Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:

  • your email address
  • your account details
  • your posting history
  • your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

KataraJean · 08/02/2019 09:18

My account lists my previous usernames with KataraJean twice. But I would surely not be able to use this name twice? Is that usual?

EwItsAHooman · 08/02/2019 09:22

Mine has duplicated usernames too.

And no email, generic or otherwise.

Xenia · 08/02/2019 09:22

My student sons would not say it was sloppy English - they would say language changes. I regard an email as the email you write, just like a letter is the letter, not your address. Other people use "your email" to mean your email address. I am probably the only person in England still calling something my mobile 'phone whereas most people say "their mobile". Anyway I am a bit off topic and MN's description of what might be at risk was certainly accurate.

WhentheDealGoesDown1 · 08/02/2019 09:24

Mine also has my current username twice, I changed it yesterday slightly when I changed my password.

Pushpull · 08/02/2019 09:27

Mumsnet have gone very quiet. It's over 9 hours since they have responded. I'd like to think it's because they are busy fixing things but it feels more like they've discovered the issue is bigger than they thought?

JaneJeffer · 08/02/2019 09:27

The duplicate username thing has been on mine for ages. It wasn't caused by this fuck-up.

WhatTheNightBrings · 08/02/2019 09:27

Yup I have duplicate username listed in my settings too

C8H10N4O2 · 08/02/2019 09:29

@MNHQ
I just checked my iCloud Keychain and have the same thing - three usernames stored that I've never used

Can we please have a response on this one? Now reported by multiple users.

Just skimming the overnight updates I have these points to add:

  • I also still have no email 20 odd hrs after we were told we had already been mailed. It's not in spam - I run my own mail server, no external filtering.
  • People are still confused as to who is being mailed. Can we please update the OP to clarify who is being emailed, when and why?
  • It's a big mail shot to send out but frankly if it takes more than 36 hrs to send out that volume of mail MNHQ need to change their batch mail provider.
  • Regarding not keeping addresses for contact about a breach - GDPR allows you to keep email addresses for contact on account issues even if you opt out of marketing. This is, again, standard industry practice. I'm astonished that opting out of marketing also opts me out of being informed of a data breach! Or is that seriously what happens?
  • Agree with PP someone should have been on shift overnight to respond to questions - it's pretty poor that you persist in volunteers for the night shift the day after major data issue which is still not even fully defined.
  • There should be a Breach Response in the TOM which is communicated and understood by staff, ready to be invoked. It isn't like this is the first time there has been a major issue on data security here. It's pretty much an annual event.

LateToTheParty · 08/02/2019 09:38

Password reset issue

I reset my Mumsnet account password yesterday, between when mobile site users were force logged out, and app users were force logged out. I could then only log back into either the mobile site or iOS app using the old password though, despite getting a message onscreen that the password update was successful. Thought it might just be slow replicating the changes so tried it again now, but same outcome.

I've just reset the password again but can still only logon to the mobile site or iOS app with the old password. Quite concerned that the password change isn't being recognised.

At4oclockthenormalworld · 08/02/2019 09:42

Late similar for me too. I closed my MN account yesterday then created a new email address just for MN then registered again. All as normal with new posts yesterday.

This am I am able to post on mobile app but my IPAD app is asking me to log in. Not going to do anything with that for time being I think.

I've not had any emails to either new or old address but from what I'm reading I can't yet assume I'm not affected.

At4oclockthenormalworld · 08/02/2019 09:44

That's weird ... that last post on IPAD app is showing my username in purple but on my phone it's pink.

The plot thickens.

WhentheDealGoesDown1 · 08/02/2019 09:50

No need to just use the new email address for just MN, its also quite handy for anything that might be a bit spammy like when you have to put one in for prize draws etc, also some shopping websites insist on an email address to access them, or else you would need a separate email address for everything, just have about 3 or 4 for different situations.

RedToothBrush · 08/02/2019 09:50

Mumsnet have gone very quiet. It's over 9 hours since they have responded.

Dear Lord. The previous nine hours were midnight until 9am.

Even IT people need to sleep and if they have been working flat out since the breach it's a ridiculous thing to suggest they should work over a 24 hr shift!!! If nothing else because if you are that tired you are liable to make more silly mistakes. Thus making the cluster fuck worse not better.

As it is, the immediate problem was fixed by a reversal to a previous version of MN.

That means the ongoing issue is down to identifying where breaches occurred past tense. And whilst that is extremely important it's not stay up all night important either.

I swear people's sense of perspective and understanding of the real world and how things work is warped. People think that a magic wand can be waved and things happen and have no concept of human beings being involved in the process.

Honestly I'm concerned about the lack of security knowledge that MN IT possess. It's below par and MN need to do a lot better rather than acting like amateurs - because if they don't they'll end up with no business anyway.

But getting shirty because no one has replied between midnight and 9am???

Come on. Get a grip. Think about what you are saying and demanding. It's ridiculous.

paxillin · 08/02/2019 09:51

@C8H10N4O2, did you see today's google doodle? Brightens a morning.

