Mumsnet data breach - please read

[JustineMumsnet]

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts

What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

No, you shouldn't have to keep accepting cookies. We all know its a one-off. I've got a weird thing where none of the strpline ads are appearing (which is nice!!). Its just blank with a cross in the corner...bit like ghost town though!

2019 There hasn’t been a hack though. It’s MN poor business practice that have left posters completely exposed. It IS their fault and is totally unacceptable.

For the last 2 nights my phone has reverted to "safe mode". It has never done this previously. I am not that clued up re tech but could this be related to the MN issue?

Answers would be good @justinemumsnet

This isn't the first time Mumsnet have messed up badly with users data.
@mnhq

People saying that MN users can see other users privates

Blimey, I'm never using a webcam again!

Taking the sage advice offered - which didn't occur to me I'm afraid {blush} - I've created a new email account with fake details. But will MN hold onto my now de-registered details?

If MN have emailed the generic message, does that mean I have been subject of a breach?

Or is it a generic email?

@MNHQ I have had what I thought was a generic blanket email to inform me of this breach (essentially the text in this thread's OP) but now I am wondering if it isn't generic and is in fact because my account has been accessed?

Your phone doesnt sound well serin ms windows uses safe mode, is that what you mean?

brizzle all you conversations have been recorded as well ifyou have google et all, and camera images! Happy much? You are notsofar from the truth there.

@mnhq
So - if we have not received a personal e-mail from mumsnet HQ can we be assured we have not had a breach of security?

Holy fuck MNHQ, how about giving an update?!

Is this why I had to log in again? I usually just click on my app and it opens.

It's a complete fuck up, mnhq can't be arsed to reply to us, even though we are the ones who generate the most interest in this site.

There is a lot of people possibly now in danger due to this 'mistake'.

Everyone had to log in again as soon as problem was found

Smotheroffive, Thanks, phone is only a couple of months old, and works fine now I have switched safe mode off.
Good to know it's not linked.

@Nicknacky @TheSassyAssassin I'd say as most people didn't receive that email then yes, you had been.

Again 🙄

During a previous security breach, it became clear that MN held on to previous email addresses even if a user changed to a new one.

You undertook to delete completely all email addresses other than the one in current use.

When I went to log in today I accidentally typed in an email address I'd used with a previous MN account - it was accepted, and I only realised when my current password didn't match the email address. So it does seem that not all previously stored email addresses are deleted.

MNHQ - could you comment on this, please?

I was just going to ask about an email - I've had one, just reads the same as on the sticky message.

It's not hard for someone to accidentally add an extra cell in a data sheet and knock the entire thing out of whack.
It happened in my workplace with bank details. Not my circus not my monkeys, thank God. But you'd be amazed by how much data still has to be manipulated by people and the mistakes that can be made.

And yy, if banks can be hacked then it wouldn't take much to hack MN. Separate email addresses for everything IMO.

wire If that’s the case, I’m well annoyed with how piss poor MN are at contacting users.

@oldsilver I haven't had an email.

Are all emails other than the current one deleted as you promised earlier?

Many posters changed their email after Jeffrey , but that would be utterly pointless unless the old email addresses were deleted.

Is that the case?

LyndaBr Think you might have posted on the wrong thread. If you ask MN they will move it for you.
Sorry for what appears to have been a horrible situation for you both.