
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

JustineMumsnet · 07/02/2019 22:59

[quote Almostthere15]@JustineMumsnet sorry I know you must be having the worst day but you've replied to others. Can you answer my question re PM for those you know are breached and a receipt mechanism given someone said they haven't had one. And re name changing[/quote]

Yes, sorry, we've only sent mails to those accounts we know for sure were breached. Not to those who were able to log in as someone else yet. It's on our list to do first thing. Name changes shouldn't affect this.

BBInGinDrinking · 07/02/2019 23:00

I'm just waiting for the lights to go out at MNHQ as usual, leaving the Night Watch volunteers to take over and sort it all out. Wink

marymarkle · 07/02/2019 23:06

If they request it, you will delete all posts from a user whose security has been breached?

Smotheroffive · 07/02/2019 23:14

Nickynack oh sorry! Misconstrued what you meant, but as I posted earlier, I am glad it was not posted as a sticky until more was known, as I, for one, would not have been happy at MN announcing a data breach that was still potentially wide open for further breach and abuse. If malicious and malign forces became aware, and as soon as they do, that's their window to take full advantage where at all possible.

Cbatothinkofaname · 07/02/2019 23:15

Ffs not again.
The casual indifference with which MN regards user data is shocking. Come on MN, you’re a big business raking in the revenue. Sort your technology out.

Donmesswime · 07/02/2019 23:19

This reply has been deleted

Message deleted by MNHQ. Here's a link to our Talk Guidelines.

nonickspetticoat · 07/02/2019 23:20

TopBitchoftheWitches Thu 07-Feb-19 22:45:26
Why are @MNHQ so quiet on this thread?

I hardly think MNHQ have been quiet - surely though it doesn't take anyone with an ounce of common sense to realise they have more pressing issues right now?

And if I see another post saying 'haven't had an email' - is it any wonder Justine doesn't reply?? Jesusss

marymarkle · 07/02/2019 23:21

This has actually really shaken and worried me.

Nicknacky · 07/02/2019 23:23

Updating the users of the site would have taken minutes and should be a priority.

That’s who it is affecting.

SpringForEver · 07/02/2019 23:27

*Thanks for reminder re checking recent activity on mail client. Haven't looked for ages, but having just checked the email account I use for this site.

Whilst results are unlikely to be connected to this current event (except perhaps the entry on Tuesday 5th?), it was a sharp reminder to check it more frequently, as it reported several, thankfully blocked, attempts at accessing my mail account.*

I saw the original post about this last night and was logged out earlier. I sent an e.mail to MN from my e.mail account, when I went back I could no longer access my e.mail account. This is suspicious to me. I will not know if I have had an e.mail because I can no longer check it, and have actually been locked out of my e.mail account due to this palaver.

nonickspetticoat · 07/02/2019 23:31

It was a software glitch and yes it shouldn't have happened. There is absolutely no evidence that anyone's personal details have been compromised and the hysteria of some doesn't help.

Mumsnet have posted that they've sent a generic email - with over a million users we aren't going to receive them all at the same time.

We even have one poster claiming Justine is a troll and not really her? Reaally??? Give your head a wobble fgs

Donmesswime · 07/02/2019 23:32

You won't receive an email unless you have ticked the box asking 'Do you consent to receiving emails from Mumsnet'.

HTH @MNHQ

marymarkle · 07/02/2019 23:35

I haven't. So I won't know then if my data has been breached?

Donmesswime · 07/02/2019 23:35

How or why or who hasn't realised why we're not getting emails shows how idiotic their IT team (or is it a one man band) is.
If you tick the box, I don't want to receive anything from MN, the IT behind it, will not allow your email to be sent messages.
Jesus Christ.

Donmesswime · 07/02/2019 23:36

@marymarkle as far as I know, you won't receive the email. If you don't tick the box, they can't use your email address, so they effectively can't email you.

nonickspetticoat · 07/02/2019 23:37

*Nicknacky Thu 07-Feb-19 23:23:55
Updating the users of the site would have taken minutes and should be a priority.

That’s who it is affecting.*

Which Justine and Mumsnet have tried to do? Admittedly the emails are slow coming for some - Justine has posted every update on AIBU - I haven't read the other boards so not sure.

You seem to have a personal grudge against mumsnet? Not sure if that's valid or not but stop dramatising when MN are doing their best - the only people 'worrying' others are drama queens like you

Donmesswime · 07/02/2019 23:38

This reply has been deleted

Message deleted by MNHQ. Here's a link to our Talk Guidelines.

Nicknacky · 07/02/2019 23:38

non Personal details HAVE been compromised. Why would you think they haven’t?

marymarkle · 07/02/2019 23:40

Christ sake! So I will never know if my data has been breached or not. This is a fucking mess.

Nicknacky · 07/02/2019 23:41

non Personal grudge? Not at all and I’m far from a drama queen, I don’t generally give a fuck about GDPR, but this isn’t acceptable.

They aren’t doing their best. If they took security seriously (which previous events show they don’t) then no one’s personal data would be affected.

Clare45BST · 07/02/2019 23:42

This reply has been deleted

Message withdrawn at poster's request.

Donmesswime · 07/02/2019 23:42

I didn't tick the box allowing them to email me, so I don't know whether I've been breached either if it's any consolation.
I don't understand how Justine's IT genius hasn't told her why either.

Smotheroffive · 07/02/2019 23:43

Nicknacky that actually was my point precisely, if you didn't get that, which you seem to be saying you don't, unless your answer wasn't to me.

Nicknacky · 07/02/2019 23:46

smother You just pickled my brain😂

Donmesswime · 07/02/2019 23:50

Cmon @JustineMumsnet
Admit it. You've 1 dude employed in IT and 1 apprentice. Am I right?
For an entirely online forum, you should probably have a team of 10.
Might reduce you from Chardonnay to mere Sauvignon Blanc eh?

You're fucking with people's lives here. People are not always internet savvy and you are processing a lot of people's data. You have a responsibility to handle that responsibly. Which you're not doing.

You're a holy show. And I genuinely hope nobody suffers as a result of this breach.