
Mumsnet data breach - please read

46 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

JustineMumsnet · 07/02/2019 12:46

@EspressoButler

I haven’t had an email from you.

And I reported a post made several hours ago, in my name, that wasn’t posted by me.

Sorry Espresso - you're right - it's not quite gone to you yet but it's on its way.

JustineMumsnet · 07/02/2019 13:23

@CallMeSirShotsFired

I'm writing this on the app without any need to log back in.

Furthermore, I have just changed my password on desktop, so now I'm accessing my account on the app under an incorrect password.

I did actually try killing the app by swiping up to force a pw challenge - but it just happily opened up and here I am typing and submitting...

@JustineMumsnet @mnhq is this a gap in the process?

Hi CallMe, the app isn't affected by this breach. So no forced login required on that. (nb Passwords weren't able to be accessed anywhere either)

JustineMumsnet · 07/02/2019 13:31

@AornisHades

Is it fair to say that if you were logged in before Tuesday and remained logged in until the forced logout this morning, you should have been safe from anyone accessing your account?

Yes we're 99% certain this is the case Aornis. Investigations so far show that 5 out of 5 incidents on switched logins occurred when users logged in at exactly the same time as another user. We are checking every incidence of switched logins we know about to make sure that's how the problem occurred - we'll obviously update as soon as we're certain that's what happened.

JustineMumsnet · 07/02/2019 13:36

@bubblewire

Are you able to tell which accounts have been accessed?

We are working on it - as said there is a pattern that we've established which is pointing us to believe it's a case of a problem when there's synchronised login between 2 different accounts. That would mean that it's relatively rare and we should be able to systematically ascertain any other accounts where this occurred in the last few days and which user had access to them. Our team are working hard on this and we should have more definitive answers soon.

JustineMumsnet · 07/02/2019 13:41

[quote SophiaLovesSummer]@JustineMumsnet I know I was logged in over that time - can you please confirm that you absolutely will be letting me know if mine was breached? IE that your investigation has a goal outcome that includes ID'ing all and any affected accounts; ditto that every person affected will be informed?[/quote]

Yes our intention is to try to find every incidence where there was a synchronised login and then to check each of those login histories with a view to uncovering if there was a breach and letting the user know immediately if so.

JustineMumsnet · 07/02/2019 13:46

@BBInGinDrinking

MNHQ believe it's the software change, but don't know for sure?

We're pretty certain of this, yes (and as said there have been no problems since we reversed the change). We should be able to confirm it unequivocally in due course, but we do think we should rule out every possible other explanation and leave no possible stone unturned before we say we're 100% sure.

JustineMumsnet · 07/02/2019 13:51

@Limensoda

I don't understand any of this. I had to log in today after I had left myself logged in. All I want to know in simple English is how am I affected and do I need to do anything.

You do not need to do anything. We have reversed the change that caused the problem. We are investigating which accounts have been affected - we don't think it's many and we will contact you if we think it is yours.

There is no evidence that anyone whose account was switched has done anything malicious but of course we cannot be sure until we've tracked down every incidence and contacted the affected posters. If you're at all worried please [email protected].

NellMumsnet · 07/02/2019 14:20

Hi, there have been worries about not being asked for a password when you log back in after having been forcibly logged out.

If you use Google or Facebook to log in to Mumsnet, and you are already logged into those accounts, then you will NOT be asked for a password when you go to log in to Mumsnet. This is how it should work.

If you are logged in to the app, you are still able to use the app until you log out, even if you have changed your password on the site. Given today’s issues, we are going to forcibly log out all app users in the next 30 minutes. You should then be asked for your password if you try to load a thread or create a post.

It’s also worth knowing that if you are already logged in when you go to the sign in page, it will just accept your email and take you back to the home page. A password isn’t requested as you are already logged in (we appreciate this is an unusual case).

In other cases, a password should be required, so if you think you’ve seen something different, please send details to [email protected]. It is helpful to know whether you are using the site or the app, what browser you are using, and what device (e.g. iPhone).

Thanks so much for your help on this.

NellMumsnet · 07/02/2019 14:32

Just to clarify my message above, on the app you can view threads without being logged in, but you shouldn't be able to load the list of threads I'm watching. Apologies for the lack of clarity.

This does mean that you may not know that you have been logged out. Hitting "reply" or clicking the menu at the top right will help you check your status.

JustineMumsnet · 07/02/2019 15:18

@HankNPat

So finally MNHQ stickies this thread in Site Stuff and AIBU at nearly 1pm today - but still hasn't stickied it in Chat as well. Why on earth not?

Hi we stickied it in Active (by far the most active page on the site as soon as it was written). It's a manual process to sticky all over the site so it took a little while. We're not in any way trying to bury this - the opposite.

JustineMumsnet · 07/02/2019 15:20

@JustineMumsnet

[quote HankNPat] So finally MNHQ stickies this thread in Site Stuff and AIBU at nearly 1pm today - but still hasn't stickied it in Chat as well. Why on earth not?

Hi we stickied it in Active (by far the most active page on the site as soon as it was written). It's a manual process to sticky all over the site so it took a little while. We're not in any way trying to bury this - the opposite.[/quote]

Oh and we also removed all other stickied threads from Active so it was v prominent...

