Mumsnet data breach - please read

[JustineMumsnet]

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts

What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

@JustineMumsnet @MNHQ well if I have received this email message because I had my account accessed then it is very worrying because I haven't had to log in at all during the time of the breach - so the idea that it was two users simultaneously logging in is erroneous! And that means it could potentially affect anyone and not only those who needed to log in - I stay automatically logged in so have not to the best of my knowledge had to actively log in. Also the email I received is very generic so it is not clear whether I have had my account compromised or not! Emails need to be clearer because the amount of confusion this is causing is absolutely unacceptable!

Emails get sent from organisations in batches usually so people will receive them at different times, as it would be too many to send all at once, that is if everyone was to get one.

Thanks for letting us know, but I really can't see the issue here. I never put anything on the internet I wouldn't share in public and anyone who does is an idiot really!

When I can understand emailing every user, however MN communication is so poor that they have said they will only email those directly concerned. Hence my question.

Endofrelationship - do you not see that people in abusive relationships posting for advice might now be at risk, and they're not idiots for seeking advice

I've had to rejoin mumsnet, new email address (solely for mumsnet) and new password.

I am worried re: data breach as I posted some very sensitive information over last weekend.

I have contacted MNHQ twice regarding this and haven't even received an acknowledgement. I am acutely aware they're all busy so am not having a tantrum, just saying.

I need to close my previous account. I can’t contact MN because the fecking adverts are covering the screen. So I am reporting this post. Mumsnet please email me

End You honestly can’t see an issue at all?!

I have emails that people have sent me with information on them. No one else should be able to access that info but because MN is so careless with users data, strangers can read that.

Endofrelationship, maybe it's narrow minded people like you that forces people like me to share private info online and get advice from open minded people....

@endofrelationship people in awful situations post on here everyday, are you that stupid to not realise the issues this may cause for them?

Also e mailed and no reply.

@TopBitchoftheWitches no. I've posted some pretty awful stuff on here, but I take precautions. Change enough detail to reduce being identified, don't share location etc. People should know that the internet and any information contained in it is not safe and act accordingly.

[quote TheSassyAssassin]**@MNHQ* I have had what I thought was a generic blanket email to inform me of this breach (essentially the text in this thread's OP*) but now I am wondering if it isn't generic and is in fact because my account has been accessed? [/quote]

We sent a mail out to every email on our database about the breach. We've also sent a different and very specific mail to the 15 or so people whose accounts we know for sure had a switched log in. You'd know if you got that one because it specifically said your account had been subject to a breach. Thanks

End It doesn’t matter what info posters post or don’t post. Due to MN their privacy has been breached and that’s unacceptable.

And I’m not one to get bothered about data breaches but this one, and MN’s laid back attitude has really fucked me off.

What @Bombardier25966 said.

These things do happens, we're dealing with computers not a rational mind. Pathways, codes get mixed up.

@Overtheborder

I've had to rejoin mumsnet, new email address (solely for mumsnet) and new password.

I am worried re: data breach as I posted some very sensitive information over last weekend.

I have contacted MNHQ twice regarding this and haven't even received an acknowledgement. I am acutely aware they're all busy so am not having a tantrum, just saying.

Hi Overtheborder - as you rightly imagined we've got a lot of incoming but we'll make sure to get back to you tonight.

They should also trust that their log in details are secure.

Clearly not in this case.

Yes, I'm the same TheSassyAssassin always logged in . Still have what reads like a generic email.

If they are contacting everyone fair enough but it doesn't read as a "heads up - it's you, you been breached". That's not what @Mumsnet said they were doing?

Tchuh to nosey noses, ta SoMu I'll live

@Nicknacky

End It doesn’t matter what info posters post or don’t post. Due to MN their privacy has been breached and that’s unacceptable.

And I’m not one to get bothered about data breaches but this one, and MN’s laid back attitude has really fucked me off.

We're really not laid back Nicknacky, honest.

Thanks for letting us know, but I really can't see the issue here. I never put anything on the internet I wouldn't share in public and anyone who does is an idiot really!

Right then. Everyone stop panicking. Endofrelationship is fine thanks. 🙄

JustineMumsnet So why didn’t you post an update like you said you would, prior to sending out generic emails and worrying people?

Honestly, this should be a wake up call to you. It’s unacceptable how poor your communication is.

@JustineMumsnet ok thanks for the clarification. I initially thought that was the case but think the confusion has been caused by lots of other posters saying they hadn't received an email at all? But ok, it seems this was just the generic notification in that case.

@mnhq i haven't received an email from you at all today.

@JustineMumsnet - if someone deactivates an account, how long does it take for you to delete all data you have for them?

Every email? No email here