Mumsnet data breach - please read

[JustineMumsnet]

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts

What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

These things do happens, we're dealing with computers not a rational mind. Pathways, codes get mixed up.

deadsexy. You do realise that actual humans give the computer the instructions?

Coolio, thanks for answering that @JustineMumsnet

Am I right in thinking these generic emails are sent out in batches so some won’t appear until tomorrow because of the amount and the more specific emails have already been sent

@Nicknacky

JustineMumsnet So why didn’t you post an update like you said you would, prior to sending out generic emails and worrying people?

Honestly, this should be a wake up call to you. It’s unacceptable how poor your communication is.

I don't think I said that did I Nicknacky?

I haven't received an email.

It's no point saying you aren't layed back about it, actions speak louder than words.

Every email? No email here. None here either.

I haven't received an email.
Events have been popping up on my google calendar that's linked to my email account, same one I use for mumsnet. Definitely not things I've added myself.
Now wondering if that strange happening is connected to mn data breach.
This happens too much.
I will be deactivating my account and tightening security on everything.

So any explanation as to why some of us haven't had an email? @JustineMumsnet @MNHQ

@WhentheDealGoesDown1

Am I right in thinking these generic emails are sent out in batches so some won’t appear until tomorrow because of the amount and the more specific emails have already been sent

The specific mails were all send personally by me in the early afternoon. The non-specific update - which is pretty much what was posted here in the OP were sent to the entire database in late pm and would have taken a little while to get to everyone but should have all gone by now for sure. If you didn't get one it's either gone to spam or you're not on our database. Hope that helps.

@Tooldemont

I haven't received an email.

It's no point saying you aren't layed back about it, actions speak louder than words.

Ok I'll look into it - but as said it may have gone to spam or you may not be on our database..

I'm definitely on the database, I get emails about mentions and new posts.

No email and not in spam either.

Isn't it time mumsnet took this seriously and employed professional technical people? It's a joke how the site is run.

JustineMumsnet It’s in your original post that updates will be given and you would send another email when you had more info regarding the breach.

An update saying you were sending a generic email would have been appreciated.

@JustineMumsnet

Whether you said it or not, I think you have bigger issues to deal with, right now.

If we're registered with you and have dad replies in the past re post/spam reports etc, does that mean we're on your database?

I don't have an email either. Not in my spam or junk box.

No email in spam.
I'm guessing my email is on the database seeing as I've just used it 20 minutes ago to log in.
Where is my email?

Everyone uses an email address to join don’t they? So on the database?

@JustineMumsnet, I have also not received an email (generic), have checked spam, none there, and I think I should be on your database. Have been a MNer since 2006, always same email, don't even often namechange. I regularly get emailed the talk roundup for example.

No email either, checked junk folder x

@EnidButton

If we're registered with you and have dad replies in the past re post/spam reports etc, does that mean we're on your database?

I don't have an email either. Not in my spam or junk box.

We've had a big clear out post gdpr and deleted accounts that haven't opened mails for a bit, so not necessarily - only a proportion of those who've registered are on our email database. As said the email only contained the info in the OP here.

No email here, and I'm definitely on your database, as you'd know when you send over the info you said you would ASAP this morning.

As I asked up there ^ when someone deletes an account, how long does it take MN to delete all data held on them?

I haven't had an email, apart from the one replying to mine informing me that MN won't delete my posts before I dereg. Have checked Spam folder.

@mnhq I have received no email from you at all - generic or personal. I found out about the breech by looking on aibu

It's almost as if nobody at mnhq actually know what the fuck is happening.
There could be people needing emails about data breach specific to their personal account that they are not receiving.
This is really bad.

No email here either.

Anyone tell me how I go about doing a SAR?

@JustineMumsnet

Hope that helps?

You have had a few posters on this thread say they have not received an email and that is your response?

Your company have majorly messed up and you treat your users like that?