks. All other things being equal, a 25 digit password is waaaay harder to brute force hack than a 12 digit one.

Simurgh · 24/08/2015 11:16

I mix and match as long as things (eg particular types of security software) are not conflicting. (If I were being posh, I would call it 'spreading the risk'. Wink) Not only is there 'no castle so strong that it cannot be overpowered by money' (eg the Chief Software bod's expensive Jones) but also you're only as secure as the latest IT bright spark's momentary lack of attention to their own detailed attacks (eg what is happening in the most recent second/minute/hour/day.)

Make a quick and honest assessment of your own and your family's risks (no biggie - you do it all of the time with your physical property such as houses) and then take the appropriate precautions all the time. (I'm sure none of you would think of going on holiday and leaving all your house windows and doors open - you might forget to do something but that's a different matter.) If a password system is better for you than nothing at all - because your realistic assessment of the way you and your family behave is that you would all do nothing for years - then use it.

I'd take the precautions which are appropriate to you and your family - and hope.

(I would also be pretty careful with youngsters in the family. They usually think that they're savvy and oftentimes that might be true - but sometimes it just seems to boil down to being able to manipulate certain devices and doesn't carry always a deep understanding of IT. My own experience is also that they're generally wide open to social manipulation and that's a difficult one for all of us.)

00100001 · 24/08/2015 11:17

jason Look: we're both stuck in this place thread. I'll use lasers to inscribe a line down the centre of the facility thread, and one half will be where you live, and I'll live in the other half. We won't have to try to kill each other or even talk if we don't feel like it.

CiderwithBuda · 24/08/2015 11:17

Thanks Libraries. Off out now but will re-read when I get back.

Spindelina · 24/08/2015 11:36

CiderwithBuda,
Does anyone know much about those password keepers or whatever they are? I have no idea how they work but my worry would be that any site can be hacked so presumably they would be a very attractive target for hackers.

I do have different passwords for everything but am struggling with keeping track at this stage! Not sure I trust an on-line solution though.

Things like 1password aren't on-line solutions. It's a piece of software that you install on your computer. If someone has sufficient access to your computer to hack it, they have sufficient access to install a keylogger and/or capture your data in several other ways.

You can install the software on several devices (laptop, phone, etc). You can keep those completely separate if you want, and copy the passwords individually from one to the other as and when you need to. Or, you can use a service like Dropbox to keep them synced (so that if you change a password on one computer, the copy of 1password on the other device finds out). The password database that you keep on Dropbox is encrypted with your master password, so neither Dropbox nor anyone else can get in (unless you choose teaandcustardcreams a crap password). And your passwords are never given to 1password - they just provide software for you to look after them all.

You do need to trust 1password - they could, in theory, write malicious software that sent the passwords off. But that would have to be malicious software that you install, rather than a 'hack' in the sense that this palaver has been.
