Change in format of response to report emails

[Hobnobswantshernameback]

i reported a thread earlier
I thought the email back looked weird and when I looked at it properly I realised that on the link to the post I reported was a direct link to the email address of the poster that I had reported.
out of curiosity I googled the name
it led me to a person that was instantly identifiable
now I won't be doing anything with that information but MNHQ when did the email format change and how widely are peoples details being accessed?
surely this is a significant issue which I only spotted today due to the email back looking weird

No it wasn't an intentional error

Given that we know exactly how and why this happened, who was affected and are clear that it wasn't malicious it would be disproportionate to alarm all users. Our priority is to make sure the 20 or so users who's emails and usernames were breached are aware of that (which we have done) and to action any changes to their accounts that they deem necessary (which we are doing).

@JustineMumsnet

I reported a thread at 6.04pm on Sunday 5th June, and received a response at 21.57 that same evening.

In that response email, I can clearly see the email address of the OP of the thread I reported.

Can you clarify if there are any circumstances under which this should happen? Especially considering it was outwith the time period you've already mentioned.

Thanks

Hi, we've checked this response and the only email included is yours, because you reported the post.

Just checking. Yes, it was my post, sorry 😂😂

There is another thread going just now where a few people are mentioning being affected. Are you able to tell us exactly how many people were doxxed, and was it everyone who was subject of a reported thread within that time period, or just some?

Well, you clearly don't have good enough checks in place because this shouldn't even be possible.

User data like email addresses should be stored on a separate database to comments and posts. There shouldn't even be a remote possibility of someone's personal information being accessed in this way. If human error can mean this kind of catastrophic outcome, then you prevent human error.

I am going to report MN myself. This is not remotely acceptable. You clearly haven't the fucking foggiest idea about websites, best practice, and your legal responsibilities.

So explain how it happened.

Post it here. A detailed explanation of how exactly someone's email address ended up being emailed to a poster who reported them.

There is no way it was only 20 posters in the timescale given. No way. How many posts get reported on MN? I'm guessing hundreds an hour.

A 'glitch' would affect every single reported poster until the 'glitch' was fixed. So either it wasn't a glitch and some posters were deliberately doxxed or they're lying about the scale of it.

Also, 20 is a suspiciously nice round number. 17 or 23 might have been slightly more believable.

Is there an MNHQ staff name on the reports? Perhaps affected users could compare and see if they are the same? Or if it was a mistake with the generic ‘Thanks, MNHQ’ emails.

@pixie5121 No, the "glitch" would affect every reported post that was RESPONDED TO in the timeframe. Not every reported post.

Your posts addressing @JustineMumsnet are unnecessarily hectoring and unpleasant, imo.

IIRC I read someone say that they now have an MNHQ moderator's email address?

Message altered by MNHQ at request of the poster

Oh please don't try to single out an individual staff member in this way!

I’m not singling anyone out. I don’t want to know if there is a name in common. The people affected might want to know, however, in the absence of any further explanation from MNHQ. Or it might be that the generic reply had a glitch that wasn’t sorted out, hence ‘human error’.

Very concerning.

There were big problems on the site late last night - DDoS? No word from MNHQ on that.
www.mumsnet.com/talk/site_stuff/4562956-pages-taking-an-age-to-load-anyone-else

I do but I wouldn't dream of sharing.

I am very uncomfortable with how it has been able to happen, especially after the PM that returned from the dead.

I think I understand, no I had several reports from different admins

Also, 20 is a suspiciously nice round number. 17 or 23 might have been slightly more believable.

Justine says '20 or so' in a pp.

And you think that's only 20?

Hectoring and unpleasant? I've had my fucking email address sent to a random stranger! Because despite a very widely publicised security breach in 2018, MN still haven't got their shit together.

You cannot be serious.

I'm a DV survivor I've posted in the past about my experience using various different NNs. For those who have done similar, and whose ex partners are dangerous, this is deeply worrying. Of course I've done everything I can to make myself anonymous, but you never know whether there's a turn of phrase or something which slips through and will be recognised. For anyone who does put two and two together, a quick report and hey presto, confirmation of my name and email.

I've been on MN since 2007 (de-regged a few times but always came back). I don't use any other social media and am pretty untraceable online - the idea that this could happen is genuinely terrifying and I don't think I can take that risk.

You have to really try in order to fuck up this badly.

Confirmation that I need to deregister. There are too many of these "glitches" on here.

Tell you what Boreof read the post almost directly above about the impact this sort of thing can have on someone who has experienced domestic violence
and then do one with policing how people are responding
perhaps if mumsnet hq weren't so dismissive, sneery and patronising in their responses and actually answered honestly and promptly to peoples concerns people wouldn't get so rightly angry

Apparently I'm being goady to ask how exactly it happened.

It isn't goady. It's the least they can do. I'm a developer myself and I agree that you really have to try to fuck up this badly.

Between this and interngate and how fucking awful and glitchy the site is, I'm assuming their entire 'dev' team are newbies and interns working on the cheap. How much money does MN generate for its founder? How can they justify repeatedly putting users at risk to save a few bob?

You can pull statutory accounts to see staff numbers, directors salaries etc etc. For instance you can there were 69 staff in the year to 31/12/20 compared to 95 in the year to 31/12/19.

I haven't used the term 'goady' LaS

And I fully appreciate how serious this is. I'm sure JustineMN does too.

Mumsnet is a revenue earning site and can pay for specialist staff. It's very frustrating that they don't seem to have any kind of change control or proper UAT in place to verify updates before they deploy them, they just wheel out the 'oops, silly us, tech team didn't have their coffee today' apologies after the fact. The recent site migration was a mess - why didn't they use actual software testers and have proper test plans to verify the changes (on all platforms, operating systems and browsers) rather than asking site users to go and play with it and report back? And they don't seem to have learnt anything from that based on this latest issue.