Mumsnet data breach - please read

868 replies

JustineMumsnet · 07/02/2019 12:40

As some of you know, we're very sorry to say that we’ve become aware of a data breach which affected some Mumsnet user accounts.

What happened?
There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February 2019. During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched.

Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.

How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user’s account.

What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages

They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.

How many people are affected?
At the moment, we don’t know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don’t as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn’t every account. We have been made aware by users of 14 incidents when this occurred and have contacted the individuals that we know were affected. We are working hard to establish if there were more.

What have you done about it so far?
We’ve reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account.

Where can I get updates?
We’re posting about the situation on this thread, and will update as and when we have further relevant info.

What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.

We’re very sorry.
You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you’d like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

Thanks to all who brought this to our attention.

Justine

Graphista · 07/02/2019 16:52

Yes we need reassurance that we're not going to have our usernames used & possibly abused by others.

windowWAG · 07/02/2019 16:52

Message deleted by MNHQ.

Smotheroffive · 07/02/2019 16:53

I used to use my username to log in but haven't been able to for years I think it's been fb, linked or whatever, or my email address. I wasn't aware any could still log in using their username!

I have never wanted to allow global logins, like fb or other white untrusted info greedy grabbers.

But most of what Google et al are doing now is from voice recordings and images taken by stealth and selling that for huge mark up.

I know many a user will argue that's simply not true but it absolutely is.

BlancheM · 07/02/2019 16:54

Is there a way to deactivate my account and will that delete everything I've posted and under name changes also?
I can't be on here anymore when it isn't safe.

Graphista · 07/02/2019 16:55

WindowWAG I get your point but my main concern is for vulnerable users who've done nothing wrong. Who've posted on here for support regarding dv, health issues, surviving childhood abuse etc they certainly don't deserve for their lives to be made harder than they already are.

TeddyIsaHe · 07/02/2019 16:56

windowWAG it doesn’t matter what people post, MNHQ are obliged to protect users’ data as per GDPR law. Which they quite clearly haven’t done.

I don’t think people looking for advice and support are mugs tbh.

Bowlofbabelfish · 07/02/2019 16:56

If you've sat behind your keyboard for years posting hatred and are now concerned others know who you are and where you live, perhaps it's time to reflect on the type of shit you post on a daily basis.

Or perhaps you’ve been seeking support for an abusive relationship, life limiting illness, or a problem with a child, and shared personal info over PM?

There are many reasons women want to stay anonymous.

Kennehora · 07/02/2019 16:58

Message withdrawn at poster's request.

TeddyIsaHe · 07/02/2019 16:58

Blanche you can do a SAR (subject access request) to MN, which will then show all of the data they hold on you. This then enables you to request deletion of everything. Just deactivating your account doesn’t delete posts etc.

They have 30 days to respond to your request. All info here: ico.org.uk/your-data-matters/your-right-of-access/

HankNPat · 07/02/2019 16:59

No, Blanche. You can de-register your account, but everything you've posted - under any names - will still be there. You'll need to email MNHQ directly to ask them to do it.

[email protected]

havingtochangeusernameagain · 07/02/2019 16:59

Oh well I couldn't log back in because I didn't know which email address I had used. So I have a new account, but have been around for a while.

How many times is this going to happen to MN? I suppose though that it is a target because it is mainly a website of women.

windowWAG · 07/02/2019 16:59

Or perhaps you’ve been seeking support for an abusive relationship, life limiting illness, or a problem with a child, and shared personal info over PM?

A public online forum that sells your details is not the place for that. It is simply marketed as such. It's time to wise up.

Wallywobbles · 07/02/2019 17:00

I can’t log in thru the app using Facebook but can on Safari on my iPhone. Not terribly good result.

SpartacusAutisticusAHF · 07/02/2019 17:00

Message withdrawn at poster's request.

Graphista · 07/02/2019 17:01

2254 last night mnhq responded on worralibertys thread about this.

This thread then not posted until midday today? I for one think that's an unacceptably long time to wait to alert users!

Puzzledandpissedoff · 07/02/2019 17:02

After previous breach I have a specific MN email account that's only used to sign in here!

Call me naive, but it honestly wouldn't have occurred to me to do this. We are after all anonymous on here, and while MNHQ have our personal names, emails, etc, I thought - wrongly, as it turns out - that they'd have sufficient security systems in place to keep those private

MN need to set up an urgent helpline for people (who are worried)

Possibly, but doesn't that again raise questions of whether they have the necessary staff to cope? As said earlier, I'd be fascinated to know just how the staffing, especially in IT, really is set up ... especially given they were using volunteers as out of hours moderators?

RedToothBrush · 07/02/2019 17:04

Also even with the ISO 27001 doesn't make them immune as all it is is an information security management system.

This is true, but it makes them a lot less vulnerable and it more difficult for a repeat like this to happen.

Given that this is the second issue in the last twelve months, I would consider getting the certification a minimum course of action to help user confidence.

In terms of not using your real information on MN, similar problems have happened at banks and many of you would be horrified at how bad information security even at banks is. And don't get me started on the NHS.

The real issue is a lack of skills across the board on this subject. MN are not good, but the expectation should be that every user here is safe to use the PM system and have basic details. They should be subject to the same level of expectation as any other institution or company that handles data.

The law on this is going to get tougher, as there are more incidents, and it will cost MN in the long run not to invest in security properly.

whynot93 · 07/02/2019 17:04

Do I need to do anything, I knew there was an issue the other day as I suddenly was unable to log in and then had the reboot and enter my password.. very worrying

RedToothBrush · 07/02/2019 17:06

What I wish I'd raised before is the RIDICULOUS amount of spam I get to that account - now I'm thinking about it, given mn are the ONLY people I've EVER given this address to I'd like to know HOW these companies HAVE this address? Are you selling users email addresses? Or is your data security SO lax that it's easy for people to access users emails? Neither answer is particularly reassuring.

I don't have this issue. Are you sure you've looked at your account preferences?

BlancheM · 07/02/2019 17:06

Thank you teddy

okokokok · 07/02/2019 17:06

I was one of the posters able to access another's account. From what I have read this means I logged in at the same time as someone else so our account log-ins got switched? I haven't had an email from mumsnet though saying someone got into my account? I would appreciate some clarification.

Fwiw to the pp, I am not bothered by someone accessing my account because I post hatred(?!), it is because I once gave my address to someone on here to send me some old school uniform (back when we did a thread passing on our used children's clothes to those who could use it) also I have posted for advice regarding a sensitive health problem under a different name change that even my own family don't know. I don't want a stranger reading all that and linking it to my name and address. Paranoid? Possibly. A lot of people suffer with anxiety and things like this happening can be really upsetting and traumatic.

AlexaAmbidextra · 07/02/2019 17:07

As said earlier, I'd be fascinated to know just how the staffing, especially in IT, really is set up

Well judging by the functionality of the site and the lax attitude to security you could be forgiven for thinking that IT is in the hands of a staff member’s sixteen year old geeky son.

SpartacusAutisticusAHF · 07/02/2019 17:07

Message withdrawn at poster's request.

Catmint · 07/02/2019 17:07

Hi @MNHQ

Given the seriousness and potential impact of this breach please can you email all users with

A. an explanation of what happened - and individual confirmation about whether the person's account / data was or was not affected

B. how you are reviewing your procedures to ensure it can never happen again

C. a commitment to tell us what the ICO say.

Thanks

OlennasWimple · 07/02/2019 17:11

After previous breach I have a specific MN email account that's only used to sign in here!

Me too. And it's delightfully spam free, which makes me realise how widely my every day email address has been spread around

Gin for Justine and MNHQ