
Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

Tooldemont · 07/02/2019 16:17

Oh god, another one Hmm

UnilakTea · 07/02/2019 16:20

I think that Mumsnet are working on the issue, and just to let everyone know they don't have to report it to the ICO just yet they have 72 hours to report a breach! As Mumsnet have stated above, they logged users out of the app as an extra safety measure. Also even with the ISO 27001 doesn't make them immune as all it is is an information security management system. More to the point they should have a DPO data protection officer and SIRO a senior information risk owner... They are working on it, it's happened... Just wait for an update.

Tooldemont · 07/02/2019 16:28

Of course they're working on the issue, this site makes millions a month. But it seems like their very very amateur running caused it in the first place..

Slightlyjaded · 07/02/2019 16:29

Google Chrome is my browser of choice and I haven't been able to login that way. I am here courtesy of Safari (which I hate). Is there a reason why Chrome won't work? Is anyone else experiencing this? (once I enter my password it won't load).

Smotheroffive · 07/02/2019 16:33

This isn't just a case of some mners logging in could see another's account details. This is a major security breach. Which ITer was responsible for this? It's clear from all the threats particularly at the moment, that this is highly likely to happen, so why are processes so flimsy as to have not robustly protected this as a very likely eventuality?!

There are very vulnerable users on MN, who are victims of targeted attacks, as well as the 'usual suspects'. What can you tell us about how safe our data is, and I don't mean platitudes like 'safety of data is important to MN' etc. but cast iron measures explicitly expressed to stop the publication of data to unfriendly intruders!! Prevention of yet further breaches?

GerryblewuptheER · 07/02/2019 16:33

Is there any way to blanket delete all pms? It's very painstaking having to individually delete.

loobyloo1234 · 07/02/2019 16:34

I think out of courtesy, MN should have been sending all users an email to let them know of a possible issue. If we didn’t login today, we wouldn’t necessarily have even seen this thread which is very poor indeed

Wendywoo1000 · 07/02/2019 16:35

I don’t know if I had an email. No idea what my password was for it!

But I always use an email which is new as my “proper” and important addresses are never linked to sites like this.

So I've created a new one again.

Olderthan40 · 07/02/2019 16:37

This reply has been deleted

Message deleted by MNHQ as it seems to be posted by a troll. We're investigating.

SpartacusAutisticusAHF · 07/02/2019 16:38

This reply has been deleted

Message withdrawn at poster's request.

youarenotkiddingme · 07/02/2019 16:39

Wendy I do the same. After previous breach I have a specific MN email account that's only used to sign in here!

SpartacusAutisticusAHF · 07/02/2019 16:39

This reply has been deleted

Message withdrawn at poster's request.

ohheyfreakingout · 07/02/2019 16:40

@olderthan40 so the issue hasn’t been fixed yet?! What’s going on?!

GerryblewuptheER · 07/02/2019 16:41

Thanks Smile

Tooldemont · 07/02/2019 16:41

MN need to set up an urgent helpline for people. Lots are worried and need to speak to someone

WorraLiberty · 07/02/2019 16:42

Olderthan40 are you sure?

Because you don't have any posting history at all.

HelenaDove · 07/02/2019 16:42

Oh that's bloody bad.

I've checked my emails. No recent ones from MN.

SpringForEver · 07/02/2019 16:42

I was shut out of my account about a week ago so started again. I recently received an email regarding a security breach on Houzz which was discovered in December and wondered if there was a connection.

This is not a surprise to me and is the third time there has been a problem since I have been on MN, which is not a long time compared to many others, maybe 3 years or so.

From experience there always seems to be more than one site affected by these breaches.

It surprises me that people sign up on here with their own personal details.

Namastethefuckawayfromme · 07/02/2019 16:43

This reply has been deleted

Message withdrawn at poster's request.

ohheyfreakingout · 07/02/2019 16:43

I still can’t change my password either. Wanted to do it as a matter of security but it just refreshes or sends me to the Mumsnet homepage.

jeaux90 · 07/02/2019 16:45

I'd like to know which company Mumsnet paid to do this migration. They have properly ballsed up.

Graphista · 07/02/2019 16:45

Started typing at 1549

I actually noticed a problem with password not being asked for AND REPORTED IT a few days ago - I've still not had a response to that.

When were you first made aware of the issue? Given it's now late Thursday afternoon and you say the problem has been since Tuesday and we're only just being told?

Due to an issue I had on another site I use an email address I only use for this site. Fake name too. Thank god for that!

What I wish I'd raised before is the RIDICULOUS amount of spam I get to that account - now I'm thinking about it, given mn are the ONLY people I've EVER given this address to I'd like to know HOW these companies HAVE this address? Are you selling users email addresses? Or is your data security SO lax that it's easy for people to access users emails? Neither answer is particularly reassuring.

I've been using the app for last few hours with NO notification of this nor was I required to log in!

I only came to the site because a post I was trying to put on a thread wasn't working (on the app longer posts or ones with lots of punctuation often refuse to post).

I've been using the app for months BECAUSE the site is an absolute nightmare to use on safari AND HAS BEEN FOR MONTHS!

Very occasionally it works for one post but the longer I use it the slower and more gobbledegook it gets!

I'm a relatively new user but I've seen posts and read up on the previous issues mn has had with security etc and I must admit it's concerning that you seem to have such a blasé attitude.

I believe also as a business mn is quite successful in terms of profit? But yet you don't seem to be able to find IT contractors that can effectively manage that side including the security? Bit worrying for users.

I'm lucky enough this doesn't apply to me but it must be of particular concern to those mners with abusive, even violent exes whose private information could be used to create real life problems for them. What are mn doing to address this possibility? That's in addition to those being threatened by TRAs by the way.

"Hi CallMe, the app isn't affected by this breach. So no forced login required on that. (nb Passwords weren't able to be accessed anywhere either)" I find that response even MORE worrying! Has this just been assumed or has it been RIGOROUSLY checked? And even if it's been checked surely it would be better to err on the side of caution and force log out everyone on the app too - if for no other reason than to alert them to the fact there's been a problem! As I say I've been using app last few HOURS jumping between I'm on and active and this thread didn't show at all. I had NO IDEA there was a problem.

"Given today’s issues, we are going to forcibly log out all app users in the next 30 minutes." Really? I used the app since that point without having to log in.

"but you shouldn't be able to load the list of threads I'm watching. Apologies for the lack of clarity." That doesn't make sense. Most users will float between I'm on, active and topics. Certainly I rarely use I'm watching because it lists every thread you've even glanced at!

This thread is now showing on the app in active but that's only been in last 10 mins (time of typing 1627).

"Couldn't you have registered using your usual name but with maybe a slight variation of the spelling At4oclockthenormalworld? I doubt anyone would have noticed a subtle change?" Equally someone could "steal" their username this way, no way for other users to know if it were the "genuine" person who'd been using the original username. Surely that's the heart of the problem - that others could post under someone else's username! Could say all sorts of offensive shit that could get them banned or even prosecuted!

SpartacusAutisticusAHF · 07/02/2019 16:50

This reply has been deleted

Message withdrawn at poster's request.

SpartacusAutisticusAHF · 07/02/2019 16:50

This reply has been deleted

Message withdrawn at poster's request.

HelenaDove · 07/02/2019 16:50

" Surely that's the heart of the problem - that others could post under someone else's username! Could say all sorts of offensive shit that could get them banned or even prosecuted"

This is what I'm very worried about too.
