
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

BBInGinDrinking · 07/02/2019 22:40

Not sure how I can prove it though...

Justine - how about you post a photo of you right now? Given I'm on Dry February and wishing I could hit the Gin at least in part because of this, we'll pretend not to notice you're attached to a Gin intravenous drip.

JustineMumsnet · 07/02/2019 22:41

@DeaflySilence

No email here, either specific or generic. I am definitely on your database, receive emails from MN regularly, and most recently at 20.10 this evening.

Perhaps, when you are checking where everyone else's are @JustineMumsnet, you could also check to see if I should have received a specific one, and why the generic one did not arrive (I have checked Spam).

Only about 50k emails have gone so far. There are still over 850k to go - they will continue to be sent overnight and all through tomorrow too most likely.

Nicknacky · 07/02/2019 22:42

Why has it taken nearly 24 hours to send a generic email?

WhentheDealGoesDown1 · 07/02/2019 22:42

It's probably damn near impossible to send out 1 million emails all at once.

JustineMumsnet · 07/02/2019 22:42

@BBInGinDrinking

Not sure how I can prove it though...

Justine - how about you post a photo of you right now? Given I'm on Dry February and wishing I could hit the Gin at least in part because of this, we'll pretend not to notice you're attached to a Gin intravenous drip.

If only I could find a picture of SoupytheBat...

Smotheroffive · 07/02/2019 22:43

MNers don't make the job any harder RTFT!

EveSaidWhat · 07/02/2019 22:43

'Emails still being sent out, they've backtracked on the comments saying they've all gone out..'

I'm guessing that when you press send on 1000 000 emails there's a staggered delivery thing that goes on. The internet can be slow at the best of times let alone with that amount.

probablyprocrastinating · 07/02/2019 22:43

Easiest way to check if it's Justine or not is to ask how she felt about the result of the game last night. Grin

kaytee87 · 07/02/2019 22:44

So why, when someone has deregistered, can they not sign up again later using the same email address?

Really good question. The email address must at least be stored.

JamPasty · 07/02/2019 22:45

@MNHQ - No email here, apart from the one refusing to delete all my posts.

Someone above wanted to know how to do a subject access request:

ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

Basically you just need to contact Mumsnet, however you like, and request your data: "The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point. A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data."

Given you can use social media, I would assume that posting here and requesting your data would be fine. Mumsnet then have one calendar month to respond to you.

TopBitchoftheWitches · 07/02/2019 22:45

Why are @MNHQ so quiet on this thread?

kaytee87 · 07/02/2019 22:45

Thanks @Smotheroffive

Smotheroffive · 07/02/2019 22:46

Nicknacky, mass emails need to go in batches, which they are, and it takes time to get through hundreds of thousands

JustineMumsnet · 07/02/2019 22:46

@probablyprocrastinating

Easiest way to check if it's Justine or not is to ask how she felt about the result of the game last night. Grin

No good relying on the Toffees to do us a favour.

EveSaidWhat · 07/02/2019 22:47

'No email here'

It's like cancel the cheque all over again Grin

Almostthere15 · 07/02/2019 22:48

@JustineMumsnet sorry, I know you must be having the worst day but you've replied to others. Can you answer my question re PM for those you know are breached and a receipt mechanism given someone said they haven't had one. And re name changing

probablyprocrastinating · 07/02/2019 22:49

That should put you all at your ease. Wink

wireswireswires · 07/02/2019 22:50

'No email here

'It's like cancel the cheque all over again

GrinGrinGrinGrinGrinGrinGrin

Nicknacky · 07/02/2019 22:51

smother I get that, the emails have only been sent tonight despite this issue being raised yesterday. And it tells us nothing else apart from the copy and paste from this thread which was posted this morning.

Why the delay?

whereisthepostman · 07/02/2019 22:51

God can't all those whinging about emails just check your emails tomorrow Confused

LondonHuffyPuffy · 07/02/2019 22:51

I think it's been established emails are on the way. Perhaps if no one has received any same time tomorrow we can continue with the 'I haven't had an email' commentary

@EveSaidWhat when I posted about not receiving an email I hadn’t seen Justine’s post at 22:16 confirming that only about 50k emails have been sent. I got distracted by some real life stuff whilst typing my post, which I started before 22:16. Earlier in this thread Justine had said that as far as she knew all emails had been sent but she was checking.

whereisthepostman · 07/02/2019 22:52

@JustineMumsnet hope you have a Wine or a Gin

BoreOfWhabylon · 07/02/2019 22:54

All three of my @ emails have arrived now Flowers

JustineMumsnet · 07/02/2019 22:54

@kaytee87

So why, when someone has deregistered, can they not sign up again later using the same email address?

Really good question. The email address must at least be stored.

Pre GDPR when someone de-regged we used a hack of the ban process and emails stayed on the system. Post GDPR we updated our system so deregistering automatically removes someone's details. We keep emails for banned users on a database, however, so we can track trolls etc.

JustineMumsnet · 07/02/2019 22:57

[quote whereisthepostman]@JustineMumsnet hope you have a Wine or a Gin[/quote]

I did manage to sneak in a single Gin as it happens. Popped out for a meeting in a bar and was stood up. But downed my g&t anyway... I now need to go and wrap my 13 year old tomorrow ds's gifts. I'll look in before I hit the sack. Thanks for all those assisting with the "They're going out in batches message" and apologies again for any confusion.