JustineMumsnet · 07/02/2019 15:27

@BeneathTheBoughs

I don't think your posts belong to you once they are on the site but to Mumsnet. Hence, the reason they can sell/allow other sites to use them as they want.

Mumsnet - please clarify - is this correct?

We have shared copyright on posts BeneaththeBoughs. You retain all your rights to use but effectively grant MN a license to publish it/ sell ads etc.

JustineMumsnet · 07/02/2019 21:35

[quote TheSassyAssassin]@MNHQ I have had what I thought was a generic blanket email to inform me of this breach (essentially the text in this thread's OP) but now I am wondering if it isn't generic and is in fact because my account has been accessed?[/quote]

We sent a mail out to every email on our database about the breach. We've also sent a different and very specific mail to the 15 or so people whose accounts we know for sure had a switched log in. You'd know if you got that one because it specifically said your account had been subject to a breach. Thanks

JustineMumsnet · 07/02/2019 21:37

@Overtheborder

I've had to rejoin mumsnet, new email address (solely for mumsnet) and new password.

I am worried re: data breach as I posted some very sensitive information over last weekend.

I have contacted MNHQ twice regarding this and haven't even received an acknowledgement. I am acutely aware they're all busy so am not having a tantrum, just saying.

Hi Overtheborder - as you rightly imagined we've got a lot of incoming but we'll make sure to get back to you tonight.

JustineMumsnet · 07/02/2019 21:38

@Nicknacky

End It doesn’t matter what info posters post or don’t post. Due to MN their privacy has been breached and that’s unacceptable.

And I’m not one to get bothered about data breaches but this one, and MN’s laid back attitude has really fucked me off.

We're really not laid back Nicknacky, honest.

JustineMumsnet · 07/02/2019 21:44

@Nicknacky

JustineMumsnet So why didn’t you post an update like you said you would, prior to sending out generic emails and worrying people?

Honestly, this should be a wake up call to you. It’s unacceptable how poor your communication is.

I don't think I said that did I Nicknacky?

JustineMumsnet · 07/02/2019 21:46

@WhentheDealGoesDown1

Am I right in thinking these generic emails are sent out in batches so some won’t appear until tomorrow because of the amount and the more specific emails have already been sent

The specific mails were all sent personally by me in the early afternoon. The non-specific update - which is pretty much what was posted here in the OP - was sent to the entire database in late pm and would have taken a little while to get to everyone but should have all gone by now for sure. If you didn't get one it's either gone to spam or you're not on our database. Hope that helps.

JustineMumsnet · 07/02/2019 21:47

@Tooldemont

I haven't received an email.

It's no point saying you aren't laid back about it, actions speak louder than words.

Ok I'll look into it - but as said it may have gone to spam or you may not be on our database..

JustineMumsnet · 07/02/2019 21:53

@EnidButton

If we're registered with you and have had replies in the past re post/spam reports etc, does that mean we're on your database?

I don't have an email either. Not in my spam or junk box.

We've had a big clear out post gdpr and deleted accounts that haven't opened mails for a bit, so not necessarily - only a proportion of those who've registered are on our email database. As said the email only contained the info in the OP here.

JustineMumsnet · 07/02/2019 21:57

@MarshaBradyo

Everyone uses an email address to join don’t they? So on the database?

No not necessarily we only keep emailing if you engage with the emails. If you open MN daily regularly and haven't received an email today and it hasn't gone to spam then we can check out to see if some have got stuck. But, as said - there's no new info in there that you can't see here. Everyone who we know has been breached we had a live email for and have mailed individually.

Worth noting here that there is no evidence of anyone doing anything nefarious, even when accounts were wrongly accessed. It doesn't mean it's not possible of course but this breach was caused by a bug in the code, not a hack.

JustineMumsnet · 07/02/2019 22:00

@SinisterBumFacedCat

No generic email here. Which is odd because MN email almost every time I breathe.

Ok will check - thanks for that.

JustineMumsnet · 07/02/2019 22:01

@Bluebellsarebells

So how are the people whose personal accounts have been breached going to find out about it if their email addresses are not on your database??? *@justinemumsnet*

So far we've had emails for everyone whose account we've found has been breached. If we discover a breach and don't have an email we'll pm.

JustineMumsnet · 07/02/2019 22:05

@WhentheDealGoesDown1

Am I right in thinking these generic emails are sent out in batches so some won’t appear until tomorrow because of the amount and the more specific emails have already been sent

I'm just chasing an answer on that.

JustineMumsnet · 07/02/2019 22:08

@Tooldemont

This can't be Justine, having such a laid back attitude to users personal details etc.

It would be more reassuring if that was a troll that had hacked her account, sadly I think it is her

I'm sorry but I don't get that?

JustineMumsnet · 07/02/2019 22:11

[quote ChristmasHumper]@JustineMumsnet I've had no email and nothing in my spam. I'm logged in and access MN daily. Please check where my email has disappeared to.[/quote]

Given the number of you who've said that on this thread I imagine it's a batch issue - we have about a million emails to send so would take a while to go. But I'm checking for sure and will revert.
