Mumsnet Data Breach - FAQs

[JustineMumsnet]

As lots of the same queries re the data breach are reappearing we've made an FAQs page Do let us know if there's anything important we've left off. We'll keep updating this document as soon as we have further any further info. Thanks.

EDITED BY MNHQ AT 17.15 ON FEBRUARY 8: We're now as sure as we can be that the total number of accounts affected by this breach was 46. We will be contacting these users within the next hour or so.

I've managed to log back in via Safari, but can't do so using Google Chrome.

I’m new to all this. How can I start a chat about something? Thanks

Can you explain why you ever thought sending one million emails would happen simultaneously?

I have to say I was surprised when Justine was insistent that all (generic) emails had gone out, as I distinctly remember when a previous breach (2014/2015?) happened MNHQ had to explain (over and over again, like on here...) that the emails had to go out in batches due the the numbers involved.

MrsSchadenfreude same here! I'm actually logged in on the app, I hate the bloody app , there's no way I'll keep using it long term.

Any update as to how long it'll take to fix the chrome login?

I can't log on at all on iPad but can on mobile. But mobile is my old account I set up and forgot about. The account I actually use I can't log in at all

And to add insult to injury, error 2: it's changed the emotions from angry to gin between the iPad app and the Android one.

They haven't gone out though, its a huge balls up. They don't take that long, they go overnight, there's other stuff going on that broke!

I'm fed up of saying the same thing and being ignored

They'll undoubtedly still be going out in batches. I got mine late this afternoon. It said what was said at the top of this thread. The people whose accounts were affected have been notified and it's been reported to the ICO.
Why is it necessary to keep posting about the generic emails not having arrived yet? If you know what happened and you're posting here why are the generic emails important?

Also tired of reading the same old questions that are answered in the OP!!!

it's lost me completely!! According to this, I haven't posted on anything since 2016??!!

There is a load more going on as a result than has been posted and talked about

Just found out that if you search a username it brings up all previous usernames, so name changing is pointless.
Was this always the case?

I think I was mistaken, apologies.

Right you need to explain yourself after your scaremongering! What did you find out exactly?! What did you do to find that out, that now isn't true?!

Have I missed the answer to why password changes haven't been working, MNHQ? Change password, Settings says successfully, but then only the old password works to log in? I mentioned this a while ago on the data breach threads, and I see others have too.

Also, why isn't the Preview button working? Again, others have posted about this.

I have noticed too that threads I have read, which would previously have been highlighted as read, are now sometimes not.

And overnight I kept being repeatedly knocked off the site, (not logged out though), as if MN kept crashing or something. Odd.

Answers on a postcard - or a message in a - to all that please?

Just to add, because this is usually asked - on the mobile site, on an android phone.

@JustineMumsnet Have you considered the possibility that someone in your IT team might be sabotaging the system from the inside?

The frequency and frankly shocking level of IT "mistakes" that have happened on here over the years makes me doubt the prevailing assumption that the incompetence of your technical staff is to blame, especially if you really have "12 full time developers" and spend "around £1m per annum on our Tech, product and data teams combined".

I often get an email telling me that someone has mentioned me on a thread, but when I go there it isn't me. I thought it was a weird quirk but I am thinking it might not be now

Mine too

Also I haven't used this username for yonks

Can I have my account wiped from the face of the earth please? If I do decide to re-register I don't want a load of 'we already have a user with this email address' fuckaboutery

I also think your IT team are so crap that it is suspicious, and I'm used to crap IT. I work in the NHS

Your previous usernames will no longer be associated with your email address once you deregister

@JustineMumsnet
@YetAnotherBeckyMumsnet

Does this mean if I deregister my user names will be up for grabs?

Honestly, this is so crap, after 11 years I'm not sure I want to be registered any more. I need to know the answer to the above question.

@MrsSchadenfreude

I've managed to log back in via Safari, but can't do so using Google Chrome.

Hello, we're aware of an issue with chrome at the moment - we're doing our best to resolve it. Apologies for any inconvenience!

[quote CoteDAzur]@JustineMumsnet Have you considered the possibility that someone in your IT team might be sabotaging the system from the inside?

The frequency and frankly shocking level of IT "mistakes" that have happened on here over the years makes me doubt the prevailing assumption that the incompetence of your technical staff is to blame, especially if you really have "12 full time developers" and spend "around £1m per annum on our Tech, product and data teams combined".[/quote]

Hi CoteD,
I'm completely sure no one is sabotaging us from the inside, yes. We have for sure had several nasty IT incidents over the last few years but I'd argue they are quite distinct and unrelated.

