
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

JustineMumsnet · 07/02/2019 13:23

@CallMeSirShotsFired

I'm writing this on the app without any need to log back in.

Furthermore, I have just changed my password on desktop, so now I'm accessing my account on the app under an incorrect password.

I did actually try killing the app by swiping up to force a pw challenge - but it just happily opened up and here I am typing and submitting...

@JustineMumsnet @mnhq is this a gap in the process?

Hi CallMe, the app isn't affected by this breach. So no forced login required on that. (nb Passwords weren't able to be accessed anywhere either)

UpToAndBeyond · 07/02/2019 13:23

So an Intern named Emma did something similar, and warned people that they had others working at MNHQ who had similar sympathies.

How interesting a group knew ahead of time when there was going to be a good time to target the site and made a threat that has been carried out.

I recall the last time it was a Mumsnetter who first contacted the ICO, have you self reported?

WhatTheNightBrings · 07/02/2019 13:23

Several posters (myself included) have told MN that we are/were able to log into the site without using a password, but that's been ignored so far.

UpToAndBeyond · 07/02/2019 13:25

Is this a criminal offence? If so have the police been contacted?

WhatTheNightBrings · 07/02/2019 13:25

Hi CallMe, the app isn't affected by this breach. So no forced login required on that. (nb Passwords weren't able to be accessed anywhere either)

But CallMe changed their password. That absolutely SHOULD force logout/in on other devices.

DonDrapersOldFashioned · 07/02/2019 13:28

Time to ask for all of my posting history to be deleted and to erase my account. I’m not convinced that my data is safe in MNHQ’s hands.

Expect lots of incoming Subject Access Requests, MNHQ, as MNers are likely to want to know exactly what you have in relation to them.

GerryblewuptheER · 07/02/2019 13:28

Did anyone else get a weird phone call from a number they didn't recognise?

I got one yesterday from a number that appears to have too many digits.

I'm hoping it's unrelated?

Can you please confirm my account is/was safe?

DecumusScotti · 07/02/2019 13:29

@AornisHades

Is it fair to say that if you were logged in before Tuesday and remained logged in until the forced logout this morning, you should have been safe from anyone accessing your account?

I don’t think being logged in would make a difference. On the other SiteStuff thread, someone logged into a different account posted a message, and the real user of the account then posted to confirm it wasn’t them. It’s like someone logging in on a different device while being logged in elsewhere, I think, but basically no, I don’t think it’s safe to say your account hasn’t been accessed.

CallMeSirShotsFired · 07/02/2019 13:29

I have just changed it again, to be sure. This time I have had to log in to both website and app.

I also recommend googling for "password generators" (I don't want to provide links as it might look suspicious) - they generate random strong pw.

bubblewire · 07/02/2019 13:29

Are you able to tell which accounts have been accessed?

paxillin · 07/02/2019 13:30

Am I reading this right, you are only aware of the incidents that users have voluntarily reported to you, hence only those 14?

WonderTweek · 07/02/2019 13:30

Has anyone contacted the ICO yet?

Ereshkigal · 07/02/2019 13:30

Hi CallMe, the app isn't affected by this breach. So no forced login required on that. (nb Passwords weren't able to be accessed anywhere either)

Is that both iOS and Android app @JustineMumsnet? So only desktop and mobile site?


JustineMumsnet · 07/02/2019 13:31

@AornisHades

Is it fair to say that if you were logged in before Tuesday and remained logged in until the forced logout this morning, you should have been safe from anyone accessing your account?

Yes we're 99% certain this is the case Aornis. Investigations so far show that 5 out of 5 incidents on switched logins occurred when users logged in at exactly the same time as another user. We are checking every incidence of switched logins we know about to make sure that's how the problem occurred - we'll obviously update as soon as we're certain that's what happened.

SophiaLovesSummer · 07/02/2019 13:32

@JustineMumsnet I know I was logged in over that time - can you please confirm that you absolutely will be letting me know if mine was breached? IE that your investigation has a goal outcome that includes ID'ing all and any affected accounts; ditto that every person affected will be informed?

I've been threatened on Twitter with doxxing simply for saying I absolutely support transwomen's rights but am concerned about self ID being abused by predators, IE a threat to actual transwomen as well as bio women and girls yet even just for THAT I got trolled and threatened. This is real life and real threats and you absolutely need to bottom this breach, ESPECIALLY given how many of us are overtly reporting to you threats of doxxing. IE is this a coincidence or a targeted hack?

WonderTweek · 07/02/2019 13:32

Ahh sorry, just noticed that MNHQ will be contacting the ICO.

Breadnroses · 07/02/2019 13:34

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account

I have been posting this morning, no enforced logout here. Was this on the main site as well as the app?

PearsandWine · 07/02/2019 13:35

It does sound as if some posters are not using special purpose emails and are using real names and addresses and possibly other info.

Irrespective of anything else PLEASE don't use your real details for any SM site inc MN and FB. If you have please deregister and re-register.


JustineMumsnet · 07/02/2019 13:36

@bubblewire

Are you able to tell which accounts have been accessed?

We are working on it - as said there is a pattern that we've established which is pointing us to believe it's a case of a problem when there's synchronised login between 2 different accounts. That would mean that it's relatively rare and we should be able to systematically ascertain any other accounts where this occurred in the last few days and which user had access to them. Our team are working hard on this and we should have more definitive answers soon.
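The log review described in the post above, as an added example that is not part of the thread and is not Mumsnet's code: it scans a login log for different accounts that logged in at (nearly) the same moment inside the stated incident window, which yields the candidate switched-login pairs and the accounts to notify. The log format, account names and one-second tolerance are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Incident window as stated in the announcement (local time assumed).
WINDOW_START = datetime(2019, 2, 5, 14, 0)
WINDOW_END = datetime(2019, 2, 7, 9, 0)

# Constructed sample log: "<ISO timestamp> <account> <client IP>".
# Account names are invented; IPs come from the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
2019-02-05T13:59:58 alice 192.0.2.10
2019-02-05T14:03:11 bob 192.0.2.11
2019-02-05T14:03:11 carol 192.0.2.12
2019-02-06T09:15:40 dave 192.0.2.13
2019-02-06T09:15:41 erin 192.0.2.14
2019-02-06T21:00:00 frank 192.0.2.15
2019-02-07T09:30:00 grace 192.0.2.16
2019-02-07T09:30:00 heidi 192.0.2.17
"""

def parse(log_text):
    """Turn log lines into (timestamp, account, ip) tuples, skipping blanks."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, account, ip = line.split()
            events.append((datetime.fromisoformat(ts), account, ip))
    return events

def coincident_logins(events, tolerance=timedelta(seconds=1)):
    """Pairs of distinct accounts that logged in within `tolerance` of each
    other inside the incident window; each pair is a candidate switched login."""
    in_window = sorted(e for e in events if WINDOW_START <= e[0] <= WINDOW_END)
    pairs = []
    for i, (ts, account, _ip) in enumerate(in_window):
        for ts2, account2, _ip2 in in_window[i + 1:]:
            if ts2 - ts > tolerance:
                break  # sorted by time, so nothing later can match
            if account2 != account:
                pairs.append((ts.isoformat(), account, account2))
    return pairs

def accounts_to_notify(pairs):
    """Every account that appears in at least one candidate pair."""
    return sorted({a for _, a, _b in pairs} | {b for _, _a, b in pairs})

if __name__ == "__main__":
    found = coincident_logins(parse(SAMPLE_LOG))
    print(found, accounts_to_notify(found))
```

A pair flagged this way is only a candidate: confirming a switch needs a second signal, such as the session's later requests coming from the other account's usual client.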

Mmmmbrekkie · 07/02/2019 13:38

When I went on this morning I had been logged out.
First time ever happened
I didn’t log myself out
Does this have something to do with it?

BBInGinDrinking · 07/02/2019 13:39

MNHQ believe it's the software change, but don't know for sure?

CallMeSirShotsFired · 07/02/2019 13:39

Anyone else noticed how this is being hijacked by the anti-trans brigade?

Gosh, you should report those posts then. I can't see any so maybe you already did.

All I can see is a number of posts from users who are worried about their personal online security for several reasons; including the proven and very real instances of deliberate and targeted attacks on people with opposing viewpoints.

SchadenfreudePersonified · 07/02/2019 13:40

What's doxxing?