Mumsnet data breach - please read

[JustineMumsnet]

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts

What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

Yes, we are all aware that threads are completely visible and often highly desirable for other to use and pay MN for that, plus the revenue from ads, but they are not at liberty to sell our private login details. Our passwords should have high level encryption, interesting then that it didn't require specific login to access user data, just any old login would have done, so basically a hack to access data by another name

WAG unnecessarily cruel post at a time when users are scared and cancelling accounts as a result. Nothing against being honesty, but that post was just nasty.

I've deregistered, set up a new email account to be used just for MN and re-joined.
Had a few name changes over the years but suppose will have to start from scratch. (Again. De-reg'd when the list of email addresses were published)

What I wish I'd raised before is the RIDICULOUS amount of spam I get to that account - now I'm thinking about it, given mn are the ONLY people I've EVER given this address to I'd like to know HOW these companies HAVE this address?

When you register on a website (e.g., Mumsnet), use the website name as a double barrel with whatever first name you're using. For example, Jane-Mumsnet Smith or Susan-Bounty Brown.

Then when you start getting spam you will know exactly which website sold your details as it'll show in whatever name the spam company is addressing you by.

Just realised mine are all spam free too!! Thats a sign of security

I've got a specific e-mail account for here as well, there's nothing on it except mails from MNHQ so nobody can get any other info from it, set it up after the other attack

Guardian article on the breach

Getting lots of local media coverage too, so hopefully MNers who dont' log on regularly will also be aware soon

I think you've got bigger problems than 'just' the data breach - I received an email purporting to be from MN about the data breach which was sent to an account which I don't use for MN. I haven't received any email from MN at the email address where I am registered with MN.

Ewits - but I literally only use that email account for mn. I have never ever given it to another company.

I cant change any details on my settings - clicking save and they just jump back to original information.

Think I will dereg and rejoin

Graphista I don't get spam on the account I use for MN either. Not doubting you, just wondering WTF is going on

I messaged this morning to say this happened to me. I have not received an email :(

I had to open a new account with a new name this afternoon-this one that I'm using now. Is it best to just shut the account altogether?

WAG unnecessarily cruel post at a time when users are scared and cancelling accounts as a result. Nothing against being honesty, but that post was just nasty.

It's not nasty. It's simply reality. I stand by my view and demonstrably others are beginning to see the harsh reality of over sharing online. Many have been very naive.

Every day people are teaching their children to withhold personal details to those they meet online, and take sensible precautions.

Yet here we are with those same people complaining they have given over the most sensitive and intimate data of their lives coupled with their addresses, health records, email addresses, family information.

It's time to take responsibility for your own actions. LEARN how to stay safe online yourself.

I've been logged out on both the app on my iPhone and on my laptop on the webpage.

I have been able to re-login on my phone but despite resetting my password several times I can't log in on my laptop - using email, not google/facebook.

Any one else having this problem?

@EwItsAHooman you evil genius you!

@MN, no words really. Piss poor planning....

I haven't had any emails from Mumsnet.

MNHQ, I think moving forward if you require our addresses, then you need to have them under a separate password protection in the users account.

I don’t think anyone from MNHQ most MN userswould like a rerun of what happened to Justine at her home address when the last time MN was attacked.

I know it’s a stressful time for All concerned, however other sites manage to keep there users data secure, twice in 3 years is completely unacceptable.

A PP mentioned the possibility of sending a Subject Access Request to find exactly what data MN hold on a user

No doubt there'll be plenty on their way, so given the time limit for responses I guess we can only hope HQ have the staff to cope with this, as well as sorting the original issue

Also I haven’t had an email!

What protection are you giving to those whose details have breached, and those of them that sensitive in their PM or those who are vulnerable?

It is staggering really, why wasn’t testing done, to ensure these breachs could be avoided.

*That have sensitive information in their emails

This latest data breach makes a clear case to have old data deleted. Say after 5 years?

I received an email purporting to be from MN about the data breach which was sent to an account which I don't use for MN. I haven't received any email from MN at the email address where I am registered with MN.

Often when there are data breeches there are people who use the data breech to carry out another scam.

I believe that bank customers have been victims of this after they have security breeches.

Which isn't going to reassure anyone, but its a known abuse so people should be aware and check where emails are coming from and whether its a legitimate email address.

Ironically I've not had an email about the security breech either (and I do regularly get MN emails relating to my account actively and no there is nothing in my spam filter).

Why is there is nothing on the Mumsnet twitter about it?

It'll be all over the press soon enough anyway.

It's already on the Guardian website.

oh there is stuff on twitter alright People saying that MN users can see other users privates.

The words laughing and stock spring to mind.