
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

JaneJeffer · 08/02/2019 21:53

What about WW1 then since you mentioned TWO world wars?
That happened before WW2 so you would be positively ancient in that case.

HaudYerWheeshtYaWeeBellend · 08/02/2019 22:07

I asked this on the other thread

From @JustineMNHQ - Yes, sorry, we've only sent mails to those accounts we know for sure were breached. Not to those who were able to log in as someone else yet. It's on our list to do first thing. Name changes shouldn't affect this

I thought the breach was that you were able to log into someone else's account and those individuals had been emailed/PM'd?

Surely you must understand the switched accounts are also breached.

The above post is contradictory and therefore many users are confused. I understand investigations are proceeding, however surely you can see the confusion here?

They have then gone on to say 46 accounts have been breached! So are those 46 including those who were able to access other accounts...

homemadegin · 08/02/2019 22:11

I've no idea what's going on with my account. I stay logged in on iPad and phone. I've had to log in again every time today. I have no watched threads because I'm not logged in Hmm but have I'm on threads, because I'm logged in,

When I scroll down any topic, the top maybe twenty threads just keep appearing over and over again.

HaudYerWheeshtYaWeeBellend · 08/02/2019 22:12

I posted the above at 7.06am this morning and still no one has replied Hmm

BBInGinDrinking · 08/02/2019 22:27

Reports of my death have been greatly exaggerated.

JaneJeffer · 08/02/2019 22:30

BB you have your own personal army ready for WW3 Grin

NotAgainSilly · 08/02/2019 22:32

I received an email to say that although I had accessed someone else's account, nobody had accessed mine.

That makes no sense though.

LilyMumsnet · 08/02/2019 22:38

@HaudYerWheeshtYaWeeBellend

Yes, sorry, we've only sent mails to those accounts we know for sure were breached. Not to those who were able to log in as someone else yet. It's on our list to do first thing. Name changes shouldn't affect this

@JustineMNHQ I thought the breach was that you were able to log into someone else's account and those individuals had been emailed/PM'd?
I'm confused

Thank you for the updates, I haven't also received an email, however not concerned with that. I hope your child has a Happy Birthday today.

Hello,

Apologies for any confusion here. We have emailed users who were accidentally logged into an account that wasn't their own.

QwertyLou · 08/02/2019 22:41

@HankNPat
Yes, and I appreciate that. However, not everyone logs on every day, and some of us are in different time zones. People could easily scroll past a bland-looking “FAQ” thinking it was just another admin note. Whereas a “please read” thread with 700 replies will get clicked on.

People need to know so they can protect themselves in the future (by setting up a throwaway email address or whatever).

But I haven’t received an email, so I assume others haven’t either. It’s okay for me, I happened to look at AIBU yesterday and saw this thread. Others may be completely in the dark though.

I didn’t mean my earlier comment in a snarky way, I know it’s a stressful situation for MN and that people are working hard to resolve it.

HaudYerWheeshtYaWeeBellend · 08/02/2019 22:46

Your reply doesn’t answer my concerns MNHQ Hmm

Replied to the other thread,

AuntieStella · 08/02/2019 22:56

@rowanmumsnet @lilymumsnet @nellmumsnet

With apologies for tagging all of you, but it's a bit difficult to work out who is actually handling which aspect of this.

We've had a big clear out post gdpr and deleted accounts that haven't opened mails for a bit, so not necessarily - only a proportion of those who've registered are on our email database. As said the email only contained the info in the OP here

I asked earlier in the thread about whether the promised deletions of old email addresses had taken place. Could you give a simple yes/no answer to that please?

(Background: in one of the previous security breaches, it became clear that MN was keeping old email info, even when members updated their details. MNHQ undertook to delete all past addresses and keep only the up to date one. Has that taken place?)

HelenaDove · 08/02/2019 23:11

"I bet if those posters had their personal data compromised through some balls up with a bank, a school, some big retail store or whatever, they’d be posting on MN in shock and anger about it!"

I know of two housing associations with very similar problems but no one gives a shit cos it's only tenants affected.

Xenia · 08/02/2019 23:21

In theory, although I don't want to add to MN's work, users can make access requests to ask what data is held about them under DPA 2018/GDPR and that would probably give them their old email addresses if held or confirm they are not held. Some organisations, to save the work of that, have a user log in to see what data is held but that isn't necessarily always the best way to do it.

Smotheroffive · 08/02/2019 23:29

Following up on others' comments about their name change lists having duplicates. I just checked mine, it's gone bonkers. Never had a duplicate before, so the system clearly hasn't been reset to before the upgrade started. I have quadruple or more instances ...

None of the MNHQ answers seem to be actually really true!

Smotheroffive · 08/02/2019 23:30

Xenia the process has already been posted a few times now

OrangeJuicy · 09/02/2019 05:09

going forward is it possible to make it so email addresses would not be visible. star it out * apart from like 1 or 2 letters ?

HotChocolateLover · 09/02/2019 07:21

Aww poop, I was logged out under my old username and don’t remember my password. Have had to create new name #stormsoffinahuff

And yes, this isn’t very good. Not sure what ‘dox’ is though.

NellMumsnet · 09/02/2019 09:09

Hello,
Hope we can clarify, now that we have more information about what happened.

This is what happened after the software release on Tuesday:
When two people log in at the same time, there is a very small delay between them (milliseconds), and the first person to login (user A) was sometimes given the account of the second user (user B).
User B logged into their own account as normal; they were not given user A’s account.
This happened on 46 occasions before we reversed the software and logged everyone out.

As soon as we identified all user Bs, we emailed them directly to explain that their account had been breached.
We have also emailed user As to let them know they were accidentally logged in to someone else's account.

On Thursday we also sent an email to ALL users to tell them about the issue. It is taking time to get this email delivered to all accounts as there are around a million.
We used wording like “last night” and “this morning” in the email — this was a mistake, as we expected the emails to go faster. We'll change it for the ones still to go out.

We will put this information on the FAQs page.
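
The user A / user B pattern described in the post above can be searched for in login logs by comparing who authenticated with which account the session was bound to. This is an added example, not Mumsnet's code and not part of the thread; the log format, field names, the 50 ms window and the function name are all assumptions, and the sample lines are constructed.

```python
import re
from collections import namedtuple

# Constructed sample log lines (hypothetical format, not Mumsnet's):
# <epoch_ms> <event> req=<request id> user=<account name>
SAMPLE_LOG = """\
1549375200120 auth_ok req=r1 user=alice
1549375200123 auth_ok req=r2 user=bob
1549375200125 session_issued req=r1 user=bob
1549375200127 session_issued req=r2 user=bob
1549375260000 auth_ok req=r3 user=carol
1549375260004 session_issued req=r3 user=carol
1549375300000 auth_ok req=r4 user=dave
1549375300003 session_issued req=r4 user=erin
"""

LINE_RE = re.compile(r"^(\d+) (auth_ok|session_issued) req=(\S+) user=(\S+)$")
Mismatch = namedtuple("Mismatch", "req user_a user_b gap_ms")

def find_switched_logins(log_text, window_ms=50):
    """Return logins where the session was bound to a different account than
    the one that authenticated. user_a is who logged in, user_b is whose
    account they received; gap_ms is the distance to user_b's own login, or
    None if user_b did not log in within window_ms (needs manual review)."""
    auths, sessions = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, event, req, user = int(m[1]), m[2], m[3], m[4]
        (auths if event == "auth_ok" else sessions)[req] = (ts, user)

    results = []
    by_time = sorted(auths.items(), key=lambda kv: kv[1][0])
    for req, (auth_ts, auth_user) in by_time:
        if req not in sessions or sessions[req][1] == auth_user:
            continue  # no session issued, or session matches the login
        account = sessions[req][1]
        # Look for the account owner's own login close in time.
        gaps = [abs(ts - auth_ts) for r, (ts, u) in auths.items()
                if u == account and r != req and abs(ts - auth_ts) <= window_ms]
        results.append(Mismatch(req, auth_user, account,
                                min(gaps) if gaps else None))
    return results
```

A result with `gap_ms` set matches the concurrent-login pattern from the post; one with `gap_ms` of `None` is a mismatch with no nearby login by the account owner and would need separate investigation.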

AskingQuestionsAllTheTime · 09/02/2019 15:04

Thank you for all the effort you have put in, and for this very clear explanation of what happened.

For what it is worth, I got an email from you today, datestamped Sat, 9 Feb 2019 13:44:13 +0000 (UTC), in which dates and days of the week are given. It seems entirely clear, non-alarmist and reasonable to me.... But then, so did the original post in this thread.

Smotheroffive · 09/02/2019 16:51

Dox comes from the file format of Word documents, .doc and .dox. It's used to portray the way that online documents/data is taken and spread to a wider audience, often to discover and reveal to the world who an online user really is, so revealing their personal data from info taken from online dox.

Does that make sense? It's malicious data breaching to out people/info

PennyandVince · 09/02/2019 18:56

@MNHQ

deleting my account now.

PennyandVince · 09/02/2019 18:59

p.s. ALL data should have been encrypted not just passwords.

entire family have worked in Systems Analysis for years. No excuse.

Smotheroffive · 09/02/2019 19:04

Something a lot more gone on than being stated here, specifically wrt all the other unanswered issues also being encountered and ignored.

Not least that something as simple as an email has failed so abysmally. Still not received the promised email from two (or was it three) days ago now. The updated email blat clearly has worked. It's just not as simple as what it's being portrayed as.

RedToothBrush · 09/02/2019 19:31

p.s. ALL data should have been encrypted not just passwords.

Er so if someone sends me a pm with their email on, it should be encrypted. Just how do I read it then?

Or if I'm reading my own profile it should be encrypted to prevent the issue in case someone else is accidentally logged into my account.

Your entire family might work in system analytics for years, but I think you might have missed a bit of the issue here.

You know about users being able to use MN.

I thought user functionality was a pretty important feature of the Internet in addition to security. But my mistake.

LyingWitchInTheWardrobe2726 · 10/02/2019 16:58

Smother, were you personally affected? Actually had the issue that Worra did? Or something else that actually happened to your account?

Why do you keep on about having this generic e-mail when it's already been stated that it will contain only what's already in the very first post of this thread? Is it just so that you can say that you've had it? I haven't had one, wasn't affected, assume that as it hasn't arrived that the sheer volume has caused a blockage and truly don't see the point.

As long as those 46 account holders - and anybody else who was actually affected - have been contacted by MNHQ then does it really still warrant this constant reminding about an e-mail that won't inform anybody of anything they don't already know.

If you really feel aggrieved then why not get in touch with MN directly instead of repetitively posting this very petty gripe here? It's starting to smack of rabble-rousing rather than anything genuine. You can't sensibly say that "Something a lot more gone on than being stated here", because you don't know that. It's speculating, nothing more. If you really believed what you're saying - and were concerned, you'd get in touch with MNHQ.

I absolutely think that for some posters, this is the most exciting thing to have happened for them since the last time when the sky didn't fall in.
