
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

Tooldemont · 07/02/2019 22:06

This can't be Justine, having such a laid back attitude to users personal details etc.

It would be more reassuring if that was a troll that had hacked her account, sadly I think it is her Envy

JustineMumsnet · 07/02/2019 22:08

@Tooldemont

This can't be Justine, having such a laid back attitude to users personal details etc.

It would be more reassuring if that was a troll that had hacked her account, sadly I think it is her Envy

I'm sorry but I don't get that?

ChristmasHumper · 07/02/2019 22:09

@JustineMumsnet I've had no email and nothing in my spam. I'm logged in and access MN daily. Please check where my email has disappeared to.

JustineMumsnet · 07/02/2019 22:11

@ChristmasHumper

@JustineMumsnet I've had no email and nothing in my spam. I'm logged in and access MN daily. Please check where my email has disappeared to.

Given the number of you who've said that on this thread I imagine it's a batch issue - we have about a million emails to send so would take a while to go. But I'm checking for sure and will revert.

MarshaBradyo · 07/02/2019 22:12

It probably would have been better to be clear

A few people will get a generic email

People affected will get a specific email

Etc

And no hth

Not sure why it’s so muddled all the time

wireswireswires · 07/02/2019 22:14

No email here. And I received an email from you two days ago which I replied to and got a reply from. I'm 100% certain I'm on your database.

I also registered under a new email today as I couldn't log in to or reset my old account. And wanted a less personal email and wipe my old account. No email on that one either.

Nicknacky · 07/02/2019 22:14

Marsha Your post is my exact point. It would have taken a few minutes to post an update.

JustineMumsnet · 07/02/2019 22:16

Only about 50k emails have gone so far. There are still over 850k to go - they will continue to be sent overnight and all through tomorrow too most likely.

Almostthere15 · 07/02/2019 22:18

Have all the specific emails - as in those where a breach has def occurred - been sent though, as they are most important?

WhentheDealGoesDown1 · 07/02/2019 22:18

Thanks Justine, I thought that was the case if there were loads of emails to send out.

JustineMumsnet · 07/02/2019 22:19

@MarshaBradyo

It probably would have been better to be clear

A few people will get a generic email

People affected will get a specific email

Etc

And no hth

Not sure why it’s so muddled all the time

Yes my mistake - I didn't realise it took so long to send them. Sorry about that.

JustineMumsnet · 07/02/2019 22:20

@Almostthere15

Have all the specific emails - as in those where a breach has def occurred - been sent though, as they are most important?

All the ones we know for sure about yes - there's still a bit of cross checking being done.

Tooldemont · 07/02/2019 22:20

Ok that sounds more like it.

Hopefully they go though, although should have checked that before telling people all emails had already been sent and check your spam folder

Almostthere15 · 07/02/2019 22:22

Thank you. And if we name change will you still be able to identify which accounts have been breached? Or will that confuse things?

kaytee87 · 07/02/2019 22:22

@JustineMumsnet how much cross checking has still to be done?

marymarkle · 07/02/2019 22:22

This is really worrying. My email address would make it very easy to figure out who I am. And I have sent and received DMs sharing personal info.
MN have you reported this to the ICO?

JustineMumsnet · 07/02/2019 22:23

@Tooldemont

Ok that sounds more like it.

Hopefully they go though, although should have checked that before telling people all emails had already been sent and check your spam folder

Yep sorry, my mistake.

As said this email only contains the info that is posted in the OP of this thread.

WhatTheNightBrings · 07/02/2019 22:23

@JustineMumsnet - if someone deactivates an account, how long does it take for you to delete all data you have for them?

Third time lucky?

And no email here.

JustineMumsnet · 07/02/2019 22:23

@marymarkle

This is really worrying. My email address would make it very easy to figure out who I am. And I have sent and received DMs sharing personal info. MN have you reported this to the ICO?

yes.

LondonHuffyPuffy · 07/02/2019 22:23

I haven’t had an email either and am definitely in your database because you emailed me about a PM I reported.

kaytee87 · 07/02/2019 22:26

As said this email only contains the info that is posted in the OP of this thread.

That's really not the point though. Lots of users won't see this post. We're also looking for clarification that the IT people in mumsnet towers actually know what the fuck they're doing. So it is even more worrying when we're told we should all have an email and we don't. Obviously it being sent in batches makes sense but why is no one communicating that to you properly so you're able to keep your users informed?

TopBitchoftheWitches · 07/02/2019 22:26

I do not believe this is Justine posting. She wouldn't post hth for a start. The posts do not read like her.
@mnhq are very quiet as well.

kaytee87 · 07/02/2019 22:26

@WhatTheNightBrings I don't think they do delete it.

EveSaidWhat · 07/02/2019 22:27

'haven’t had an email either and am definitely in your database because you emailed me about a PM I reported.'

I think it's been established emails are on the way. Perhaps if no one has received any same time tomorrow we can continue with the 'I haven't had an email' commentary.

kaytee87 · 07/02/2019 22:28

@TopBitchoftheWitches tbf she's probably experiencing inordinate stress atm