
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we've become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don't know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don't as yet know which of those were actually breached (i.e. also affected by a mismatched login), although we know for sure it wasn't every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

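One way to sweep login logs for the mismatch Justine describes (a session that authenticated as one user but then served requests as another), as an added example that is not Mumsnet's code: it assumes a hypothetical log format with constructed sample lines, treats the announced window times as UTC, and also separates "accounts logged in during the window" from the accounts actually affected, which is the distinction the post draws.

```python
from datetime import datetime
import re

# Incident window from the announcement; times taken as UTC (an assumption).
WINDOW_START = datetime(2019, 2, 5, 14, 0)
WINDOW_END = datetime(2019, 2, 7, 9, 0)

# Constructed sample log in a hypothetical format (not real Mumsnet logs):
# timestamp, event, session id, and the user the request was attributed to.
SAMPLE_LOG = """\
2019-02-05T13:55:02 login sess=s1 user=u100
2019-02-05T15:12:00 login sess=s2 user=u200
2019-02-05T15:12:01 login sess=s3 user=u300
2019-02-05T15:12:05 request sess=s2 user=u300
2019-02-05T15:13:40 request sess=s3 user=u300
2019-02-06T09:30:00 login sess=s4 user=u400
2019-02-06T09:31:30 logout sess=s4 user=u400
2019-02-07T08:59:00 login sess=s5 user=u500
2019-02-07T09:05:00 request sess=s5 user=u600
"""
LINE_RE = re.compile(r"^(\S+) (login|request|logout) sess=(\S+) user=(\S+)$")

def parse(log_text):
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip malformed lines rather than abort the sweep
            ts, event, sess, user = m.groups()
            yield datetime.fromisoformat(ts), event, sess, user

def find_mismatched_sessions(log_text, start=WINDOW_START, end=WINDOW_END):
    """Return (accounts logged in inside the window, mismatches, affected).
    A mismatch (session, login_user, served_user, ts) is a session that one user
    authenticated but that later served a request as another user; both sides
    of the swap count as affected."""
    owner = {}  # session id -> user who authenticated it (dropped on logout)
    logged_in, mismatches, affected = set(), [], set()
    for ts, event, sess, user in parse(log_text):
        if event == "login":
            owner[sess] = user
            if start <= ts <= end:
                logged_in.add(user)
        elif event == "logout":
            owner.pop(sess, None)
        elif event == "request":
            expected = owner.get(sess)
            if expected is not None and expected != user:
                mismatches.append((sess, expected, user, ts))
                affected.update((expected, user))
    return logged_in, mismatches, affected
```

On the sample, four accounts log in during the window but only two sessions swap, and the affected set includes u600, who never logged in at all but whose data was served to someone else.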
loobyloo1234 · 08/02/2019 10:09

Dear Lord. The previous nine hours were midnight until 9am.

Imagine a bank said this if there was a security breach with their own systems Hmm sorry guys, just having 9 hours off to have a sleep

IceRebel · 08/02/2019 10:16

There’s a real risk here that some people are side stepping the issue and minimising it as some unavoidable little mistake.

I wholeheartedly agree with this, just loo at the 2nd post on this thread

Thank you for being so open and transparent.

These things happen, no harm done.

Some people are really minimizing the severity of the data breach.

Also still no email here, and I'm wondering how many people are going to miss this thread as they ignore stickies. I still think MNHQ need to have a pop up which has a link to this thread, to make sure all users are aware of this issue.

IceRebel · 08/02/2019 10:17

Just look, obviously there was no need for me to bring the toilet into this Grin

KataraJean · 08/02/2019 10:18

Thanks to the posters who replied on duplicate user names Flowers

Cbatothinkofaname · 08/02/2019 10:22

IceRebel- yes that ‘these things happen, no harm done’ post!

Dear god. Like that poster had JustineMumsnet round for a cuppa and she’d accidentally spilt some on the carpet.

What world do some posters live in that they see MN like this?!

IwantedtobeEmmaPeel · 08/02/2019 10:27

Bowlofbabelfish thank you for that, appreciate your advice.
I will be on to Mumsnet to see if I can get a direct answer, but actually seriously thinking of deactivating my Mumsnet account.

PetuliaBlavatsky · 08/02/2019 10:35

@C8H10N4O2 Mumsnet have been in touch with me directly about the random usernames I have in my keychain, I assume they'll update when they've got some more info.

sprucegrove · 08/02/2019 10:37

I think what has happened is far worse than a hack. Everyone knows that sophisticated hackers hack some sites. And that having great security does not always stop that.
This is different. This is internal incompetence.
If this was a forum where people really only do talk about recipes and tv that would not be a big deal. But there are a lot of people here seeking advice about incredibly sensitive situations.

Roomba · 08/02/2019 10:38

I really don't think it is unreasonable for a site that has hundreds of thousands, if not millions, of users to have 24hr tech support! It's not some single parent running a little website from their kitchen table here - Mumsnet can afford to pay staff to work at night ffs. And you don't need to ask some poor soul to work a 24 hour shift to achieve this. You can just, you know, employ more staff? And ask some of them to work the night shift every day? Hmm

There can be serious issues with people's data if it gets into the wrong hands. Just because MN doesn't hold your credit card details doesn't mean someone's life couldn't be seriously fucked up if the wrong person accessed their private messaging details, namechange history etc. There was a poor girl and her mother on a TV documentary the other night who had to move areas again because her father pieced together which school she attended from a small piece of data posted online in error. Adoptive parents use the site - many of their children's details must stay confidential for their safety. People post about private medical issues on here that they wouldn't want linking to their email address and rl identity. I don't think you can say 'no harm done' here with a straight face.

Tooldemont · 08/02/2019 10:40

Mumsnet grosses around 5 million every month, and doesn't employ many people.

Their response to this is pathetic.

clairemcnam · 08/02/2019 10:42

I hadn't thought about adoptive parents. You are right their information being breached is extremely serious. I have seen adoptive parents posting wanting support with their child's traumatised behaviour.

BoreOfWhabylon · 08/02/2019 10:45

I also have 2 BoreOfWhabylons in my username history. There's a few other nicknames in there that I use occasionally - Christmas etc - but they aren't duplicated.

Haven't changed my password and won't do so (yet) as people seem to be getting locked out when they do.

No email as yet

And I agree with everything RedToothBrush has said

Frainbreeze · 08/02/2019 10:45

Sorry for reposting, but I wanted to tag MNHQ/Justine in this. @JustineMumsnet @MNHQ

Although the biggest issue on MN technologically is piling new shite and updates onto a framework that is slow, buggy, and outdated. MN would be best-served by building from the ground up. Sooner or later there will be issues with the current methodology. Nothing to do with site design either.

Why don't you re-build rather than the current approach which isn't working, and clearly causing problems, the latest engineered in this thread?

IT people have likely been working on this overnight. As a former IT Engineer we didn't have time to post anything, anywhere. It can be slow, long and laborious to identify, repair and resolve an issue.

NellMumsnet · 08/02/2019 10:48

Hello, we are compiling FAQs that we're hoping will address many of your questions. We're sorry that this is taking some time -- we want to be 100% sure on each answer.
We'll post those asap on here and on a separate page so that they can easily be found and linked to.
We're also going through this thread to tackle individual account questions and are mostly contacting you directly rather than replying on the thread. But we will add any answers that would be useful to other people to the FAQs.
Thank you so much for all the comments and details.

C8H10N4O2 · 08/02/2019 10:51

Even IT people need to sleep and if they have been working flat out since the breach it's a ridiculous thing to suggest they should work over a 24 hr shift!!!

Which no one suggested.

What there should be is someone who can respond to questions with stock information, rather than unpaid volunteers.

The people investigating the problem and trying to fix it are not going to be the same people who are managing comms (or shouldn't be).

That said, I have absolutely done 24, 36, 48 hr shifts and longer in a crisis, most IT people will have done at some point (note I'm not suggesting this should be done here, just that it isn't quite the bizarre notion implied). 24/7 support for a commercial site which contains large amounts of data in this class should be in place.

This is basic breach protocol, not rocket science, especially for a site which holds a significant amount of both personal and sensitive data.

There have been numerous additional questions and concerns raised during this period as people access the site at different times of day. Many of the questions have been triggered by unclear answers earlier in the process - again weak breach protocol. The requirement for a clear and tested breach protocol is there to cover exactly this situation.

C8H10N4O2 · 08/02/2019 10:52

@PetuliaBlavatsky

Glad to hear they have been in touch, hopefully they have also contacted the other reporters and will publish something about it quickly so that all iCloud keychain users can check their situation. Even if it's just a warning being published.

RedToothBrush · 08/02/2019 10:53

Imagine a bank said this if there was a security breach with their own systems

a) The initial source of the breach was stopped
b) Are you really comparing a bank with thousands of paid employees and contractors to MN who will have a small IT team and will probably have to get in security specialists for this crisis because they don't have them contracted to them on a day to day basis?

If you are then I'm afraid you really do not understand the situation.

Banks have more security issues than you realise. They are just better at a) responding to them because they have dedicated teams for it b) have multiple highly skilled people on call able to do something about it faster.

Honestly it's like comparing apples and pears. People do need to realise what a company the size of MN has immediate physical ability to deal with. Yes they make a lot of money and yes they need to employ someone who does have this knowledge but I don't think it's viable to have whole teams on standby because they'd be sat there twiddling their thumbs 99% of the time.

It's something MN probably needs to outsource for, and that comes with its own complications.

Good security specialists are hard enough to find as it is. Too few and too much demand. Plus there has been an increasing skill set shortage since 2016.

Plus many IT specialists blag and exaggerate their ability and if you aren't knowledgeable yourself when you hire someone, it's easy to not realise the knowledge limitations of that hire. Smaller companies have a distinct disadvantage here because they don't have staff at the interview stage to be able to test the range of knowledge until you have a major incident.

MN have my sympathy on this level and I understand the limitations they have compared to a bank or other social media companies.

It still should not have happened and it still should have been handled far better and it's no less serious, but I'm realistic and pragmatic about it too.

madvixen · 08/02/2019 10:53

@GerryblewuptheER I've had 8 cold calls since yesterday morning but also haven't received an email stating that my account was one of the ones affected

C8H10N4O2 · 08/02/2019 10:55

@NellMumsnet

We're also going through this thread to tackle individual account questions and are mostly contacting you directly rather than replying on the thread. But we will add any answers that would be useful to other people to the FAQs

That is reasonable but please ensure all answers get published unless they involve personal information. Some of these issues will very likely affect multiple users and they will need to know to check, e.g. the iCloud keychain issue.

GerryblewuptheER · 08/02/2019 10:55

The numbers mad

Anything strange about them?

PrivateDoor · 08/02/2019 10:55

People concerned about phone calls - did you really have your phone number on your profile?

C8H10N4O2 · 08/02/2019 10:56

If you are then I'm afraid you really do not understand the situation

I do this for a living. So do many others on this site.

I know exactly how reasonable my expectations are - they are that a large commercial site with a massive userbase and significant banks of sensitive information test their bloody software and have a proper Breach Protocol and security support model in place.

clairemcnam · 08/02/2019 10:57

MN I know before when you are suspicious about someone you send them an email. You have said that you find trolls tend to use email accounts that they do not use for anything else.
But I and others who did use personal email accounts are now deregistering and setting up an email account purely for MN, because of the data breach.
So I suspect a lot more genuine posters will be wrongly banned if they post for support about something genuine, but that might sound like a troll. So for example someone posting distressed because their baby's poo nappy has exploded may now seem like the poo troll. Whereas before you would have looked and seen that they have been posting for 6 years about their 3 kids, so seems totally genuine.

GerryblewuptheER · 08/02/2019 10:58

No I didn't

But it's awfully coincidental ... especially as these numbers are different from the usual cold calls.

If they accessed my email it's possible somewhere I'm not sure. I post from my phone

clairemcnam · 08/02/2019 10:58

PrivateDoor MN attracts people who may not post on any other forum. MN is a large site, not a kitchen sink type site. So yes some people will have given very personal information as they trusted that MN would protect that information. I know they were wrong, but don't blame users for trusting MN.