Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

Portulaca · 07/02/2019 19:38

As a precaution, I deregistered, and re-registered using a new email address. I don't go on MN that much these days, so it didn't matter to me losing my NN etc. But this stuff happens all too frequently and it's making me rather nervous about all social media sites.

RedToothBrush · 07/02/2019 19:39

What's with having to accept cookies every single time I open a page? Driving me nuts.

GDPR. If you don't accept cookies, then the site doesn't know you've already opened a page. It has to ask you whether you want cookies the first time you open a page. The trouble is if you don't accept the cookie, then it has no way of knowing that you've already opened a page and so it treats you as if it's your first time opening a page and asks you about cookies. Rinse and repeat until you get to the point where you scream a bit and accept the fucking cookies cos it's driving you mad.

I think this might be a bit of a flaw in the system tbh. And yes it drives me mad as it's not just MN. I am remaining determined at this point to Fight The Cookie Monster on most sites but I confess that on some, I have given in.

epicclusterfuck · 07/02/2019 19:40

Hmm I would say this should have been picked up by testing, specifically non functional testing which would include load and performance testing. These are often tests that can be automated so should be frequently repeated e.g. nightly.

RedToothBrush · 07/02/2019 19:40

But this stuff happens all too frequently and it's making me rather nervous about all social media sites.

You should be. Very.

Other social media sites have far more sinister and worse data privacy issues.

Tanfastic · 07/02/2019 19:41

I got the log in notice on the app (I only use the app) about a week ago. I just reset my password as I couldn't remember the old one anyway.

I've got it again today. Is there anything else I need to do? Worried now

AuntieStella · 07/02/2019 19:42

@mnhq

During a previous security breach, it became clear that MN held on to previous email addresses even if a user changed to a new one.

You undertook to delete completely all email addresses other than the one in current use.

Can you confirm that all required deletions took place as you promised?

HighLaurel · 07/02/2019 19:44

Good question AuntieStella, I'd forgotten about that.

indistinct · 07/02/2019 19:47

MNHQ - based on the OP it sounds like you're still trying to diagnose the issue. Just a suggestion but the observed behaviour seems typical of non-thread-safe code running in a multi-threaded environment. Issue only appears when running under high load as thread clashes are difficult to test for at low loads. You might want to look at automated thread-safety checkers for future releases. Apologies if not helpful.

By the way many thanks for open and honest statement of the breach.
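An added illustration of the bug class suggested in the comment above, and of the kind of automated concurrency test suggested earlier in the thread. It is not Mumsnet's code or the poster's, and the page does not state the actual cause; the class and function names are hypothetical. A handler that keeps per-request data in shared state is shown beside a version that keeps it in a local variable, with a test that forces simultaneous logins and reports who received someone else's session.

```python
import threading


class UnsafeLogin:
    """One handler object shared by every request thread (hypothetical)."""

    def __init__(self, credential_check):
        self._credential_check = credential_check  # stands in for a slow lookup
        self._user = None  # BUG: per-request data stored in shared state

    def login(self, username):
        self._user = username      # this request records who is logging in
        self._credential_check()   # other requests overwrite it meanwhile
        return self._user          # session is issued for whoever wrote last


class SafeLogin:
    """Same flow, but per-request data never leaves the calling thread."""

    def __init__(self, credential_check):
        self._credential_check = credential_check

    def login(self, username):
        user = username            # local variable: private to this call
        self._credential_check()
        return user


def mismatched_logins(handler_cls, usernames):
    """Log every user in at the same moment; return users given a wrong session."""
    barrier = threading.Barrier(len(usernames))  # forces the logins to overlap
    handler = handler_cls(barrier.wait)
    issued = {}

    def request(name):
        issued[name] = handler.login(name)

    threads = [threading.Thread(target=request, args=(n,)) for n in usernames]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(n for n in usernames if issued[n] != n)


if __name__ == "__main__":
    users = [f"user{i}" for i in range(8)]  # constructed sample accounts
    print("unsafe:", mismatched_logins(UnsafeLogin, users))
    print("safe:  ", mismatched_logins(SafeLogin, users))
```

The barrier makes the overlap certain on every run; without it the unsafe handler would only fail intermittently and mostly under load, which is why single-user functional tests tend to miss this class of defect.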

TopBitchoftheWitches · 07/02/2019 19:49

How many people managed to access other posters' data? @mnhq you do realise the implications of this with regards to doxxing?

Wallywobbles · 07/02/2019 19:50

Can’t log in onto the app at all on iphone. The password reset email arrived. The link sends me to the home page with no way to set a new password. Still working using FB login on Safari. FB login still not working for the app. Bit of a shit show now.

JaneJeffer · 07/02/2019 19:55

Is there a way to use a different email address without deleting account and making a new one?

I tried to reset password but I don't think it worked.

Still logged in on app.

youllhavehadyourtea · 07/02/2019 19:57

I deleted my account and re-joined using a specially created email address. Seemed like the safest option.

JaneJeffer · 07/02/2019 19:58

I don't want to have to name change again!

Donmesswime · 07/02/2019 20:03

DeanDeifir
It's actually wise to change your name frequently. TMI linked to you if you don't. Wink

Smotheroffive · 07/02/2019 20:04

Not only written data issues, like the cookie monster, but the recording of voice and images being routinely collected and used!!! Now be scared! Confused. All of this is currently done under the radar, like Google Earth also logging all phone data as they go round innocuously stalking capturing street images.

WhentheDealGoesDown1 · 07/02/2019 20:06

JaneJeffer

I think you must just change your email on the settings page and put in your password as I must have done this quite recently as my old email address became redundant. I can’t recall there was a problem and I just kept the same account

Smotheroffive · 07/02/2019 20:07

Surveillance and predatory capitalism

Smotheroffive · 07/02/2019 20:10

[https://www.independent.co.uk/life-style/gadgets-and-tech/news/google-voice-search-records-stores-conversation-people-have-around-their-phones-but-files-can-be-a7059376.html]

SwedishEdith · 07/02/2019 20:14

After previous breach I have a specific MN email account that's only used to sign in here!

Me too. But I posted only a few weeks ago that I do have two spam messages in there. Only two and in my inbox - nothing in my Spam folder. And from a dodgy political organisation.

indistinct · 07/02/2019 20:16

@MNHQ - by the way it's probably worth allaying some concerns by stating that the breach looks to be an unintentional issue in your authentication software/code rather than a deliberate and successful breach by a malevolent actor to obtain/exploit people's details. It can be inferred from your "why this has happened" statement but perhaps it's worth stating explicitly. People may be relieved to know that it seems accidental rather than intentional.

SpringForEver · 07/02/2019 20:29

*@mnhq

During a previous security breach, it became clear that MN held on to previous email addresses even if a user changed to a new one.

You undertook to delete completely all email addresses other than the one in current use.

Can you confirm that all required deletions took place as you promised?*

Re: the above - I have tried to sign up with a previously used email account and received a message telling me it is already in use. Would assume that if the info had been deleted I could use it again.

Smotheroffive · 07/02/2019 20:31

I think it's best we know what it actually is, when MN actually know. The fact that it hasn't been posted on here after all this time says quite a lot!

category12 · 07/02/2019 20:33

redtoothbrush, I have accepted the cookies about a zillion times. It's still asking me every time I change page on here. Something's gone screwy with it.

2019willbegreat · 07/02/2019 20:33

What amazes me is how shocked people are about a breach. Seriously. As much as I love mumsnet, it's just a middle of the road organisation. The FBI, governments, Facebook, huge global organisations, banks... they ALL get hacked at some point. It's when not if. The criminals/antagonists are always one step ahead as that is their raison d'être. People need to be more aware of their digital footprint because with the best will in the world, and even with the best IT staffs, digital platforms are not safe. So create a gmail account with fake details for shit like MN, don't put personal details in your profile and always think what you are typing could appear on the front page of the Sunday Times.

AnyFucker · 07/02/2019 20:33

I am loving not having to wade through all the boring MN Stickies at the top of Active Conversations Smile