Mumsnet data breach - please read

[JustineMumsnet]

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts

What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

Claire I don't see me blaming anyone, calm down! I simply asked was their number even there, and a poster replied nope it wasn't. Therefore it seems odd to be blaming MN on cold calling when MN didn't actually have their number? I feel there is a bit of hysteria here which is upsetting some posters, some rational thought is needed.

Each time it’s offhand sorry, gin and tea and won’t happen again. Until it does

If people shouldn’t trust this site they can put a big sticky saying we are not secure as this site does lead people to posting personal stuff

Not good enough, on multiple counts. I have only just now seen this thread.
I've received no email, so I would not have known otherwise. This kind of thing has happened too many times with Mumsnet now. This is such a serious matter.

Also, I'm not going to trawl through hundreds of posts for a full picture. Can you contact me to tell me if my account was affected.

What sort of security risk are we talking about?

Someone has just posted this on reddit. Is this true MN?

*I'm concerned that I've had an email from Mumsnet about this matter but not sent to the email that is registered with my Mumsnet account and to which Mumsnet have always sent emails before. They have sent an email to my hotmail account which I don't use for Mumsnet - what is happening here?

If you've never used that email in any comms with MN, the only explanation is data linking via one of the third party vendors they use.

If that’s what’s happened it’s a VERY big deal, and absolutely illegal. You need to follow up on that as a matter of urgency, because it’s capable of linking your account here to almost any other online presence you have.*

shiveringtimber People share personal info in DMs. I know posters like AnyFucker have supported abused women through DMs. Those DMs, alongside email addresses, are very personal information.

Not good enough, on multiple counts. I have only just now seen this thread. I've received no email, so I would not have known otherwise.

I posted about this earlier, this thread doesn't really stand out so is easily missed. There really does need to be another way to alert users, something much more in your face, such as a pop up, to make sure everyone is aware.

Also, people need to learn about helping themselves. If they HAVE given out personal info, then maybe this will prevent them doing it again. I was one of the people who had their passwords and email addresses published last time and it was a massive wake up call because numpty here used the same password for everything!!! So it was a massive breech for me. Obviously I learned a massive lesson from it and use unique and weird random passwords now for everything!

No I don’t think it’s on the users for this in any way

privatedoor I agree users need to know that they can not trust MN to keep their data safe. But I understand why users have trusted MN.

But it's common knowledge that anything posted on a public forum, or on the internet in general, is not secure. Surely everyone knows that?

It’s public but no you wouldn’t expect the security to be so bad what has happened happens

There’s a lot of people posting sensitive stuff on here

Ok make it obvious no one should

Shivering, does it not surprise you that someone could potentially have logged into your account? Do you think that is normal on the internet then? Would you be happy enough if someone could log on to your facebook, email, internet banking?

Whilst I think this thread has gone a bit far, it does seem odd to suggest that breaches like this are normal.

Like the previous breach, I did believe my log in details were secure, yes. I was very surprised to find my email address and password were published online for all to see. Would this not surprise you?

Any account, be it bank, health records, Facebook, MN, whatever that is on the Internet can potentially be hacked. There is no such thing as guaranteed privacy or security on the Internet.

Sounds like a get out clause for mn and substandard security

As far as I'm aware, no one pays to use MN. Why do they "owe" us anything? They do their best but there's always going to be a security risk. It's naïve to believe otherwise. You share your privacy at your own risk.

I don't think anyone is denying that things posted on an Internet forum isn't private.

What should be kept private is email addresses, full names, personal messages etc. No excuses.

'Someone has just posted this on reddit. Is this true MN?'

Maybe they'd be better off posting it here? It's a stretch to ask mnhq to answer queries from another site .

As far as I'm aware, no one pays to use MN. Why do they "owe" us anything? They do their best but there's always going to be a security risk. It's naïve to believe otherwise. You share your privacy at your own risk.

They 'owe' us because they have a legal responsibility to protect their users data. What has paying to use mumsnet got to do with anything? Do you think mumsnet run this website out of the kindness of their hearts? They're raking in money from advertisers and tabloids and the only reason they are able to make this money is due to their users.

Any account, be it bank, health records, Facebook, MN, whatever that is on the Internet can potentially be hacked. There is no such thing as guaranteed privacy or security on the Internet.

This.

Unfortunately.

I think we will see a massive healthcare data breech at some point. As it is many people have had their medical history 'sold' without their consent.

I do think there is a lack of awareness in data and what can be used, abused and leaked.

People need to take an on balance approach to data security. What do you get from MN is it worth it? For many vulnerable people if there is no where else to go for help, then yeah it's valuable.

I don't know. I'm angry about this, but far less concerned than a leak with malicious intent. My concern going forward relates more to MNs lack of understanding of security and it issues and how that leaves them exposed to future malicious leaks. They need to do better and take security more seriously.

Get real, kittykat! That's impossible to guarantee.

I doubt very much that Mumsnet is legally responsible for an accidental security breach.

Mnhq are woeful in this regard. Completely out of sync with good standards

It’d be a point if they actually got close to the things listed

As far as I'm aware, no one pays to use MN. Why do they "owe" us anything? They do their best but there's always going to be a security risk. It's naïve to believe otherwise. You share your privacy at your own risk.

Facebook is free too.
They all have a responsibility to protect our data.
Doing anything online carries a data-breach risk, but that doesn't absolve the provider from having the best security they can.

All of this has happened with the new log-in procedure when they fiddled with it earlier in the week.

There are often teccie issues with MN.

I assume it's because they are not willing to pay for the best software people out there.