Mumsnet data breach - please read

[JustineMumsnet]

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts

What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

Another one here who had to log in again this morning, with the "offer" of doing it via Facebook, Google or MN

Does this mean mine was one of the accounts compromised, and if so what can I do about it?

Not on S&B either I don’t think.

Why is our data still so insecure on MN?

There have been an alarmingly high number of data issues in recent years. Mumsnet is a big business now, why isn’t the security better? It’s no longer good enough to have tech tinkering about twee-ly in his ‘shed’, sticking his finger in the dam of disaster. Invest properly in a security overhaul MNHQ. You can’t keep running on goodwill and IT Elastoplast.

Oh, is that why I was logged out this morning?

This isn't good enough, you need to email this out to ALL registered users. How many people are going to stumble across this thread randomly?

If I’m reading this right, this isn’t an attack like last time, this is a software error?

I've not had to log back in again today..? I'm on the app

These things happen, no harm done

How on earth can you have any idea if any harm has been done? You have no inkling what level of identifying details about individual posters were made available, or who they were available to.

if it is a software error it makes me wonder if that’s why MN is such a target for hackers, because they can’t even update their software without a massive security breach!

We have had threats of doxxing

We really need to know if our information was accessed.

Can you please email to let me know if my account was accessed?

I remained logged in until this morning.

Am I safe

SubscribeBelow I await the ban hammer with pleasure if they are so petty they cannot take criticism.

Mumsnet is big and needs to act like a large business with professional actions and policies.

Let's be realistic ... MN's a commercial enterprise and they'll hardly want to advertise this breach by plastering it all over every topic, even if that's the right thing to do

Not for the first time, I wonder who the "tech" people so often asked to "take a look" actually are. Do MN have the kind of permanent, full time I.T. staff who you'd expect to see for such a major site, or is it a case of someone just popping in occasionally?

Indeed, GoofyIsACow. It’s a weapons grade fuck up and they did it to themselves [facepalm]

Please can someone explain to me what a threat of doxxing is?

I had to log back in today, but i just assumed it was because i hadn't posted for a couple of hours?
May i ask what dox, doxxin and TRA is or means?

@BloodyHellBeryl

Doxxing: revealing users' real identities
TRA: trans right activist

I posted this on the app without logging back in, btw...

bloody

Tra is trans activists. They have threatened to dox ( reveal and post details on line ) of everyone on MN particularly those active on the feminism board.

Caroline farrow has already fallen victim to this and police arent interested

I'm writing this on the app without any need to log back in.

Furthermore, I have just changed my password on desktop, so now I'm accessing my account on the app under an incorrect password.

I did actually try killing the app by swiping up to force a pw challenge - but it just happily opened up and here I am typing and submitting...

@JustineMumsnet @mnhq is this a gap in the process?

...and here I am on the desktop app. Same account, same user, operating simultaneously.

@mnhq ??

Ok. So I've been trying to log in all morning.
Using an android phone. Impossible to sign in using Chrome. So tried using samsung internet on android which has signed me in WITHOUT NEEDING MY PASSWORD which I had already changed earlier today via email.
So how many random people are merrily signing into random accounts just using any username they fancy picking from the forums?

They have threatened to dox ( reveal and post details on line ) of everyone on MN particularly those active on the feminism board.

Yup, and as I posted on another thread, anyone who accessed my account may now have the means to see where I live and where my children go to school.
Not information I want mentally unstable people to have access to.

@mnhq ??

Gone AWOL by the looks of it .

So I was right to feel a bit weird about the whole logging in thing this morning.

Not happy about this at all.

These things happen, no harm done

Well let's hope so, shall we?