
Mumsnet Data Breach - FAQs

234 replies

JustineMumsnet · 08/02/2019 11:49

As lots of the same queries re the data breach are reappearing we've made an FAQs page. Do let us know if there's anything important we've left off. We'll keep updating this document as soon as we have any further info. Thanks.

EDITED BY MNHQ AT 17.15 ON FEBRUARY 8: We're now as sure as we can be that the total number of accounts affected by this breach was 46. We will be contacting these users within the next hour or so.

Smotheroffive · 08/02/2019 22:56

I think Lily got short straw tonight! Wink

It's difficult to answer misinformation queries. It really doesn't make any sense. Any of it.

MarthasGinYard · 08/02/2019 23:17

I received an email at lunchtime regarding breach. It reads as though generic. Has everyone received one?

WatchingTVagain · 08/02/2019 23:17

Still not received the generic email but also had no emails at all (daily update, threads I'm watching updates) from MN for the last couple of days. Are daily emails being put on hold until this is all sorted?

ID81241 · 08/02/2019 23:19

I only just got the email late this evening but there was no update on the situation Hmm

InflagranteDelicto · 08/02/2019 23:24

I can only log on using an incognito tab (chrome, on android). If I try on the mobile Web page I can put my email in, it takes me to the next page where I can put my password in but won't let me tap on sign in. Same webpage, but incognito, and I can log in no probs. Rather annoying.

AnneElliott · 08/02/2019 23:28

Has everyone been sent an email? I got one but it seems very generic. Useful to know if the emails to the 46 accounts make it clear they are one of the 46 iyswim?

Smotheroffive · 08/02/2019 23:33

Everyone has been sent an email apparently many not actually received, I have still not.

Although to pp, I have been receiving the usual mentioned in a post emails

Smotheroffive · 08/02/2019 23:34

...yes, individual ones sent to those personally affected by the data breach

bluegreygreen · 08/02/2019 23:36

No email at all here yet AnneElliott - am assuming that means my account wasn't involved

RegularShowRules · 08/02/2019 23:40

I too have received an email about an hour ago but it is generic and I'd like to know is this a generic email to everyone or was my data breached

ilovesooty · 09/02/2019 00:05

MNHQ made it clear that they would be contacting the people affected individually not via generic email. The generic emails are apparently just sent to registered email addresses for information.

Idliketoteachtheworldtosing1 · 09/02/2019 00:06

Woh calm down everyone there's a little too much mass hysteria going on.
The poor people at Mumsnet are trying their hardest to rectify things.
In the grand scheme of things 46 accounts are not too drastic, considering that no one is able to see your password. Give them time to sort things out I'm sure they are trying their hardest.

HeathRobinson · 09/02/2019 00:42

Still haven't had the generic email.

TakeTwo0fThat · 09/02/2019 01:16

Does this mean that someone now on here could have viewed someone else's threads and now can match to that users other change of usernames so basically their privacy has been breached ?

TakeTwo0fThat · 09/02/2019 01:18

I found something was weird yesterday when I was unable to change my username and it kept saying I had no network connection. Not sure whether my account was involved

IceRebel · 09/02/2019 06:55

MNHQ posting again so this doesn't get lost. Can you comment with some insight into what @Zoflorabore has said in the other thread

I received an email to say that although I had accessed someone else's account, nobody had accessed mine.

How can their account not have been accessed if they have managed to access another account? I thought the point was the system had mixed up 2 users who logged in at the same time, switching them so they ended up in each others accounts, is this not the case?

AuntieStella · 09/02/2019 07:49

This question remains unanswered from the other thread;

"@mnhq

During a previous security breach, it became clear that MN held on to previous email addresses even if a user changed to a new one.

"You undertook to delete completely all email addresses other than the one in current use.

"Can you confirm that all required deletions took place as you promised?"

Straightforward yes/no answer would be helpful.

Because this paragraph,

'We've had a big clear out post gdpr and deleted accounts that haven't opened mails for a bit, so not necessarily - only a proportion of those who've registered are on our email database. As said the email only contained the info in the OP here""

posted not MNHQ, does not answer that question about archived old addresses to when you were not sending emails anyhow.

knotswapper · 09/02/2019 07:56

Jesus Christ. I work in Cyber Security and thankfully my Mumsnet user name and password is unique so I have nothing to fear.

However, I am sick to death of major organisations being so lax with their security controls. It seems like over and over again this happens and ultimately it's up to the users to manage the fallout.

Not impressed Mumsnet. You've been around too long to give me the "we're just three mums in a Boden kitchen doing the best we can" argument.

HandsOffMyRights · 09/02/2019 08:02

In the grand scheme of things 46 accounts are not too drastic,

But is it 46? There are loads of us sharing the issues we've had. And none have received a MN email.

Cbatothinkofaname · 09/02/2019 08:24

Nail on head, knotswrapper.

Like I said on the longer thread (which I see is now conveniently ‘buried’ in the Site Stuff area!) this needs to be recognised for what it is: incompetence by a large business which is happy to rake in the very substantial revenue. And this follows the last debacle where inadequate security was to blame.

It’s not acceptable that when this happens MNHQ revert to the “we’re just a group of mummies doing our best” which you describe, Knotswrapper. And it’s laughable and tragic in equal measure that some posters lap this image up, as if MNHQ is made up of personal friends who are just having a hard day juggling kids and running a little business from home.

This is BIG business and users deserve proper investment in their systems and security.

Tink1990 · 09/02/2019 08:26

I haven't received an email either, generic or otherwise Confused

NellMumsnet · 09/02/2019 09:05

Hello,
Hope we can clarify, now that we have more information about what happened.

This is what happened after the software release on Tuesday:
When two people log in at the same time, there is a very small delay between them (milliseconds), and the first person to login (user A) was sometimes given the account of the second user (user B).
User B logged into their own account as normal; they were not given user A’s account.
This happened on 46 occasions before we reversed the software and logged everyone out.
As soon as we identified all user Bs, we emailed them directly to explain that their account had been breached.
We have also emailed user As to let them know they were accidentally logged in to someone else's account.

On Thursday we also sent an email to ALL users to tell them about the issue. It is taking time to get this email delivered to all accounts as there are around a million.
We used wording like “last night” and “this morning” in the email — this was a mistake, as we expected the emails to go faster. We'll change it for the ones still to go out.

We will also put this information on the FAQs page and the original Data Breach thread.
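
Added example, not part of the original post and not Mumsnet's own code: one way to search login logs for the pattern described above, where the user whose credentials were checked (user A) ends up holding a session that carries another user's account (user B). The log format, event names, session ids and user names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample log; the format and event names are assumptions,
# not Mumsnet's real logs. Fields: timestamp, event, session id, user.
SAMPLE_LOG = """\
2019-02-05T14:03:10.120 auth_ok s1 alice
2019-02-05T14:03:10.124 auth_ok s2 bob
2019-02-05T14:03:10.131 session_bound s1 bob
2019-02-05T14:03:10.133 session_bound s2 bob
2019-02-05T15:20:00.000 auth_ok s3 carol
2019-02-05T15:20:00.009 session_bound s3 carol
2019-02-06T09:00:01.500 auth_ok s4 dave
2019-02-06T09:00:01.502 auth_ok s5 erin
2019-02-06T09:00:01.510 session_bound s4 erin
2019-02-06T09:00:01.512 session_bound s5 erin
"""

def parse(log_text):
    """Return sorted (timestamp, event, session, user) tuples."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, event, session, user = line.split()
            events.append((datetime.fromisoformat(ts), event, session, user))
    return sorted(events)

def find_mismatched_logins(log_text, window_ms=50):
    """Flag sessions bound to an account other than the one that authenticated."""
    events = parse(log_text)
    # session id -> (time, user whose credentials were checked)
    authed = {s: (ts, u) for ts, ev, s, u in events if ev == "auth_ok"}
    findings = []
    for ts, ev, session, account in events:
        if ev != "session_bound" or session not in authed:
            continue
        auth_ts, user_a = authed[session]
        if user_a == account:
            continue  # normal login: session carries the authenticated account
        # Corroborate with the nearest login by the account owner (user B).
        gaps = [abs((t - auth_ts).total_seconds()) * 1000
                for t, u in authed.values() if u == account]
        gap_ms = round(min(gaps)) if gaps else None
        findings.append({"session": session, "user_a": user_a,
                         "user_b": account, "gap_ms": gap_ms,
                         "concurrent": gap_ms is not None and gap_ms <= window_ms})
    return findings

if __name__ == "__main__":
    for f in find_mismatched_logins(SAMPLE_LOG):
        print(f)
```

The `user_b` values are the accounts that were exposed; the `user_a` values are the users who were shown someone else's account.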

Iputthescrewinthetuna · 09/02/2019 09:12

I received an email. Very generic and not clear!
You say Apologies for any confusion here. We have emailed users who were accidentally logged into an account that wasn't their own.

Should the email be more clear? I would like it made clear. If I received the following email, was my account breached? As part of GDPR you should be more clear. So @JustineMumsnet @LilyMumsnet @NellMumsnet a simple 'yes or no' please!

Email I received...

Iputthescrewinthetuna · 09/02/2019 09:13

We're very sorry to say that we've become aware of a data breach affecting some Mumsnet user accounts.
What happened?
There was a problem affecting Mumsnet user logins between 2pm of Tuesday 5 February and 9am on Thursday 7 February. During this time, two users logging into their accounts at precisely the same time, might have had their account info switched.
Why has this happened?
We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.
How did Mumsnet find out this was happening?
Late last night, a Mumsnet user alerted us to the fact that they were able to log in to and view the details of another user's account.
What information could have been affected?
If someone other than you logs into your account, they can see:
your email address
your account details
your posting history
your personal messages
They would NOT have been able to see your password because that data is encrypted and they would not have been able to change your password because you need to input a password to do that.
How many people are affected?
At the moment, we don't know for sure but we are investigating the logs and hope to know definitively very soon. We do know that approximately 4000 user accounts were logged into in the period in question but we don't as yet know which of those were actually breached (ie also affected by a mismatched login), although we know for sure it wasn't every account. We have been made aware by users of 14 incidents when this occurred and have contacted the users we know were affected. We are working hard to establish if there were any more.
What have you done about it so far?
We've reversed the software change that was made on Tuesday pm, and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who inadvertently logged in as someone else will no longer be logged in to the wrong account.
Where can I get updates?
We're posting about the situation on this thread, and will update as and when we have further relevant info.
What happens next?
When we have any further substantial information affecting the security of Mumsnet user accounts we will send another email and post on the site.
We're very sorry.
You've every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We know some of you will be very worried by the possibility that your account has been breached - please mail us on [email protected] if you'd like to discuss your individual account details. We will of course be reporting this incident to the Information Commissioner.

IceRebel · 09/02/2019 09:13

Thank you for explaining Nell, but you might want to change the FAQ as some parts are very confusing,

any two users logging into their accounts at precisely the same time may have had their account info switched.

Also would it be possible in the future to have a feature telling a user that their account had been logged into on another device?

That would have meant people were aware of the problem sooner. I know quite a few sites are able to do this now, for example when logging in for the first time on a new phone / laptop they will email to check that you are aware of the new device.