IwantedtobeEmmaPeel · 08/02/2019 09:52

I'm concerned that I've had an email from Mumsnet about this matter but not sent to the email that is registered with my Mumsnet account and to which Mumsnet have always sent emails before. They have sent an email to my hotmail account which I don't use for Mumsnet - what is happening here?

Bowlofbabelfish · 08/02/2019 09:53

I also have two listings of my current username in my nickname history @MNHQ.

shiveringtimber · 08/02/2019 09:54

All this pearl-clutching! Do calm yourselves, dearies.

GerryblewuptheER · 08/02/2019 09:58

Ok I've had another call from a number Google doesn't recognise with too many digits.

Can I have an email to let me know if my account was breached or not please

FloofyCatLovesPerfume · 08/02/2019 09:59

Re the password change, it seemed not to be saving it for me - I checked my emails and you had to click on a link to confirm it, then it changed.

If MNHQ confirm it was a system error allowing MNers to see other accounts that is bad, but IMO nowhere near as bad as it being hacked by a third party with malicious intent (especially given the recent threats to doxx MN and other generally menacing threats).

What I have taken from this is to clear my inbox/sent items every time I send/receive a message, and change my associated email to one that doesn't have my RL name in it. On reflection, this is my fault for not doing this previously.

I was going to delete my account but having been here over a decade there would be so many deleted posts, especially if we all did it. We all know how annoying it is reading a classics thread for example, with half of it missing!

I myself have been a bit naive but the reason my inbox had messages is that I have (for example) swapped items and supportive PMs with MNers I have known a very long time. I also used to post a lot in the SN section and would like my posts to remain in case anyone in a similar position finds them useful (not bigging myself up, it's a niche condition!) I also post in FWR (under NCs) and think it's important women continue to speak out and MN is a more liberal platform than the majority.

So on balance, if I reduce my own risks and am sensible, I prefer to keep using MN than not plus what would I do all day and RL people are sick of talking about cats Grin

Roussette · 08/02/2019 09:59

Headline from The Register.

"Mumsnet data leak: Moaning parents could see other users' privates after cloud migration"

Not sure I want to see anyone's privates! Or them see mine!

Bowlofbabelfish · 08/02/2019 10:01

I'm concerned that I've had an email from Mumsnet about this matter but not sent to the email that is registered with my Mumsnet account and to which Mumsnet have always sent emails before. They have sent an email to my hotmail account which I don't use for Mumsnet - what is happening here?

If you've never used that email in any comms with MN, the only explanation is data linking via one of the third party vendors they use.

If that’s what’s happened it’s a VERY big deal, and absolutely illegal. You need to follow up on that as a matter of urgency, because it’s capable of linking your account here to almost any other online presence you have.

Apologies for Atting you @iwantedtobeemmapeel but this is potentially serious and needs follow up

FloofyCatLovesPerfume · 08/02/2019 10:01

But there is no need to be so fucking patronising shivering Hmm feel free to delete your account if you feel so patronising and superior to other MNers.

RedToothBrush · 08/02/2019 10:03

Agree with PP someone should have been on shift overnight to respond to questions - it's pretty poor that you persist in volunteers for the night shift the day after major data issue which is still not even fully defined.

Disagree with this. It's a complex issue that should be dealt with by someone senior who knows what they are talking about.

Otherwise you get into the situation of conflicting info going out, people getting more confused than they are and getting upset at that.

There should have been a better explanation yesterday and a FAQ put together for the overnight club with a message to say that someone would be back at X time to deal with queries. I'm sure that wouldn't satisfy many but I do think it reasonable.

It's better to have senior people on board for the initial incident and then let them rest and be back in during working hours to deal with on going fall out then.

MN isn't a large company. It's a medium sized one, and people need to take this on board even if they don't like it. I think they need to sharpen up, but I think some stuff said is unrealistic and many people should be a lot more worried about what goes on at multi national huge corporations with their data as people are getting away with a whole lot more without scrutiny.

The whole data industry needs a kick up the arse and people need better training. But without the law being properly enforced it's small fry like MN who get hung out to dry over these issues and not people who are abusing it on an epic scale.

JaneJeffer · 08/02/2019 10:04

I might put a photo of mine on my profile to scare away anyone who tries to hack my account.

Cbatothinkofaname · 08/02/2019 10:07

Floofy- don’t blame yourself for MN’s incompetence.

Like I said, I created a new email account after the last debacle, and use it only for MN, but I wouldn’t blame anyone else or say they were being naive if they’re using an email address with their name, or one which they use for other purposes.

There’s a real risk here that some people are side stepping the issue and minimising it as some unavoidable little mistake. This is seriously crap, and after the last massive data breach you’d think MN would take their responsibilities seriously.

The matey jokes about having a gin etc suggest that some users do really fit that stereotype- that MNers are all a bunch of middle class middle aged women with too much time on their hands who treat the forum like ‘JustineMumsnet’ is their bezzie and oh dearie me it’s all a bit of a palaver.

Fuck sake, there are vulnerable users on here who have bared their soul and deserve better.