The first major issue was around the Heartbleed bug in a widely used piece of software. Many many organisations used this software and were vulnerable because of it - the difference was we went public and forced a password update while others kept schtum.

Then there was the "Jeffrey hack" - which included multiple denial of service attacks when our servers were swamped, a phishing attack to gain access to people's passwords as well as the swatting and bomb threat stuff. This was organised on a board frequented by misogynists who wanted to teach Mumsnet/Mumsnetters a lesson. Our firewall and internal systems definitely weren't as good as they could be (and led to us to invest more heavily in security for sure) but the point is we do tend to attract more than our "fair share" of attacks (we are subject to denial of service attacks most weeks) in my view because we're a female dominated platform.

Then there was the pro-trans intern who inadvertently copied a user IP address and published it when was she was highlighting what she felt were anti-trans voices on Mumsnet. Again our procedures weren't perfect and we've looked carefully at how to improve them but they were far from unusual and the ICO were satisfied that we hadn't been negligent here and no fine was imposed. Unlike many organisations we've never shied away from hosting controversial debates and contrary opinions - it would of course be much easier (and more profitable) to shut those conversations down as many others have done and we'd court far fewer angry responses but we believe passionately in free speech and the power of discourse to help people see other points of view.

This most recent incident was, without doubt, our technical error. We released code that had a flaw and we need to do better. What I would say is that concurrence is one of the things that is hardest to test for, which is why it didn't manifest in our systems testing, but there's no denying we messed up. We should have triple and quadruple checked the code for such an important service upgrade and not relied on testing to pick up a problem. We will most definitely learn from that.

It's also true that the Mumsnet platform isn't as good overall as it could be and we could have made some of these upgrades and invested a bit more in team and infrastructure a few years back when we started to turn a profit. That's my fault to be honest - I was a bit burned by all those early years of struggling to make any revenue from the site and seeing lots of other websites in our space overstretch themselves on costs and go under/ make layoffs - so in retrospect I was slower to invest than I should have been, which has meant quite a few niggles particularly when we've made any updates over the years. And I can only apologise to users for that.

We're absolutely committed to changing that going forward and to becoming a best in class community platform for our users but we're on a journey and it will take a bit of time.

I know this might all sound a bit defensive but I wanted to try to add a bit of an alternative perspective because, well, I think sometimes our tech team are a bit unfairly criticised. I'm not in any way though suggesting we haven't made errors which have understandably led to concern and for which I am very sorry.

@BBInGinDrinking

Have I missed the answer to why password changes haven't been working, MNHQ? Change password, Settings says successfully, but then only the old password works to log in? I mentioned this a while ago on the data breach threads, and I see others have too.

Also, why isn't the Preview button working? Again, others have posted about this.

I have noticed too that threads I have read, which would previously have been highlighted as read, are now sometimes not.

And overnight I kept being repeatedly knocked off the site, (not logged out though), as if MN kept crashing or something. Odd.

Answers on a postcard - or a message in a - to all that please?

Hello!

We're doing our best to investigate the technical issues (sorry for the lack of answers thus far) - can you report your post to us so that we can take a look?

@MNHQ You wrote the following in relation to the issue of current usernames being duplicated in users' lists:

If you have ever gone back to a nickname after using another nickname, it may appear twice in your list of usernames.

With respect, this is incorrect, at least for me. I've been back and forth between some of my nicknames, which I use for particular topics or forums, and then back to my regular one a number of times before moving on to a new one altogether, and so on. All of my previous names are listed once only in alphabetical order. My current one is additionally listed a second time, out of order.

This obviously isn't the most urgent issue, but it seems to affect a lot of people, and seems to date from the data breach or at least the software update that caused it, the reversal, or some other related action. The fact that you don't understand why it's happening may be more important than the thing itself. It would be good if someone could look into it, if only to restore confidence that you have a handle on what your software is doing.

Based on what you've said, mine isn't a breached account btw, and I'm using Firefox on a laptop PC. HTH.

Woooah, and in the time it took me to type that, the list has changed again to reflect all of the changes (and changes back) I've ever made, with no duplication of the current one, and now listed in chronological order.

Like I say, not do or die, but people are naturally concerned that you're not aware of all the changes the software is (still) making. Can you shed any light?