Mumsnet data breach - please read

[JustineMumsnet]

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts

What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

smother is clearly drunk or being an idiot. I wouldn’t get involved.

Whaaat! Where's the joke?! Mary I actually have no idea what you are on about. You picked apart my last posts for reasons that seem to mean you didn't even read it.

I get that you're are extremely distressed about this, but don't take it out on me. And , what?! Teddy no don't bother....

Is anyone up?

Okay I am deleting my account. This is worrying me too much. Being able to chat on here is not worth the worry of sensitive personal info being accessed by others (I am talking about my email address and DMs.

Make up a new rubbish email address that is only linked to your mn account and doesn't have your name or anyndeets connected to it Mary

How is it different from any chat forum, except its primarily women, and therefore more targeted as a result. I think that's a reason to stand up, not sit down.

Here here @Smother!

Not a fucking clue what's going on. But I'm with you!

@Donmesswime you assume I'm an idiot, yet I'm the one with a separate email address for logging in purposes, the one who doesn't share personal information via DMs and keeps information on forums like this completely separate to other things.

I'm not saying that this situation reflects well in MNHQ, just that people need to be very careful about the information they use to log in to any forum and the information they give out in one, regardless of how secure they think it is. Websites can and arrested hacked and internet safety and anonymity should be assumed to be the responsibility of the individual using a service as services (such as Mumsnet) cannot be trusted.

Honey, short of giving me your name and address you are very identifiable.

I note that some users have thanked you for being transparent about advising on the breach although this is is a legal requirement anyway.

Have MN referred yourselves to the Information Commissioner?

Starlight it says in the OP that they will be referring themselves to the information commissioner.

As I posted this week on another thread, rather good timing with what's happened.

Although the biggest issue on MN technologically is piling new shite and updates onto a framework that is slow, buggy, and outdated. MN would be best-served by building from the ground up. Sooner or later there will be issues with the current methodology. Nothing to do with site design either.

@JustineMumsnet I have just been logged out of my account, wanted to make you aware as situation still mustn't be rectified.

Yup, appear to be affected too. All platforms signed out of and asked to put details through Googlemail (which I don't use for this) and various other attempts to get me to enter passwords. Not happy. Hope this is resolved.

When I tried to pull up my password with the iCloud Keychain, for some bizarre reason two usernames were in there that aren't mine and don't have anything to do with me.

A quick search shows they're real but not recently active posters - I'm talking several years since the last post.

The passwords associated with the entries in the iCloud are ones I have used before.

Again, the usernames aren't mine and there is no reason for them to be in my keychain thingy.

What the hell?

@JustineMumsnet I had to log back in to the app yesterday afternoon around 2.30pm. I was trying to post and it told me to log back in which I did. I only use the app.

I was asked to log back in, using Facebook.

I don't recognise a post apparently made by me on one thread. I think I posted it on a different thread. Very odd.

Yes, sorry, we've only sent mails to those accounts we know for sure were breached. Not to those who were able to log in as someone else yet. It's on our list to do first thing. Name changes shouldn't effect this

@JustineMNHQ I thought the breach was that you were able to log into someone else's account and those individuals had been emailed/PM'd?
I'm confused

Thank you for the updates, I haven't also received an email, however not concerned with that. I hope your child has a Happy Birthday today.

flippity I just checked my iCloud Keychain and have the same thing - three usernames stored that I've never used. Can't say about the passwords because I always use generated, strong ones.

Yes, sorry, we've only sent mails to those accounts we know for sure were breached. Not to those who were able to log in as someone else yet. It's on our list to do first thing.

As Haud says this makes no sense as the breach was being able to log in as someone else

@okokokok have you received a message yet as you were able to log in as someone else.

I received a generic email this morning, I assume just the same as the one everyone else got.

This is an absolute shitshow.

As for the (admittedly small) number of posters who are defending MN to the hilt, accusing those of us who are angry of being ‘hysterical’, and acting as though MN is some cosy little local community with Justine just up the road .... get real. This is yet another utter balls up that’s a result of lack of investment in decent security and competence. MN is massive.... it feels like the level of investment in security hasn’t been scaled up to match that.

And stop harping on about ‘even banks get security issues’ FFS this is a cock up, MN hasnt been hacked (this time, though of course that happened previously and I remember at the time it fast became apparent that their security was shite.)

Those who seem to find this all funny (again admittedly a small number) are being idiotic. MN is a massive money spinner and users have a right to a level of competence and respect for their data which is clearly not there.

Get this for irony: a few posters are cosying up to ‘Justinemumsnet’ as though she’s a personal mate who’s just having a hard day juggling being a mum and running a business. I bet if those posters had their personal data compromised through some balls up with a bank, a school, some big retail store or whatever, they’d be posting on MN in shock and anger about it!!