Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

TheTitOfTheIceberg · 08/02/2019 11:46

I think the underlying issue is that MN does not have the IT support that a business with a million users and a turnover of around £8m should have. Thorough software testing is vital but is often seen as an area where savings can be made because cutting corners on certain areas of testing is a low risk/high impact scenario. Unfortunately this is one of those times that the unlikely outcome did happen and now we have thousands of users feeling the impact, even if the majority is lost confidence rather than actual harm.

If MN is to keep its greatest asset - its membership - then it needs to start investing in a proper IT service; one run on ITIL principles, with the knowledge and skill to both manage risk and communicate with users appropriately; adequately staffed to provide 24/7 cover when serious incidents occur; and basically shit hot at their job and their knowledge of emerging technologies. Otherwise, we're simply going to leave in droves because we don't feel safe here.

Yes, it's good practice to register for websites with one-time-only email addresses (something I already do), yes, breaches can happen anywhere because hacking is big business and yes, I have sympathy for stress caused to the humans involved in having to fix this as much as those affected. But this wasn't a hack - this was a failure of software management. And every time a problem occurs here, it's dealt with amateurishly: half-understood information passed on then backtracked, gaps in communication, conflicting messages etc etc. It's not good enough really, is it?

kaytee87 · 08/02/2019 11:46

I doubt very much that Mumsnet is legally responsible for an accidental security breach

I said they have a legal responsibility to protect our data. They also may be fined for this breach. The ICO will decide on how negligent they think Mumsnet have been. Companies can't just say 'oopsy it was a mistake'.

BoreOfWhabylon · 08/02/2019 11:47

Someone has just posted this on reddit. Is this true MN?

It was posted on this thread actually.

loobyloo1234 · 08/02/2019 11:50

If you are then I'm afraid you really do not understand the situation.

@RedToothBrush - maybe it is YOU that does not understand the situation. My point was to excuse MN from doing any replying to individual concerns for 9 hours (just because that is when most people are asleep) is not acceptable. I am not one of those affected. I do however have sympathy with anyone who is now worrying about their personal information being compromised.

Xenia · 08/02/2019 11:51

Anyone interested in their privacy rights by the way may want to do what I did recently, which is opt out of the new NHS database. I had to do it by post as they did not have a mobile number or email address for me on record and I was not happy to give them one. digital.nhs.uk/services/national-data-opt-out-programme

SparklyUnicornShite · 08/02/2019 11:52

@MNHQ
I still have not received an email from you.
Please can you tell me if my data has been breached?
Thanks.

RedToothBrush · 08/02/2019 11:52

What tit said.

shiveringtimber · 08/02/2019 11:55

Okay, yes. Mumsnet should have a legal responsibility to keep our personal information private. But as to what we choose to post in public, even under an assumed name, that should be our responsibility. Either we take an informed risk or we don't post at all. That's always been my understanding, anyway.

JustineMumsnet · 08/02/2019 11:59

We've made an FAQs page which covers lots of the questions that are coming up multiple times and started a new thread if you think we've missed anything. Thanks

UnderMajorDomoMinor · 08/02/2019 12:03

I think this has been handled relatively well. Quick action was taken, we’ve been kept up to date, it’s not malicious.

When you think how long it takes email providers like Yahoo to notify you, if they ever do, this response seems proportional.

Dewysungoddess · 08/02/2019 12:04

I've just logged in on the app and then changed my password on the desktop version and gone back in via the app and haven't been asked to rekey my password. As other PPs have said, shouldn't this have triggered a relogin page?

Puzzledandpissedoff · 08/02/2019 12:06

As far as I'm aware, no one pays to use MN

Not directly, no - although I suspect we'll be asked to, if this current mess means employing better IT staff

As PPs have said, though, users are in effect the product. They keep the site busy enough to enable MN to sell advertising, entire threads and whatever else, so it's their very use of the site that enables the company's profits

C8H10N4O2 · 08/02/2019 12:09

I doubt very much that Mumsnet is legally responsible for an accidental security breach.

Are we giving out Darwin Awards this week?

As far as I'm aware, no one pays to use MN

Of course you do. Not in cash terms but by posting and engaging here you are the product.

SinisterBumFacedCat · 08/02/2019 12:11

I notice that a poster on here is trying to prove their point about internet security by posting details about another poster's (who disagreed with them) Mumsnet history. Is this now acceptable?

BoreOfWhabylon · 08/02/2019 12:19

Sinister I reported those posts. Suggest you do as well. Not on, imo

BeneathTheBoughs · 08/02/2019 12:22

I doubt very much that Mumsnet is legally responsible for an accidental security breach

Of course they are. It's called negligence. GDPR has strengthened consumer protection and compensation is payable where loss occurs. The ICO can fine etc but individuals can also pursue their own claims.

DecumusScotti · 08/02/2019 12:23

I think this has been handled relatively well. Quick action was taken, we’ve been kept up to date, it’s not malicious.

The issue was first flagged up in Site Stuff on Wednesday evening, and Mumsnet didn’t start actually addressing it until the following morning, so it took them about 9 hours, and in the meantime the problem was presumably continuing. That’s not quick.

AlphaNumericalSequence · 08/02/2019 12:25

Agree with UnderMajorDomoMinor: They have handled this well in terms of keeping users informed and they seem very on the ball (as of course they should be!) about their data protection responsibilities, and about the GDPR procedures that must be followed when there is a data breach.

I don't know how avoidable the tech failure was, but I felt quite reassured by the info on the new FAQ page about increased spending on tech and development, and the modernisation of the platform.

AlphaNumericalSequence · 08/02/2019 12:28

Wow! According to that article, only 4,000 users logged in over the affected three days. I had no idea the posting community was so tiny!

Xenia · 08/02/2019 12:33

(The Guardian article is not quite right - it is not every data breach which has to be reported under DPA 2018/GDPR)

OlennasWimple · 08/02/2019 12:36

Alpha - I tend to stay logged in on my laptop, so presumably I wouldn't count as a new user log in over those three days even though I was active during the period?

AlphaNumericalSequence · 08/02/2019 12:38

Ah, yes - I hadn't thought of that.

RedToothBrush · 08/02/2019 12:47

All personal information that a company holds about you or on your behalf must be protected according to law.

MN having a data leak of this nature IS in breach of the law.

As such I think MN, only having certain senior people address concerns rather than more junior members of staff or volunteers overnight is the legally savvy approach.

If you think you are getting something for free in return for personal information (name, address, email etc) then you are very much mistaken. You have sold your data in exchange for whatever it is, which may indeed have a financial cost to you in future through the ways in which your data is used. What may seem free is paid for. The fact you are not aware of it is irrelevant.

HaudYerWheeshtYaWeeBellend · 08/02/2019 12:54

I doubt very much that Mumsnet is legally responsible for an accidental security breach

Hmm, of course they are, hence why they are required by law to report themselves to the ICO!

They are legally responsible.