
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

JustineMumsnet · 07/02/2019 22:28

@TopBitchoftheWitches

I do not believe this is Justine posting. She wouldn't post hth for a start. The posts do not read like her. *@mnhq* are very quiet as well.

Well it's been a long day but it's me, alright. Not sure how I can prove though...

TheSassyAssassin · 07/02/2019 22:28

@okokokok

No email for me even though I was a poster who logged in and it opened someone else's account! An email, generic or otherwise, would have been appreciated! It said at one point the accounts were switched so I still don't know if someone got into mine

^ that's a bit worrying Confused

WhatTheNightBrings · 07/02/2019 22:28

Yeah, I'm beginning to think that too kaytee - but surely Justine is going to confirm...

SwedishEdith · 07/02/2019 22:29

I do not believe this is Justine posting

Ha ha, we could all be Justine!

BoreOfWhabylon · 07/02/2019 22:29

Hi @JustineMumsnet. I'm afraid I haven't received an email either and I'm pretty sure I'm on the database.

Actually though, I haven't had email notifications when I'm '@' in a post lately, although I do still get emails for PMs

Could some kind poster @ me please to check?

kaytee87 · 07/02/2019 22:30

@WhatTheNightBrings I'm going to do a SAR to find out what data is held on me and possibly ask for it all to be deleted.

MrLovebucket · 07/02/2019 22:30

@BoreOfWhabylon

kaytee87 · 07/02/2019 22:30

@BoreOfWhabylon Wink

JaneJeffer · 07/02/2019 22:30

@BoreOfWhabylon

JaneJeffer · 07/02/2019 22:31

Grin

Smotheroffive · 07/02/2019 22:31

Also not received an email, and I think it's more for me about that being indicative of an issue, and definitely not for the information contained in it, as that's in the OP.

It's not doing your credibility any favours @justinemumsnet, at a time when the message we all need to know is that our personal data is safe, if even the simple things are mismanaged.

JustineMumsnet · 07/02/2019 22:31

[quote WhatTheNightBrings]@JustineMumsnet - if someone deactivates an account, how long does it take for you to delete all data you have for them?

Third time lucky?

And no email here.[/quote]

When someone deregisters all their personal info is removed straight away.

caughtinanet · 07/02/2019 22:32

Read Justine's replies people, the emails are on the way, it takes time to send nearly 1 million messages, no need to keep posting that you haven't had one

WhatTheNightBrings · 07/02/2019 22:32

Justine, instead of getting snarky with posters, could you please answer the very simple question I've been asking you for an hour?

And if you could find the time to send over the information I asked you for, and you said you'd send me ASAP, that'd be appreciated.

TopBitchoftheWitches · 07/02/2019 22:32

@JustineMumsnet

'Alright'

🤷‍♀️🤷‍♀️

WhatTheNightBrings · 07/02/2019 22:33

When someone deregisters all their personal info is removed straight away.

Thank you!

So why, when someone has deregistered, can they not sign up again later using the same email address?

Almostthere15 · 07/02/2019 22:33

JustineMumsnet it sounds as if some who were personally affected haven't received an email. Can you confirm they have all had a pm, or is there a way of you being able to ask them to confirm receipt so you know they know?

Can you also answer re name changes, will this make it harder for you to identify or does it make no difference?

Elderflower14 · 07/02/2019 22:34

No email here either!!! 🤔 🤔 🤔

PhilomenaButterfly · 07/02/2019 22:35

No email here. Am I not on your database?

WhatTheNightBrings · 07/02/2019 22:37

JustineMumsnet (MNHQ) Thu 07-Feb-19 22:16:25
Only about 50k emails have gone so far. There are still over 850k to go - they will continue to be sent overnight and all through tomorrow too most likely.

BoreOfWhabylon · 07/02/2019 22:38

Thank you MrLovebucket yours got through Grin

Still waiting for Kaytee and Jane's but thank you both Flowers

Tooldemont · 07/02/2019 22:38

Emails still being sent out, they've backtracked on the comments saying they've all gone out..

EveSaidWhat · 07/02/2019 22:38

'No email here. Am I not on your database?'

They're on their way she's already said about ten times. 50000 sent, another 850000 to go Confused.

DeaflySilence · 07/02/2019 22:39

No email here, either specific or generic. I am definitely on your database, receive emails from MN regularly, and most recently at 20.10 this evening.

Perhaps, when you are checking where everyone else's are @JustineMumsnet, you could also check to see if I should have received a specific one, and why the generic one did not arrive (I have checked Spam).

Smotheroffive · 07/02/2019 22:40

...and also, why others have stated on here that their old email address has been recognised by MN after the date it was confirmed that all precious email addresses had in fact been deleted? Though clearly not?

Kaytee the process for SAR is further upthread maybe around pages 13/14?