
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

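The account-swap failure described in the post above, as an added illustration rather than Mumsnet's code (the thread says only that a software change made during the cloud move caused overlapping logins to exchange account info, not what the change was): one common way this class of bug arises is a login pipeline that parks the authenticated user on an object shared by all in-flight requests (a pooled handler, a singleton service, a cache keyed without the session), so when two logins interleave the second identity is issued to both. The user table, e-mail addresses, session store and the generator-based scheduler that forces the interleaving are all constructed for the example.

```python
"""
Constructed demonstration of an account mix-up under concurrent logins.
A login is modelled as two steps, authenticate and issue-session, with a
yield between them so a scheduler can interleave two requests exactly as a
busy server would.  Hypothetical code, not the site's own.
"""
import secrets

# Constructed user table: email -> (user_id, password).  Plaintext is fine
# for a demonstration of session handling; real systems store a salted hash.
USERS = {
    "alice@example.test": ("u-1001", "alice-pw"),
    "bob@example.test": ("u-2002", "bob-pw"),
}

# Server-side session store: session token -> user_id.
SESSIONS = {}


class VulnerableLoginService:
    """Per-request state lives on the service instance, which every in-flight
    request shares.  Whoever authenticated last wins the next issued session."""

    def __init__(self):
        self.current_user_id = None   # one slot for all concurrent requests

    def login(self, email, password):
        user_id, stored_pw = USERS[email]
        if not secrets.compare_digest(stored_pw, password):
            raise PermissionError("bad credentials")
        self.current_user_id = user_id       # step 1: stash on shared object
        yield "authenticated"                # another request may run here
        token = secrets.token_urlsafe(16)    # step 2: issue from the shared slot
        SESSIONS[token] = self.current_user_id
        yield token


class SafeLoginService:
    """The authenticated identity stays in the request's own frame and the
    store is keyed by a fresh random token, so interleaving cannot cross wires."""

    def login(self, email, password):
        user_id, stored_pw = USERS[email]
        if not secrets.compare_digest(stored_pw, password):
            raise PermissionError("bad credentials")
        yield "authenticated"
        token = secrets.token_urlsafe(16)
        SESSIONS[token] = user_id            # local variable, never shared
        yield token


def interleave(gen_a, gen_b):
    """Drive two login pipelines in the order A1, B1, A2, B2 and return both tokens."""
    next(gen_a)
    next(gen_b)
    return next(gen_a), next(gen_b)


def whoami(token):
    """What the server believes about the holder of this session token."""
    return SESSIONS[token]


def run(service_cls):
    """Log Alice and Bob in concurrently and report which account each token resolves to."""
    svc = service_cls()
    tok_a, tok_b = interleave(
        svc.login("alice@example.test", "alice-pw"),
        svc.login("bob@example.test", "bob-pw"),
    )
    return whoami(tok_a), whoami(tok_b)


if __name__ == "__main__":
    print("vulnerable:", run(VulnerableLoginService))   # Alice's token resolves to Bob
    print("safe:      ", run(SafeLoginService))
```

With the vulnerable service Alice's token resolves to Bob's account, which is exactly the symptom reported: the user who logged in first sees the other user's e-mail, messages and posting history. Reverting the change and clearing the session store (the forced logout) removes the already-issued wrong sessions; it does not tell you how many were issued, which is why the operator has to go back to the login logs.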
BBInGinDrinking · 07/02/2019 13:57

As previously mentioned, I log in via the mobile site and email/gmail.

We need more information from MNHQ on the password issues because several posters, including me, have posted about problems with this.

Why was I able to log in without a password - the site had remembered it?

Why, when because of that I then changed my password, (confirmed as a successful change on Settings), could I then not log in with the new one, only the old?

Xenia · 07/02/2019 13:58

I was logged out and then got back in once I hunted down the password which is a sensible precaution.

I am not sure moving to cloud storage is a great idea though. I deliberately avoid it. More hackable than data on your own servers, although I know there is a huge move amongst companies to the cloud.

CallMeSirShotsFired · 07/02/2019 13:58

@WhatTheNightBrings Can you address the poster who changed their password on their PC but is still logged in and able to post on the app? A change of password should force logout on all devices.

Do you mean me? I changed pw on desktop; but was still able to post on app using previous pw.

But to be sure I then changed it again; and that forced me out of the app and I had to re-login. So that could be a cache glitch or something?

BoreOfWhabylon · 07/02/2019 14:00

neveradullmoment99 · 07/02/2019 14:01

mmm...I am also confused. I had to log in a few times. I had no idea about this data breach. I did think it was a bit weird.

Nicknacky · 07/02/2019 14:03

I think this is appalling and really worrying. I’m not one to get upset about possible data breaches but this isn’t the first time something like this has happened on MN.

badlydrawnperson · 07/02/2019 14:04

There have been an alarmingly high number of data issues in recent years. Mumsnet is a big business now, why isn’t the security better? It’s no longer good enough to have tech tinkering about twee-ly in his ‘shed’, sticking his finger in the dam of disaster. Invest properly in a security overhaul MNHQ. You can’t keep running on goodwill and IT Elastoplast.

^This. Time to get someone who knows what they are doing.

Kennehora · 07/02/2019 14:05

This reply has been deleted

Message withdrawn at poster's request.

herethereandeverywhere · 07/02/2019 14:07

I haven't been logged out on all devices

SheCameFromGreeceSheHadaThirst · 07/02/2019 14:08

Presumably if it was TRAs, they'll soon be boasting all over Twitter so it'll be easy for them to be identified and reported to the police.

You’ve misunderstood. This privacy fuck-up was a failing on the part of MNHQ’s tech upgrade. No one has suggested it was an attack by TRAs. However, the fact of being able to view other poster’s personal details and PMs means that identifying information was available to persons with a nefarious interest in doxxing, with TRAs having been explicit in their intent to attempt doxxing of MNers in the past. Hence, this privacy gap could have proven very useful to someone with an intention to doxx.

runoutofnamechanges · 07/02/2019 14:08

It may be a coincidence but I have just reviewed recent activity on the email account I use to log in and there have been multiple attempts to access my email account from outside the UK.

SophiaLovesSummer · 07/02/2019 14:09

@subscribeBelow Thu 07-Feb-19 13:35:04

'Anyone else noticed how this is being hijacked by the anti-trans brigade?'

WTAF?? @subscribeBelow Give ONE example - literally copy and paste it and post it - of any post which could legitimately be referred to as the 'anti-trans brigade'?

I expressed concerns re direct threats that I - as someone who has received threats for expressing concerns not just for myself but for transwomen ALSO at risk via others abusing self ID'ing - have received. Would you include that/me as 'the anti-trans brigade'? If so you are fucking deluded. But yeah, please do link directly to any single post that is anti-trans. But you won't will you? As there aren't any. FFS

GerryblewuptheER · 07/02/2019 14:09

Run

How do you do that?

mumsiedarlingrevolta · 07/02/2019 14:11

I've also had to log in today-

will changing password help or is that shutting barn door after horse has bolted.

very annoying actually

SpartacusAutisticusAHF · 07/02/2019 14:12

This reply has been deleted

Message withdrawn at poster's request.

C8H10N4O2 · 07/02/2019 14:13

the app isn't affected by this breach. So no forced login required on that. (nb Passwords weren't able to be accessed anywhere either)

It is standard security industry practice and guidelines to suspend login in the event of a breach and force logout across all platforms.

You really should also force a password change. Passwords may be encrypted but:

  • any SQL injection style attack can extract encrypted passwords and use them in that encrypted form
  • people being people often keep a reminder of the passwords in private notes/messages. They shouldn't but on the scale of sins it's a small one compared to exposing a membership known to be targets of a number of hostile groups.

Just how confident are you given the track record on security and testing that you have no risk of injection attacks?

It's a small inconvenience to each individual member to have to reset a password and log in. Personally I would have put a message on the login page whilst forcing logout.

runoutofnamechanges · 07/02/2019 14:14

Gerry

It depends which email you use. Just google "check recent activity on" and the name of your email provider to find out how to do it.

I see someone else in the thread has had their email hacked today Hmm

NellMumsnet · 07/02/2019 14:20

Hi, there have been worries about not being asked for a password when you log back in after having been forcibly logged out.

If you use Google or Facebook to log in to Mumsnet, and you are already logged into those accounts, then you will NOT be asked for a password when you go to log in to Mumsnet. This is how it should work.

If you are logged in to the app, you are still able to use the app until you log out, even if you have changed your password on the site. Given today’s issues, we are going to forcibly log out all app users in the next 30 minutes. You should then be asked for your password if you try to load a thread or create a post.

It’s also worth knowing that if you are already logged in when you go to the sign in page, it will just accept your email and take you back to the home page. A password isn’t requested as you are already logged in (we appreciate this is an unusual case).

In other cases, a password should be required, so if you think you’ve seen something different, please send details to [email protected]. It is helpful to know whether you are using the site or the app, what browser you are using, and what device (e.g. iPhone).

Thanks so much for your help on this.
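C8H10N4O2's and NellMumsnet's posts above turn on two session-management properties: a password change should revoke every other session the account holds (the app session that outlived a change made on the site), and an operator must be able to invalidate every session issued before a cut-off, which is what the site-wide forced logout does. The following is an added example of a server-side session store with both properties; it is not Mumsnet's code, and the store layout, the client labels ("web", "ios-app") and the fixed timestamps are constructed so the behaviour is deterministic.

```python
"""
Server-side session store with two revocation paths (constructed example):
  * password_changed(): drop every session the user holds except, optionally,
    the one that performed the change, so a logged-in app does not keep
    working after the password was changed elsewhere;
  * force_logout_all(): a global cut-off that kills every session issued
    before it without touching logins made afterwards.
Timestamps are passed in explicitly rather than read from the clock.
"""
import secrets


class SessionStore:
    def __init__(self):
        self._sessions = {}      # token -> {"user_id", "client", "issued_at"}
        self._not_before = 0.0   # sessions issued before this instant are dead

    def issue(self, user_id, client, now):
        """Create a fresh high-entropy token for user_id on a named client."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user_id": user_id, "client": client, "issued_at": now}
        return token

    def resolve(self, token):
        """Return the user_id behind a live token, or None for unknown/revoked ones."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if sess["issued_at"] < self._not_before:
            del self._sessions[token]   # lazily purge sessions killed by the cut-off
            return None
        return sess["user_id"]

    def password_changed(self, user_id, keep_token=None):
        """Revoke all of user_id's sessions except keep_token (the one that made
        the change); return the client names that were logged out, for the audit log."""
        revoked = []
        for token, sess in list(self._sessions.items()):
            if sess["user_id"] == user_id and token != keep_token:
                revoked.append(sess["client"])
                del self._sessions[token]
        return revoked

    def force_logout_all(self, now):
        """Site-wide forced logout: everything issued before `now` stops resolving."""
        self._not_before = now

    def live_sessions(self, user_id):
        """Client names of the user's sessions that would still resolve."""
        return sorted(
            s["client"] for s in self._sessions.values()
            if s["user_id"] == user_id and s["issued_at"] >= self._not_before
        )


if __name__ == "__main__":
    store = SessionStore()
    web = store.issue("u-1001", "web", now=100.0)
    app = store.issue("u-1001", "ios-app", now=100.0)
    print("revoked on password change:", store.password_changed("u-1001", keep_token=web))
    print("app still valid?", store.resolve(app) is not None)
    store.force_logout_all(now=200.0)
    print("web still valid after forced logout?", store.resolve(web) is not None)
```

Two design points worth noting. Revocation is enforced in the store, not by waiting for a client to discard its token, so it applies to the app, the mobile site and any stale browser tab alike. And the global cut-off is a single timestamp rather than a walk over every session, so it takes effect immediately and is cheap to apply even when the store is spread across several cloud instances; each instance only needs to see the new cut-off value.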

TheFuckfaceWhisperer · 07/02/2019 14:26

Every time I’ve gone away from here for an hour or two I’ve had to log back in again and I’m usually always logged in. Four times so far today. Also with the Facebook/Google/email log in options

DonDrapersOldFashioned · 07/02/2019 14:28

I’m trying to email HQ on [email protected] but it keeps getting bounced back as spam. Hmm

TheFuckfaceWhisperer · 07/02/2019 14:28

I’m just using the mobile website (not app) on iPod touch and Samsung Galaxy, one using Safari, one Chrome

NellMumsnet · 07/02/2019 14:32

Just to clarify my message above, on the app you can view threads without being logged in, but you shouldn't be able to load the list of threads I'm watching. Apologies for the lack of clarity.

This does mean that you may not know that you have been logged out. Hitting "reply" or clicking the menu at the top right will help you check your status.

spinabifidamom · 07/02/2019 14:34

There have been a number of social media accounts getting hacked over the past year. Just 2 months ago, my Quora account was also potentially hacked (it took the powers that be 4 days to tell us) as well.

Judashascomeintosomemoney · 07/02/2019 14:37

MNHQ believe it's the software change, but don't know for sure?
We're pretty certain of this, yes (and as said there have been no problems since we reversed the change). We should be able to confirm it unequivocally in due course, but we do think we should rule out every possible other explanation and leave no possible stone unturned before we say we're 100% sure

So you have gone live with a software update, that has affected data indexing, without any testing of the software whatsoever? Even a cursory basic test of the software update, prior to going live with it, should have thrown up issues with data indexing.
I personally have no concerns about who may have seen my data but that clearly puts me in a tiny minority of users of this site. Yet again a breach and yet again the breezy ‘ooh, whoops, silly us! ‘ attitude. Who runs your IT department, Roy and Moss?

SassitudeandSparkle · 07/02/2019 14:41

This sounds awfully like you are examining some kind of manual records to see who was logged in at the same time rather than just having a ready report of the login clashes. It's not comforting tbh.