
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

Downtroddenhousingass · 10/02/2019 17:12

Only the sensitive data needs to be encrypted.

I agree there's more at play here.

MN took years just to switch over to Https - such a simple change that only happened after they were hacked. It's always been quite amateur and not at the level you would expect for such a profitable site.

Smotheroffive · 10/02/2019 17:15

You'd be wrong in that lying. If you look properly you will also see that I have posted in support of MN and helped them, and been acknowledged for that, so frankly have no idea what you're on about with your made up drama!

LyingWitchInTheWardrobe2726 · 10/02/2019 17:23

Smother, I haven't read every post on this thread but days later your last one isn't in support or helpful to anybody, just casting more doubt when you don't know (none of us does). If not drama then just plain old stirring.

You're still free to post it though and so are others to respond.

Smotheroffive · 10/02/2019 17:32

Yes of course I am free to post and you are free to continually misconstrue my intent, don't need your statement telling us all we are free to post and reply, we all know this. You are, however, wrong about your nasty accusations of shit stirring. I am telling you you are wrong, and only I can know that, despite what you think. There is enough on this thread without any nastiness to derail.

QwertyLou · 11/02/2019 03:42

does it really still warrant this constant reminding about an e-mail that won't inform anybody of anything they don't already know

But not everyone does know about it. Yes, anyone who has read this thread or the FAQ one does. And some people in the UK might have seen it in the news.

But others have no idea. Which means they cannot take protective steps in response - like setting up a burner email address or whatever (which I hadn't realised we are supposed to - I only found out in response to this).

That is why the email send-out is important - not for any of us, but for others.

On a positive note.. I have now received the email! So hopefully others now have too.

QwertyLou · 11/02/2019 03:48

PS also smother I have appreciated your posts and those of others with insight into how it all works... so thanks to everyone who has taken the time to share insights.

LyingWitchInTheWardrobe2726 · 11/02/2019 08:33

QwertyLou, the e-mail though was only going out to those registered. Anybody who was signed in or would have tried to access Mumsnet would have been forced to sign in again because the system was re-set.

C8H10N4O2 · 11/02/2019 09:45

p.s. ALL data should have been encrypted not just passwords

Er so if someone sends me a pm with their email on, it should be encrypted. Just how do I read it then?

The same way you do now. Data is encrypted whether stored or in transit between points but as a user logged in through the authentication process you can read it.

This is standard practice and increasingly industry regulators are looking to encrypt all data not just sensitive data. There are a whole range of reasons for this, some legal, some technical but it's perfectly possible to encrypt all data whilst making it available to users.

That is a separate issue from whether it should be encrypted.

QwertyLou · 11/02/2019 12:29

Yes I thought the email was sent to everyone registered with the site. I.e. anyone who has signed up with an email address and username. I understand it was sent to 1 million addresses. So LyinwitchInWardrobe I don’t think we are in disagreement?

Smotheroffive · 11/02/2019 13:10

There were 2 emails, not the email. Thanks qwerty

LyingWitchInTheWardrobe2726 · 11/02/2019 15:37

QwertyLou, I don't think we're disagreeing, no. My understanding was:

  1. E-mail to everybody registered saying exactly what's in the first post; and
  2. Direct e-mail to anybody affected by the breach, ie. the 46 users.

I think the only mistake MNHQ really made was to promise the first (I haven't had one and really don't need one). The important contact, once the thread was posted, was with the users who were actually affected, ie. the 46.

We're not party to what's going on behind the scenes. Do we really need to be? I personally think not. I'd rather that MNHQ be busy 'pulling up the drawbridge' to prevent a recurrence than keep posting on the thread to keep users updated with the same status. Tell us all when it's done and everything's safeguarded, answer questions then if there are any.

I'm just very glad that it's not my job to look after it... we'd really be up shit creek!

Smotheroffive · 11/02/2019 15:42

Incorrect Lying as I said, two generic emails. One specific, and to what degree I am or not affected is irrelevant. Don't be shutting other users down, and no, it's not 'the important' thing, other users are suffering other issues, so again, don't be shutting down other users.

LyingWitchInTheWardrobe2726 · 11/02/2019 15:54

Smother, you do you and I'll do me. Don't tell me what I can and can't post. You're welcome to your opinion and I'm glad I made that point in my previous post to you because you're doing exactly that.

I don't want to get into any more debate with you, I have better things to do. Let's leave it there.

Smotheroffive · 11/02/2019 16:26

I think you have it wrong again! Stop telling ME what I can and can't do, i.e. shutting me down! Leave off and mind yer own business. You came on here and had a go at me, your post, it wasn't the other way around so don't try to make it so.

RedToothBrush · 12/02/2019 09:08

I never did get an email from MN over this. I thought one went out to all users?

I don't need one as such, but MN should be aware that however they mailed people it seems to have failed.

And nope nothing in my spam and I regularly get MN emails.

Zapped into cyberspace oblivion.

Xenia · 12/02/2019 10:34

Same here, RTB. They obviously have my email address as when someone mentions me in a post I get a MN email to that email address of mine, so perhaps something went wrong with the 1m emails going out. It doesn't matter to me as I read about it on here.

LyingWitchInTheWardrobe2726 · 12/02/2019 13:01

RedToothbrush, I'm the same, no e-mail. I mentioned it to them as I think these threads get so long that it's difficult to pick out ongoing issues.

Smotheroffive · 12/02/2019 21:31

@redtoothbrush have you not received either? There were two. Two different versions of the OP. The original one, which has never come through for many, and then the updated one arrived for many yesterday/Sunday.

RedToothBrush · 12/02/2019 21:34

I have not had any email from MN on this subject.

MyVelocity · 13/02/2019 17:15

I was one of the posters affected by the breach. I had deregistered my account but I have registered again just to post.
Despite assurances from the poster who accessed my account that they logged straight out again I have been informed today that they accessed my inbox and clicked on and presumably read each and every message. Luckily they didn’t contain any private information but I just wanted to make other posters aware that Mumsnet can give you this information if you need it and even if you have had assurances that your personal info hasn’t been accessed it may not be the case.

Murphypoint · 13/02/2019 17:17

What a shitty thing to do. Purposely doing that should result in a ban. You may be read one in error but no excuse to read a lot.

Smotheroffive · 13/02/2019 17:27

Myvelocity that feels really uncomfortable knowing someone clicked through and read each of your messages, how creepy, wouldn't that make most feel more than a bit weird seeing someone else's details, and want to immediately report it. At least MN know who that 'intrusive intruder' was. How creepy.

Very considerate of you to flag that up for others

WhatTheNightBrings · 13/02/2019 18:53

I'm so sorry you've had your privacy violated like that. What a dick poster. Have MN said if they can ban the poster? Was it a known poster?

SassitudeandSparkle · 13/02/2019 19:36

That's horrible MyVelocity

BitOutOfPractice · 13/02/2019 19:46

More and more just keeps coming out doesn't it?

I have to say MN, this is really disappointing