
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

toodlepipp · 07/02/2019 18:48

Having rejoined on desktop as Mumsnet seems to no longer recognise my email address and password since being logged out, I still cannot access MN through the app. What's going on?

StillCoughingandLaughing · 07/02/2019 18:49

These things happen, no harm done.

Well I’ve lost my old account because of this, as it’s associated with an email address I can no longer access.

beanaseireann · 07/02/2019 18:52

I had to log in and I'm on the app. Have I been affected ?

CameliaCamelia · 07/02/2019 18:54

First I've heard....no email or anything

This 'data breach' kind of thing seems to happen a lot on Mumsnet, doesn't it?

Donmesswime · 07/02/2019 18:56

Beanaseireann Everyone has been logged out. Apparently, if you've been affected they will email you, though some posters are saying they were affected but haven't yet received an email.

MarshaBradyo · 07/02/2019 18:57

These things happen and mnhq say never again each time

Donmesswime · 07/02/2019 18:57

Thank you @RedToothBrush for the explanation. I can kind of get it now. Still don't understand how they managed to do that though.

MrMeSeeks · 07/02/2019 19:01

Does it mean if no one’s emailed you or inboxed you your data is fine?

PickAChew · 07/02/2019 19:03

Something similar happened on three, recently. People opened up the three app, which requires you to be connected to their data to use, only to find other people's info on their screens.

CliffordDanger · 07/02/2019 19:06

@mnhq why are you so bad at handling data? I've only been on MN for 18 months but this sort of thing just keeps happening & you just keep reacting with the management equivalent of a tinkly little laugh and a shrug as you merrily trot along the same path. Bizarre way to operate an online business.

MarshaBradyo · 07/02/2019 19:07

They always do that oh we’re just bumbling through thing

Getting a bit old now

Donmesswime · 07/02/2019 19:08

@JustineMumsnet
Are you firing whoever was responsible? Do you outsource IT or was this an internal employee?
The world probably isn't going to end, like it might if it was a bank who made such an error, but it would appear from some explanations I've read on the thread, that this was a preventable error if someone knew what they were doing.

TheoriginalLEM · 07/02/2019 19:09

I was logged out when I came online, does that mean my account has been hacked?

Donmesswime · 07/02/2019 19:10

No, everyone was logged out. During the day, they also logged out the App users, even though they hadn't been affected by the breach (or so they say).

Donmesswime · 07/02/2019 19:13

@RedToothBrush
Can you ask whoever explained what happened, why it was simultaneous logging in that affected the data being mismatched/copied? Hope that question makes sense.
I'm just wondering whether everyone's data was mixed up? And why it only came to light when there were simultaneous logins.

Donmesswime · 07/02/2019 19:15

As I've said above, I haven't been affected, and even if I was it would be no big deal, but this seems like a Royal fuck up that other companies can prevent happening, so I'm curious as to what sort of half assed system they have in place really.

RedToothBrush · 07/02/2019 19:16

It's a common thing.

Again think of it like using a spreadsheet.

If you delete or add a single cell it can throw the whole spreadsheet out if you aren't careful.

It's easy to do, which is why you are supposed to test your code before you go live to ensure that all the data is correctly lined up.

This type of security breach is most common when proper testing isn't carried out routinely whenever you do an update - which is why DH recommended an ISO protocol because you systematically do the testing if you follow the protocol.

It doesn't stop security breaches but it greatly reduces the chances of them. Which is why the protocol was designed. It helps to give people using a site which complies with ISO protocol greater confidence in the security of their data.

TSB have fallen foul of the same sort of glitch and it was catastrophic because it let people log into other people's accounts.

Knowing the nature of the glitch should make people a little more aware that MN can be reasonably confident (and all of us) that it was an internal issue rather than an external hack.

And if they have just reversed the update to a previous backup, the issue won't be ongoing, and will have been time limited to the period the update was live.

I'm not an expert. DH is. He just explains it to me in a 'dummy's guide to web security' kind of way. He said immediately that it was a tech thing when I told him what happened, and not a hack before I said that MN had just done an update on User Logins. What MN have said is consistent with what he said.

He comes across the problem a lot. MN are unfortunate in the sense that when it has happened to them it's public to a lot more people than is normal and they have nowhere to hide from it. They should do better, but I don't think they are necessarily worse than a lot of other places who handle your data. As I say TSB had a similar issue.

Smotheroffive · 07/02/2019 19:17

Don, if you imagine as each record gets lifted from its normal resting place and moves across to the new platform (cloud), someone logs in, and it gets misappropriated because of the routines having parallel processes for instances, so it plucks the wrong data at a given point (record searching as a result of login request)

Smotheroffive · 07/02/2019 19:19

Hopefully MNHQ will be along to give a definitive so we can all stop second-guessing worrying about potential threats to privacy.

RedToothBrush · 07/02/2019 19:20

^Can you ask whoever explained what happened, why it was simultaneous logging in that affected the data being mismatched/copied? Hope that question makes sense.
I'm just wondering whether everyone's data was mixed up? And why it only came to light when there were simultaneous logins.^

DH is out on the piss tonight, and I don't know what happened or if that's an accurate reflection of what happened. I'll pose the question to him and see if he can answer tomorrow. Sorry I can't help right now.

LyingWitchInTheWardrobe2726 · 07/02/2019 19:27

CH810N, I don't think my post was smug and I'm not going to apologise for it, it was mostly annoyance at the rudeness of some posters who use every excuse to kick off and give others a kicking. MNHQ don't deserve that, nobody does.

Yes, this is awful, it's the second time it's happened (as far as I know), I don't post personal stuff anywhere online, not just here, it's just not how I use the site. I don't know what the relevance of your saying 'some posters post personal details' and that it's encouraged. It really isn't.

What I do have though, in my PMs, are addresses of other people who've given me those to send things. I've deleted those but perhaps not as quickly as I should. I'm deliberating whether to keep my own account here myself.

Donmesswime · 07/02/2019 19:27

That's cool, thanks for explaining to an IT dummy like moi. Hadn't heard of the TSB breach.

category12 · 07/02/2019 19:28

@Justinemumsnet What's with having to accept cookies every single time I open a page? Driving me nuts.

pigsDOfly · 07/02/2019 19:32

Yes, I've had the cookies thing a couple of times.

I've also been wondering about that.

Smotheroffive · 07/02/2019 19:34

LEM every user was logged off when the problem was found
