
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we've become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

Nicky2016 · 07/02/2019 17:45

This reply has been deleted

Message deleted by MNHQ.

ohheyfreakingout · 07/02/2019 17:46

@nicky2016 you'll get help and replies if you start your own thread, rather than posting on another one in an irrelevant category. Try starting a new one in the right topic; I'm sure posters will be hth.

AskingQuestionsAllTheTime · 07/02/2019 17:49

"I've never known anywhere as shit as Mumsnet for data breaches tbh." and other such comments.

Understandable, but what can you think about this one?

I was obliged to register with an organisation in order to be able to access information which I needed. They required me to give them a password and an email address.

A few months later I got a blackmailing email to the address I had used for them, demanding bitcoin to stop the sender from passing on to my "address book" all the details of my "dodgy browsing history" complete with video from my "computer camera". (Since I had none of the above, I wasn't that worried, but I was angry about my data having been cracked.) This email used my password as a header, so the organisation must have been keeping my email address and my password in the same crackable location -- something which simply ought not to happen.

(As the letter from MNHQ above says: "They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.")

That was a disgusting data breach, and when I contacted them to report it they simply were not interested: I never heard back from them. Personally I think Mumsnet are doing a lot better than that, on their showing today.

Oh, the organisation I found so poor? It's called the BBC.

GerryblewuptheER · 07/02/2019 17:51

askin

I started a thread as I had a similar email that came from "me"

I hadn't emailed the BBC though.

Toptheginup · 07/02/2019 17:51

How to delete account?

C8H10N4O2 · 07/02/2019 17:51

I received an email purporting to be from MN about the data breach which was sent to an account which I don't use for MN

Is the "from address" some-words@mumsnet.com? If not from @mumsnet.com it's likely to be fake.

You can try checking here:

email-checker.net/check

Don't enter any information other than the "from" address in the mail.
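The check the post describes, worked through in code as an added example (this is not Mumsnet's code and the mail headers are constructed). It assumes only what the post says: genuine mail comes from an @mumsnet.com address. The point it adds is that the part of a From header a mail client shows in bold (the display name) is free text, so the comparison has to be made against the real address after the angle brackets, and against the whole domain rather than a substring.

```python
"""Added example: does the real sender address of a 'From:' header match the expected domain?

Assumptions (constructed for this example, not taken from any real message):
  - genuine notifications come from an address at EXPECTED_DOMAIN
  - the header strings below are made up to cover the common disguises
"""
from email.utils import parseaddr
from typing import List, Tuple

EXPECTED_DOMAIN = "mumsnet.com"   # the domain the post says genuine mail uses


def sender_domain(from_header: str) -> str:
    """Return the domain of the actual address (the addr-spec), ignoring the display name.

    parseaddr splits 'Display Name <local@domain>' into its two parts, so a display
    name that merely *looks* like an address is never mistaken for the real one.
    Returns '' when no usable address is present.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1]
    return domain.strip().lower().rstrip(".")   # case-insensitive, tolerate trailing dot


def looks_genuine(from_header: str, expected_domain: str = EXPECTED_DOMAIN) -> bool:
    """True only if the real sender domain is exactly the expected one.

    Exact equality (not 'contains' or 'startswith') is what rejects lookalikes
    such as mumsnet.com.example.net, where the expected name is only a prefix.
    A passing result is a weak signal: header From can itself be forged, so this
    rules mail out rather than proving it genuine.
    """
    return sender_domain(from_header) == expected_domain.lower()


# Constructed sample headers (not real messages).
SAMPLE_HEADERS: List[str] = [
    "Mumsnet <alerts@mumsnet.com>",                    # plain genuine form
    "ALERTS@MUMSNET.COM",                              # bare address, odd casing
    '"alerts@mumsnet.com" <news@evil.example>',        # display name disguised as an address
    "Mumsnet Security <alerts@mumsnet.com.example.net>",  # expected domain used as a prefix
    "not an address at all",                           # malformed header
]


def classify_headers(headers: List[str]) -> List[Tuple[str, bool]]:
    """Pair each header with the verdict, for reporting or assertions."""
    return [(h, looks_genuine(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in classify_headers(SAMPLE_HEADERS):
        print(f"{'GENUINE-LOOKING' if verdict else 'SUSPICIOUS     '}  {header!r}  "
              f"(real domain: {sender_domain(header) or '-'})")
```

The two headers that fool a quick glance are the third (a display name that is itself written as an address, while the real address is elsewhere) and the fourth (the expected domain appearing at the start of a longer one); both fail the exact-domain comparison on the real address.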

Namastethefuckawayfromme · 07/02/2019 17:52

This reply has been deleted

Message withdrawn at poster's request.

HelenaDove · 07/02/2019 17:53

www.theregister.co.uk/2019/02/07/mumsnet_breach/

C8H10N4O2 · 07/02/2019 17:53

I've also had no email yet about the breach. Is it only being sent to the people who reported a specific issue? I was definitely logged in during the period in question.

RedToothBrush · 07/02/2019 17:54

"I've never known anywhere as shit as Mumsnet for data breaches tbh." and other such comments.

In fairness, when it happens on MN you KNOW about it.

That doesn't mean it isn't happening elsewhere....

...just saying.

thesunwillout · 07/02/2019 17:57

I can log in on chrome on phone but not on the app.
I get no new page on the app to fill in a new password, after clicking on the 'forgot your password' option.
No email being received to reset password.
This is on the app.
This happened two weeks ago also, but I thought it was just me

Frankiestein402 · 07/02/2019 18:01

@red - if the breach was associated with simultaneous logins then I would not have expected it to be caught in unit testing - (I might guess at the session authentication hand-off between cloud and on-premise but it would be just as valid as guessing it's down to cosmic rays ;) )

Unless a test specifically designed to check for this was present in the regression pack then it's not surprising it was missed - otherwise only a stress test would have been likely to trigger it and your result analysis would have to be explicitly checking for it.

It is very difficult to trigger events to hit at the same clock tick though easier if it's associated with an overlap of authentication.

Apologies - the above waffle is to suggest that calling it a basic error is unfair if it really is associated with a simultaneous event corner case.

(arguably should have been caught at design stage - but the problem these days is the raft of library and framework dependencies that few individuals have the expertise to know in depth)
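An added illustration of the failure mode Justine's post describes and of the kind of test this reply says the regression pack would have needed. It is not Mumsnet's code and does not claim to show what actually went wrong on their side; the "shared-state" store is a hypothetical design in which one process-wide slot holds the current user, the sort of thing a misconfigured cache or a reused request object produces during a platform move. A barrier makes the two logins overlap every time, so the test fails deterministically on the shared-state design and passes on the per-request one, rather than depending on lucky timing.

```python
"""Added example (not Mumsnet's code): a session-mixup race and a test that catches it.

Two request handlers authenticate at the same moment. If the "current user" lives in
state shared by every handler, one request can finish holding another user's identity.
The barrier forces the overlap so the regression check gives the same answer every run.
"""
import threading
from typing import Callable, List, Tuple

Sync = Callable[[], object]   # a hook that stalls the handler mid-request


class SharedStateSessionStore:
    """Hypothetical buggy design: one 'current user' slot shared by all handlers."""

    def __init__(self) -> None:
        self.current_user: str = ""

    def login(self, username: str, sync: Sync) -> str:
        self.current_user = username   # handler A writes its user...
        sync()                         # ...then does other work while handler B also writes
        return self.current_user       # A now serves whichever user was written last


class PerRequestSessionStore:
    """Fixed design: session state is created inside the request and never shared."""

    def login(self, username: str, sync: Sync) -> str:
        session = {"user": username}   # owned by this request alone
        sync()                         # other handlers cannot touch it
        return session["user"]


def concurrent_login_results(store, usernames: List[str]) -> List[Tuple[str, str]]:
    """Log every user in at the same instant; return (requested, served) pairs.

    Each handler writes its user, then waits at the barrier. The barrier only opens
    once all handlers have written, so every read happens after every write: the
    worst-case overlap, reproduced on demand instead of once a fortnight.
    """
    barrier = threading.Barrier(len(usernames))
    results: List[Tuple[str, str]] = []
    lock = threading.Lock()

    def handler(name: str) -> None:
        served = store.login(name, barrier.wait)
        with lock:
            results.append((name, served))

    threads = [threading.Thread(target=handler, args=(u,)) for u in usernames]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def count_mismatches(store, usernames: List[str]) -> int:
    """Regression check: how many logins ended up served another user's identity."""
    return sum(1 for requested, served in concurrent_login_results(store, usernames)
               if requested != served)


if __name__ == "__main__":
    users = ["alice", "bob", "carol"]   # constructed sample accounts
    print("shared-state store mismatches:", count_mismatches(SharedStateSessionStore(), users))
    print("per-request store mismatches: ", count_mismatches(PerRequestSessionStore(), users))
```

With the shared-state store and N overlapping logins, exactly N-1 handlers serve the wrong user (only the last writer sees its own name); with the per-request store the count is always zero. The same `count_mismatches` call is the assertion a regression suite would carry, and the barrier is what turns "only a stress test would trigger it" into a check that runs in milliseconds.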

HighLaurel · 07/02/2019 18:01

Same here, namaste.

TeddyIsaHe · 07/02/2019 18:02

Have MNHQ given reasoning behind refusing to delete posts?

MarshaBradyo · 07/02/2019 18:04

Will everyone who this has happened to be alerted by mnhq?

PCohle · 07/02/2019 18:04

Justine said at 13:51 "We are investigating which accounts have been affected - we don't think it's many and we will contact you if we think it is yours."

So I would assume they are only emailing affected accounts.

HighLaurel · 07/02/2019 18:06

Teddy :
"as far as mass withdrawal goes, we very rarely delete posts".

Donmesswime · 07/02/2019 18:07

It's not an issue for me, as I use a dummy email a/c just for MN. I don't have any PMs, and my posting history is available for all to see anyway. So all anyone would see on me, is my dummy email address.

I guess if posters have filled in all their personal details, have their real name in their email address, have pms with highly sensitive info shared, it's more of a concern.

Ereshkigal · 07/02/2019 18:08

It'll be all over the press soon enough anyway.

Already is. In the Guardian. With bonus author opinion about Emma Healey from someone who doesn't seem to understand how data protection law works:

The site last had to report itself to the information commissioner in 2018, after a row about trans rights on the forum escalated when a former employee published screenshots of posts that contained the IP addresses of the user who wrote them. Despite the fact that the publication was accidental on the part of the ex-employee, Mumsnet treated it as a data breach, and passed the details on to the ICO.

www.theguardian.com/uk-news/2019/feb/07/mumsnet-reports-itself-to-regulator-over-data-breach

BeneathTheBoughs · 07/02/2019 18:08

You can't require Mumsnet to delete your posts as they own them now. Which is how they are able to sell/publish them elsewhere whether you like it or not.

C8H10N4O2 · 07/02/2019 18:08

Lyin I don't have personal details on this site and I'm sure I'm not alone in that.

Nor do I. I don't feel that entitles me to write a smug self congratulatory post sneering at people who may have shared some personal information in a PM at a time of great distress.

On a site which encourages said sharing and dismisses posts flagging up over sharing as "troll hunting".

Nor do I think the fact that I'm probably fine excuses poor testing and a very weak response protocol. I don't think the ICO accepts it as an excuse either.

HighLaurel · 07/02/2019 18:08

Teddy - I posted too soon as I tried to C & P Grin

"Mumsnet is about parents searching, sometimes via Google, for valuable information, support and advice and it would be difficult for these users to arrive on a thread full of holes, especially in the areas where you have posted."

Donmesswime · 07/02/2019 18:11

I agree that it wouldn't have been caught at testing stage, unless you were specifically looking for it.
That said, it's a massive fuck up that, just because User A and User B are both signing in at, for example, 5pm on the dot, somewhere, somehow, the system doesn't recognise the difference between them. Quite bizarre.

Namastethefuckawayfromme · 07/02/2019 18:11

This reply has been deleted

Message withdrawn at poster's request.

HighLaurel · 07/02/2019 18:11

Beneath, there's nothing wrong with users asking nicely to have them removed though, especially under these circumstances.
They've said no, that's fair enough.
