
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we've become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change that was put in place on Tuesday pm, as part of moving our services to the cloud, was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don't know for sure, but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question, but we don't as yet know which of those were actually breached (i.e. also affected by a mismatched login), although we know for sure it wasn't every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

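The post says the logs are being investigated to work out which of the roughly 4000 accounts logged in during the window were actually affected by a mismatched login. Below is an added example of how that check can be expressed in code; it is not Mumsnet's code. It assumes a simple access-log format (timestamp, session id, event type, user id) that the post does not describe, and every log line is constructed. The incident window comes from the post; UTC is assumed for the stated times. A session is flagged when a non-login request is served as a different user than the one who most recently logged in on that session, which is exactly the "account info switched" symptom the post describes.

```python
"""Find mismatched-login sessions in web access logs (added example, not Mumsnet's code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Incident window stated in the post (2pm Tue 5 Feb to 9am Thu 7 Feb 2019); UTC is an assumption.
WINDOW_START = datetime(2019, 2, 5, 14, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2019, 2, 7, 9, 0, tzinfo=timezone.utc)

# Constructed sample log: "<timestamp> <session id> <event> <user id>".
# Sessions s2 and s3 log in within a second of each other and then each see the
# other's account; s1 is outside the window; s4 is a legitimate logout/re-login.
SAMPLE_LOG = """\
2019-02-05T13:30:00Z s1 login u100
2019-02-05T13:31:00Z s1 view u100
2019-02-05T15:00:00Z s2 login u200
2019-02-05T15:00:01Z s3 login u300
2019-02-05T15:00:05Z s2 view u300
2019-02-05T15:00:06Z s3 view u200
2019-02-06T10:00:00Z s4 login u400
2019-02-06T10:05:00Z s4 view u400
2019-02-06T10:06:00Z s4 logout u400
2019-02-06T10:07:00Z s4 login u401
2019-02-06T10:08:00Z s4 view u401
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    session: str
    kind: str  # "login", "logout" or any other request type ("view" here)
    user: str


@dataclass(frozen=True)
class Mismatch:
    ts: datetime
    session: str
    expected_user: str  # who logged in on this session
    observed_user: str  # who the request was actually served as


def parse_log(text: str) -> list[Event]:
    """Parse the constructed whitespace-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, session, kind, user = line.split()
        # fromisoformat() does not accept a trailing "Z" on older Pythons.
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), session, kind, user))
    return events


def find_mismatches(events: list[Event], start: datetime, end: datetime) -> list[Mismatch]:
    """Flag requests inside the window served as a user other than the session's last login."""
    owner: dict[str, str] = {}  # session id -> user who most recently logged in on it
    found = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            owner[ev.session] = ev.user  # a fresh login legitimately rebinds the session
            continue
        if ev.kind == "logout":
            owner.pop(ev.session, None)
            continue
        expected = owner.get(ev.session)
        if expected is not None and expected != ev.user and start <= ev.ts <= end:
            found.append(Mismatch(ev.ts, ev.session, expected, ev.user))
    return found


def accounts_logged_in(events: list[Event], start: datetime, end: datetime) -> set[str]:
    """Every account that logged in during the window (the post's ~4000 figure)."""
    return {e.user for e in events if e.kind == "login" and start <= e.ts <= end}


def affected_accounts(mismatches: list[Mismatch]) -> set[str]:
    """Both sides of each mismatch: the account exposed and the account that saw it."""
    affected: set[str] = set()
    for m in mismatches:
        affected.update((m.expected_user, m.observed_user))
    return affected


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_mismatches(evs, WINDOW_START, WINDOW_END)
    print(f"{len(accounts_logged_in(evs, WINDOW_START, WINDOW_END))} accounts logged in during window")
    for m in hits:
        print(f"{m.ts.isoformat()} session {m.session}: logged in as {m.expected_user}, served as {m.observed_user}")
    print("affected accounts:", sorted(affected_accounts(hits)))
```

Separating "accounts that logged in during the window" from "accounts that appear in a mismatch" mirrors the distinction the post draws between the 4000 logins and the smaller set actually breached; the second set is the one that needs individual notification.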
WhatTheNightBrings · 07/02/2019 15:22

Justine, should it come up at the top of the list when I click on Active up there ^ It isn't on my page, if so.

Also, are you going to send out the OP as an email to all registered users?

JustineMumsnet · 07/02/2019 15:27

@BeneathTheBoughs

I don't think your posts belong to you once they are on the site but to Mumsnet. Hence, the reason they can sell/allow other sites to use them as they want.

Mumsnet - please clarify - is this correct?

We have shared copyright on posts, BeneathTheBoughs. You retain all your rights to use it but effectively grant MN a licence to publish it / sell ads etc.

C8H10N4O2 · 07/02/2019 15:27

@Xenia, if the message can identify someone (e.g. some of my posts could be used to find out my real identity), then even a supposedly anonymous post might become identifiable personal data.

If it can identify you, it's personal data and in scope under the acts.

Similarly pieces of data stitched together to be identifiable can come into scope even if the individual items are not specific. Some of this is in the queue of test cases.

There are also some specific items which are always considered personal or sensitive, but I suspect you know that category already.

AlexaAmbidextra · 07/02/2019 15:29

So a ‘change in software’ allowed the breach. Pretty poor show actually. There is a thread running at the moment about the technical shortcomings of the MN site and now this latest fiasco! MN, you seriously need to spend some of your considerable advertising income on state of the art IT and on IT specialists who are actually up to the job.

HankNPat · 07/02/2019 15:31

Thanks, Justine. It's just that, to my mind, AIBU and Chat must be the busiest topics. I don't actually use 'Active' at all - but I realise that's a personal preference! I also think there must be many people who (a) don't even know the Site Stuff topic exists (b) avoid AIBU like the plague (!) and (c) like me, don't look in Active.

C8H10N4O2 · 07/02/2019 15:32

It's a manual process to sticky all over the site so it took a little while.

Is that your official Breach Protocol in the TOM for privacy and security?

I would recommend you review your Breach Protocols as each time there is a breach the response and communication appears to be ad hoc and organised on the fly.

In particular, the communications need to be clear and scheduled, even if the update is "still working on it, one new case reported in the last hour, ETA for fix anticipated at three hours". That has the additional benefit of needing less staff time to manage and leaving more time to focus on the issues.

I've not received a mail yet, is mail going out to all users?

RedToothBrush · 07/02/2019 15:33

www.telegraph.co.uk/money/consumer-affairs/tsb-banking-problems-expert-view-serious-breach/

You mean like this? Not a unique issue.

This is DH's professional opinion (and he is a web security specialist):
"Issues like this are fairly common, but they show a lack of understanding of managing software change. The correct process should be to fully cover all code with Unit Testing, this would have caught this issue and it's software development 101. The next stage is functional testing in a test environment, this might not have caught it. It's quite often that small development teams don't understand the implications of their changes, and I can guess the issue that was seen, but when dealing with what may be important data it really is a significant mistake. One would hope that Mumsnet make sure their website code is fully Unit Tested, with a peer review process and code analysis with an up to date SonarQube, as well as vetting of 3rd party dependencies via OWASP's Dependency Check. All of this running against EVERY change. I'm not suggesting the level of "Enterprise" Continuous Delivery with automated penetration testing, automated functional testing and ITIL process followed that I would implement, but a basic level of quality assurance is what I'd expect. If Mumsnet aren't getting visible reports on the quality of their software, they should be. I would also recommend looking at ISO27001:2013, and getting the certification."

Translation: This is a pretty basic error.

Who is to say someone didn't log into an admin account? And now has admin privileges on their own account? It's a 10/10 level of seriousness of security breach for this reason. We would assume MN have no idea who or what data has been lost or compromised.

Not a good look.

ohheyfreakingout · 07/02/2019 15:35

Why isn’t the site letting me change my password?!

HankNPat · 07/02/2019 15:35

Good to see this in Chat now too - finally.

SassitudeandSparkle · 07/02/2019 15:37

This breach allowed access to PM's though, there is personal information in those (in my case, anyway and not just my info, even if not on the MN website).

RedToothBrush · 07/02/2019 15:38

Has MN been hacked or is it a breach due to upgrading or whatever MN were doing?

It's a tech thing, not a hack.

If it's not sorted out properly, it's potentially exploitable in future by someone who knows what they are doing though.

At4oclockthenormalworld · 07/02/2019 15:40

On the back of this and another poster's advice I've just deregistered, created a new email for MN and started fresh. Oh. My. Lord. The palaver it was.
People who set up an account purely to come on and troll or post deliberately goady threads have far, far too much time on their hands.
Now I'm going to be one of the "new girls " again Sad

Ifangyow · 07/02/2019 15:47

Couldn't you have registered using your usual name but with maybe a slight variation of the spelling At4oclockthenormalworld?
I doubt anyone would have noticed a subtle change?

Felicia4 · 07/02/2019 16:00

Still no email, can't log into my original account and my emails are not being answered. Can't deregister if I can't log in. So frustrating!

At4oclockthenormalworld · 07/02/2019 16:00

That did occur to me after I'd spent ages thinking of a new one Grin

PomBearWithAnOFRS · 07/02/2019 16:01

Just testing to see if I am me so to speak. My watching threads have gone funny!

AlexaAmbidextra · 07/02/2019 16:01

Couldn't you have registered using your usual name but with maybe a slight variation of the spelling

What use would that have been? You’re still going to be the ‘new girl’, so unlinked to all previous posting history, if you amend even one letter of your user name.

Kennehora · 07/02/2019 16:02

This reply has been deleted

Message withdrawn at poster's request.

londonrach · 07/02/2019 16:02

A bit strange that it gave the option of Facebook etc. I never use Facebook to log into anything, and that's the reason I don't use TripAdvisor now.

PomBearWithAnOFRS · 07/02/2019 16:03

And I appear to have time travelled! I have my OFRS back and the watch list is from last April.
Curiouser and curiouser said Alice... 😁

HelenaDove · 07/02/2019 16:04

Oh for Christ's sake... AGAIN.

I managed to log in via MN but, like others, I was also offered the option to log in via FB.

At4oclockthenormalworld · 07/02/2019 16:06

Kenne Grin

Alexa, now I'm missing all my watched/on threads!

I should probably have all tech taken off me full stop.

youarenotkiddingme · 07/02/2019 16:07

That explains why I've been logged out!
I was going to report that as odd, as I hadn't logged myself out.

Thanks for clear explanation.

Wandaaa · 07/02/2019 16:14

I posted on the original thread last night that I had access to someone else's profile. I haven't received an email but it must be possible that someone could have accessed my profile.

KatherinaMinola · 07/02/2019 16:14

Bloody hell. Not again.