
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

SophiaLovesSummer · 08/02/2019 15:59

FFS Blush - talk about proving how shite I am w tech anything!

@MNHQ I just checked my iCloud Keychain and have the same thing - three usernames stored that I've never used

^^^^ is what I want to check please but have zero clue how to go about finding it out Blush

BoreOfWhabylon · 08/02/2019 16:00

Sophia What do you want to check?

BoreOfWhabylon · 08/02/2019 16:03

Ah, sorry Sophia, cross-posted. MNHQ are working their way down the thread and answering individual queries by email and then updating FAQs if it's more than an isolated occurrence.

Donmesswime · 08/02/2019 16:05

I don't even know what an iCloud keychain is lol

WhentheDealGoesDown1 · 08/02/2019 16:14

iCloud key chain is on your iPhone and iPad and it is in settings and called Passwords and Accounts and has a picture of a key. On the next screen it is called Web and App passwords. If you save your passwords etc this is where they go so go into this, you will either need your Apple ID or fingerprint to view this, and check that you recognise everything on the list. It may be empty if you have never used it. It is also on Safari on a Mac in preferences - passwords.

WhentheDealGoesDown1 · 08/02/2019 16:19

This is far more succinct than my blatherings:

How to access passwords in iCloud Keychain on iPhone and iPad
Launch the Settings app on your iPhone or iPad.
Tap Accounts & Passwords.
Tap App & Website Passwords.
Use Touch ID if prompted to sign in to see your passwords.
Tap the login details for the website for which you want the password.

BBInGinDrinking · 08/02/2019 16:21

Gin?! Did a few pps mention Gin?!

Ah, I forgot, according to some we are not allowed to mention Gin or - God forbid - recognise our common humanity especially with anyone at MNHQ on these threads, are we?

We're mainly British on this site. Of course we're going to mention needing Gin when in dire straits. It's partly what helped to get us through two World Wars, Gin and not forgetting our sense of humour and Brew. They tend to come out in a crisis of small or epic proportions.

And I say this as someone who has reason to be extremely concerned about this data breach.

WhatTheNightBrings · 08/02/2019 16:24

Well, I don't think it's particularly wise to discuss anyone drinking any alcohol when they are working; in particular when they are dealing with sensitive information.

Graphista · 08/02/2019 16:26

"How, if we are registered users would our e-mail not be on your database?" I'd like to know this too. And if not why not?

I'm an active user and I've had the generic email now but took a while.

I do find it...odd...that a business that is entirely dependent on IT doesn't seem to have a good quality of IT support & security in place? I'm no expert but going off replies on this thread and also I've read elsewhere about when you've had other IT issues, surely that's where most of your investment should be? If for no other reason than to protect your business?

"b) Are you really comparing a bank with thousands of paid employees and contractors to MN who will have a small IT team and will probably have to get in security specialists for this crisis because they don't have them contracted to them on a day to day basis?" If they are clearing £5m a month I am! Hell even if it's £5m a year! I'm not expecting them to have the same set up but to have an equivalent in relation to size yes!

In a business operated entirely online I do expect them to have enough properly skilled IT employees to run the site as securely as possible, including at least a few on night shifts.

"I don't know why a few people keep harping on about the overnight volunteers (The Night Watch). They have no powers to comment on tech related stuff - they are only there to try to deal with overnight trolls and spammers and they have extremely limited 'powers'." People aren't criticising the volunteers they're criticising mnhq (rightly imo as trolls & spammers often post late at night & weekends when it's just the volunteers on) for not having appropriate paid staff covering those hours - not even a skeleton staff!

To the IT experts posting I'm shocked they have only 12 full time developers is this in line with industry standards given the size of the operation? I've worked with far smaller client bases and we had more IT people in terms of ratios and that was "real life" businesses.

Daddylonglegs1965 · 08/02/2019 16:28

OMG I can’t trawl through 32 pages!!! 😔 blooming heck how will I know if I have been affected please? I have been contacted by mumsnet via email what do I need to do how to know whether or not my data has been breached please in simple terms.

HankNPat · 08/02/2019 16:35

Graphista, I made the comment about harping on about the Night Watch. And I absolutely and totally agree with you that MNHQ needs to have a fully 24 hour, paid-for staff.

I just felt a bit sorry for the NWers who seemed to be coming in for a bit of stick from people who don't even realise what they do and were complaining that they hadn't commented on any of the threads overnight.

chubacca · 08/02/2019 16:36

Thank you for letting us know and please keep us informed.

I was reading the messages and thinking “I just clicked on the link in the email and went straight in without signing in”.
I clicked to write this and then got a login page as mentioned in previous posts asking if I want to login through Facebook etc.

I’ll keep my fingers crossed that it was just a glitch and the info is safe.

Tooldemont · 08/02/2019 17:12

Christ at some of the comments, handled well, it's free and MN aren't responsible for breaches in their data must be gf!

JaneJeffer · 08/02/2019 17:20

It's partly what helped to get us through two World Wars, You must be very old.

LyingWitchInTheWardrobe2726 · 08/02/2019 17:25

... or educated.

Smotheroffive · 08/02/2019 17:36

No email here still. I know there's a link somewhere to the updates of info as they happen, but it's truly worrying that something as simple as an email blat isn't working, and now, this late in the day, absolutely no excuse unless problems are still ongoing and big.

The faith is draining, it would be the simplest thing for mn to edit their OP with the links, it just doesn't feel very clever, or reassuring. It's not that I need an email, but that the email blat needs to have worked.

It comes across as an absolute insult with such large takings that users don't feel prioritised.

Smotheroffive · 08/02/2019 17:38

Good comeback Witchin to rude and unnecessary ageism.

LilyMumsnet · 08/02/2019 18:02

@Daddylonglegs1965

OMG I can’t trawl through 32 pages!!! 😔 blooming heck how will I know if I have been affected please? I have been contacted by mumsnet via email what do I need to do how to know whether or not my data has been breached please in simple terms.

If a user has been breached we will send an email to inform them of this (not the general email that has been sent out). Flowers

RowanMumsnet · 08/02/2019 18:06

Hello

We've now determined that the total number of accounts affected by this breach was 46. We will be contacting those users that we haven't already advised within the next hour.

Sorry that there are some unanswered questions on here. To anyone with an outstanding query: if you could please come over to this thread and post it on there it would help the team to answer more quickly.

Thanks
MNHQ

Smotheroffive · 08/02/2019 18:07

Thanks for update, any particular reason the team can't pick up last queries outstanding already posted once, twice, on here?

Smotheroffive · 08/02/2019 18:10

There doesn't seem to be any reason for user to have to refund and repost? How would it be quicker even? I am sorry, but this whole situation should be more user focussed not less.

BBInGinDrinking · 08/02/2019 19:05

The general 'send to all' emails are still on their way and arriving at this point.

Donmesswime · 08/02/2019 19:21

So are you saying that 23 pairs of users logged in at the exact same time over the three day period? Because that's not believable honey.

Donmesswime · 08/02/2019 19:23

You still don't know what happened.

MrMeSeeks · 08/02/2019 19:40

RowanMumsnet
So if we weren’t emailed in that hour (and only received the standard email) we weren’t affected?
