Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

Nicknacky · 07/02/2019 21:55

And to be honest, nearly 24 hours later before they send a generic email? Why did that take so long to send?

AlexaAmbidextra · 07/02/2019 21:55

How, if we are registered users would our e-mail not be on your database?

Murphypoint · 07/02/2019 21:56

I don’t have an email either.

Bamchic · 07/02/2019 21:56

@Endofrelationship are you for real? I posted on mumsnet when I was in abusive relationships, when I was bereaved, when my baby died, when I was made homeless, when I was forced into having an abortion, and the people on here helped me when I had fuck all and nowhere to go. So I am honestly so grateful to @justinemumsnet for everything she’s got here. But if people have my information I am scared, I get that little glitches but I disagree with @bombardier, if certain people gain access to my information and they join the dots I am not safe, and I need to know what @MNHQ are going to do about it?

kaytee87 · 07/02/2019 21:57

We've had a big clear out post gdpr and deleted accounts that haven't opened mails for a bit, so not necessarily - only a proportion of those who've registered are on our email database. As said the email only contained the info in the OP here.

That can't be the reason I haven't received an email. I'm an active user.

JustineMumsnet · 07/02/2019 21:57

@MarshaBradyo

Everyone uses an email address to join don’t they? So on the database?

No not necessarily we only keep emailing if you engage with the emails. If you open MN daily regularly and haven't received an email today and it hasn't gone to spam then we can check out to see if some have got stuck. But, as said - there's no new info in there that you can't see here. Everyone who we know has been breached we had a live email for and have mailed individually.

Worth noting here that there is no evidence of anyone doing anything nefarious, even when accounts were wrongly accessed. It doesn't mean it's not possible of course but this breach was caused by a bug in the code, not a hack.

SinisterBumFacedCat · 07/02/2019 21:57

No generic email here. Which is odd because MN email almost every time I breathe.

Bluebellsarebells · 07/02/2019 21:58

So how are the people whose personal accounts have been breached going to find out about it if their email addresses are not on your database???
@justinemumsnet

Nicknacky · 07/02/2019 21:59

It doesn’t matter that nothing dodgy happened!

Honestly, no wonder I think you are laid back.

ItsHardToExplain · 07/02/2019 22:00

I don’t know if this is related to the incident today but there seems to be a lot of trolling right now. I have reported a couple threads.

JustineMumsnet · 07/02/2019 22:00

@SinisterBumFacedCat

No generic email here. Which is odd because MN email almost every time I breathe.

Ok will check - thanks for that.

JaneJeffer · 07/02/2019 22:00

Thanks When I've managed to do it now (I think!).

Donmess I don't really care about that. I just don't want anyone accessing my email!

TopBitchoftheWitches · 07/02/2019 22:00

@JustineMumsnet

Will you please explain why numerous active users have not received emails yet?

Bamchic · 07/02/2019 22:00

@justinemumsnet I get these everyday and haven’t had an email?

JustineMumsnet · 07/02/2019 22:01

@Bluebellsarebells

So how are the people whose personal accounts have been breached going to find out about it if their email addresses are not on your database??? @justinemumsnet

So far we've had emails for everyone whose account we've found has been breached. If we discover a breach and don't have an email we'll pm.

HeathRobinson · 07/02/2019 22:03

No email here @Justine. And I know I'm on the database because mnhq emailed me this evening about something else.

Tooldemont · 07/02/2019 22:04

I'm definitely on the list as received a (spammy) email about a new post on a thread yesterday...

Seriously you need to hire some professionals and know when it's beyond your capabilities. Should have happened a long time ago..

Bluebellsarebells · 07/02/2019 22:04

I get emails when anyone tags me or pms me.
Does that mean I'm on the database? No email from you today

okokokok · 07/02/2019 22:05

No email for me even though I was a poster who logged in and it opened someone else's account! An email, generic or otherwise, would have been appreciated! It said at one point the accounts were switched so I still don't know if someone got into mine.

EnidButton · 07/02/2019 22:05

We've had a big clear out post gdpr and deleted accounts that haven't opened mails for a bit, so not necessarily - only a proportion of those who've registered are on our email database. As said the email only contained the info in the OP here.

Ah ok. Thanks Justine

TopBitchoftheWitches · 07/02/2019 22:05

This can't be Justine, having such a laid back attitude to users' personal details etc.

JaneJeffer · 07/02/2019 22:05

If everyone is supposed to have got an email I didn't get one. I only get the 'Swears By' emails though.

EnidButton · 07/02/2019 22:05

^first paragraph there is a quote.

Tooldemont · 07/02/2019 22:05

So how are the people whose personal accounts have been breached going to find out about it if their email addresses are not on your database???
@justinemumsnet

It's beyond a joke this attitude they have. They make millions a month from a glorified message board and can't even do the most basic things.

JustineMumsnet · 07/02/2019 22:05

@WhentheDealGoesDown1

Am I right in thinking these generic emails are sent out in batches so some won’t appear until tomorrow because of the amount and the more specific emails have already been sent

I'm just chasing an answer on that.
