
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts

What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

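As an added illustration (this is not Mumsnet's code, and the shared-state cause is an assumption, not something the thread establishes): a login flow in which the identity proved by one request leaks into the session issued for an overlapping one, the per-request binding that prevents it, and a log check of the kind the OP describes for finding sessions that were served the wrong account.

```python
# Added illustration, not Mumsnet's code. The shared-state cause below is an
# assumption; the credentials and log entries are constructed test data.
USERS = {"alice": "pw-a", "bob": "pw-b"}


class SharedStateLogin:
    """Buggy flow: step 1 parks the authenticated user in state that every
    in-flight request can see; step 2 reads it back to mint the session."""

    def __init__(self):
        self.pending_user = None   # shared across requests: the defect
        self.sessions = {}

    def authenticate(self, name, password):
        if USERS.get(name) == password:
            self.pending_user = name

    def issue_session(self, session_id):
        self.sessions[session_id] = self.pending_user
        return self.pending_user


class PerRequestLogin:
    """Fixed flow: the authenticated identity stays with the request that
    proved it and is written straight into that request's own session."""

    def __init__(self):
        self.sessions = {}

    def login(self, session_id, name, password):
        user = name if USERS.get(name) == password else None
        self.sessions[session_id] = user
        return user


def interleaved_logins(flow):
    """Two logins whose steps overlap: A and B both authenticate before either
    session is issued. Returns the account served to A and the one served to B."""
    flow.authenticate("alice", "pw-a")    # request A, step 1
    flow.authenticate("bob", "pw-b")      # request B, step 1 overwrites A's user
    return flow.issue_session("sess-A"), flow.issue_session("sess-B")


def mismatched_sessions(log):
    """Log check: session ids whose served account differs from the account
    that logged in. log = (session_id, logged_in_as, account_served) tuples."""
    return sorted({sid for sid, who, served in log if who != served})


if __name__ == "__main__":
    print(interleaved_logins(SharedStateLogin()))   # A is served bob's account
```

Note the buggy flow is one-sided, as one poster reports later in the thread: A lands in B's account while B still sees her own.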
C8H10N4O2 · 07/02/2019 18:12

Frankiestein
I would not have expected it to be caught in unit testing

I agree I wouldn't expect to find a synchronised login issue in unit testing. However I would expect to find it in integration testing or stress testing because it should be a standard NFR and security requirement on any site with a large login base. Especially one on social media which is routinely targeted.

When concerns were raised about this last year in the run up to GDPR day we were told it was being fully covered by the experts. It seems they were missing quite some chunks of the manual, especially when constructing the response model.

The weak testing is something which has been flagged up every time there has been a breach. Of which there have been too many in recent years to be justified as "bad luck".

mathanxiety · 07/02/2019 18:13

I had to log in today on the PC. I share concerns about linking google and FB logins.

I also think MN needs to be hypervigilant about doxxing threats. Doxxing will have an immediate and very negative effect on MN's bottom line.
...............

I tried the android app too.
I am apparently logged in but access to TIO is denied.

I have been having this issue with the android app for the last week, maybe a little more.
I try to see TIO but am denied access, with the message 'you have to be logged in to see TIO'.

So I go to log in and find I am actually logged in.

I can usually post on a thread in Active, which solves my problem, but clearly something is awry.

TeddyIsaHe · 07/02/2019 18:15

I’d put in an SAR request then, it’s much more of a ballache to send you every single bit of data they hold on you rather than deleting your posts!

Or you could pull the time-honoured MN tradition of crying “I’ve been outed!” Which in this case is actually a high possibility.

I love MN and it’s seen me through some rough times, but this is ridiculous. The fact that they're STILL using unpaid volunteers to police the boards at night is something that’s been annoying me for months (and they refuse to do anything about). It’s a joke.

Donmesswime · 07/02/2019 18:16

Can you explain why 2 users simultaneously logging in can have their accounts mixed up? In simple English please.

An equivalent is 2 Lloyds bank users logging in to their a/c's online getting access to someone else's bank account. That doesn't happen, so what sort of shambles have you here, that it can happen on MN?

Donmesswime · 07/02/2019 18:19

In fact, since I don't expect a response from MNHQ to my question, can anyone with IT knowledge explain how this could have happened. Simple English preferably.

WorraLiberty · 07/02/2019 18:19

Can you explain why 2 users simultaneously logging in can have their accounts mixed up?

See that wasn't what happened to me.

I logged into my account and found I was in someone else's, but that poster wasn't in mine, she was in her own too.

Weird.

toodlepipp · 07/02/2019 18:19

Got logged out of the app, and could not log back in, it would not recognise my email or password. Have set up a new account with same email address as mumsnet seems to have forgotten I exist!

Smotheroffive · 07/02/2019 18:20

Like I said WAG I am all for honesty, I said that, for reality. It was the tone that came across poorly.

FissionChip5 · 07/02/2019 18:20

I’ve been logged out and can’t reset password.
Also, I don’t know if it’s a coincidence but at the same time I was logged out of MN my iCloud wouldn’t let me in or to reset it either.

Puzzledandpissedoff · 07/02/2019 18:20

The fact that they're STILL using unpaid volunteers to police the boards at night is something that’s been annoying me for months

I was aware they used to do this, but not that they still are

Yet another thing I wonder is why a company with a healthy bottom line considers this appropriate ...

Smotheroffive · 07/02/2019 18:21

Weird shit going on still then...

Donmesswime · 07/02/2019 18:22

Well, I'd quite fancy managing to log into someone else's bank account lol. They could happily get access to mine and maybe pay off my overdraft haha.
But, I still don't understand how it could have happened. It's like your a/c isn't actually linked to your login details somehow. Which almost seems impossible to me. It's like something you'd need to try very hard to engineer, rather than something that could happen accidentally IYKWIM?

Smotheroffive · 07/02/2019 18:23

In hindsight it seems beneficial that news of this was not widely shared immediately because of the open breach being potentially further abused.

Smotheroffive · 07/02/2019 18:26

It might be to do with record (data) numbering/ IDs, where duplicates could have been temporarily created and records transposed. I've seen that happen exploited its advantages
As one possibility of how these things could happen.

Smotheroffive · 07/02/2019 18:28

The evidence of trolling and actions to curtail overnight are still down to the volunteer night watchers afaia

Donmesswime · 07/02/2019 18:29

Smother
So, in simple terms, instead of User #s 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, they have 1, 2, 2, 3, 4, 4, 5, 6, 7, 7, 8, 9, 10?
That doesn't even make sense. And what are the odds of Users 2 and 2 logging in simultaneously?

TeddyIsaHe · 07/02/2019 18:30

Puzzledandpissedoff perhaps now that a major data breach has occurred when there are only unpaid volunteers with no more power than the ability to hide threads means MNHQ will actually start looking into sorting it out.

Donmesswime · 07/02/2019 18:31

Did you get any juicy info @Worraliberty?

traceyracer · 07/02/2019 18:37

Wasn't there a "heartbeat" data breach a couple years back too?

Smotheroffive · 07/02/2019 18:37

If a system is static and no upgrade taking place, likelihood of duplicates randomly happening, no. When a system update underway and records potentially being copied and moved etc, the record identifiers could then potentially be more at risk. Although even in a static system there can be room for using a record identifier to call up and replace another, it's the record being open and active whilst other software changes are being implemented causing the mix. I am in no way saying that's what happened here as I wouldn't have a clue what's gone on, but just saying, it's not just a software upgrade but data transfers.

HighLaurel · 07/02/2019 18:39

I'll certainly put in an SAR teddy and not just for this account but also for my original account that I deregistered a couple of years ago. I'd been on MN for about 10 years on that one. I don't know how long MN holds user info after an account is deleted so will be interested to find out.

RedToothBrush · 07/02/2019 18:41

Yes it's to do with account IDs.

Think of it like a spreadsheet with numbers. When the tech went live the data in the adjoining cells moved down a line so didn't match up with the correct user ID.

So if you are ID 345 then instead of showing the data for your ID, everything shifted down and you saw all the data relating to ID 344 instead.

Until your computer updated, you might have a situation where someone who just logged in was seeing the updated data but the other person was still seeing their own data. Thus two people seeing the same thing at the same time.

This is a bit of a simplified explanation, but it's essentially how it was explained to me by DH.

Helsvamp · 07/02/2019 18:44

I just had to re log in and change password I am guessing mine was affected

RedToothBrush · 07/02/2019 18:45

Or the data from one line was duplicated so users 345 and 344 were both seeing the same thing.

MrMeSeeks · 07/02/2019 18:46

Me too Hmm I'm going to have to delete my acc, fed up of this