Mumsnet data breach

[PronounssheRa]

Reposting this from site stuff and chat as here is where a lot of reporting of posts happens

www.mumsnet.com/talk/site_stuff/4564026-change-in-format-of-response-to-report-emails

www.mumsnet.com/talk/_chat/4564131-another-mumsnet-data-breach

We had a temporary glitch with 'Report this post' for a short time today which meant the email of the person reported was included in the report and in a few cases in responses to those reports. This applies to a very small number of users and we'll be contacting them shortly to let them know. Our DPO has been informed and on his advice we'll report it the ICO if appropriate. Please be assured the issue is now fixed. We will of course be examining how it happened to ensure it never happens again. We're really sorry for any concern caused.

Oh for fucks sake. When did this problem start please?

I use a burner email for this reason. The only problem is I quickly forget my login details so never see any emails sent there...

Thanks @Ereshkigalangcleg I've deleted it but this is very worrying. Somewhat casual response by MN to this, I must say.

@nicerucksack did your email of thanks for the report come with a 'how did we do' option?

.

I saw a similar comment on another thread.

What response do you expect from MN?

They are notifying the people whose data they have breached.
They have rectified the fault.
They have made their data protection person aware and will notify the relevant office as needed.

Advertising it far and wide surely just makes it more likely that breeched data will be collected and used?

Isn't it it better to take the steady steps to minimise harm, and only then make more general announcements?
Do you want Justine to appear on BBC News at 10 wearing sackcloth and ashes?

@drinkingwineoutofamug yes it did.

As ever with MNHQ data breaches, it doesn’t help to be left hanging not knowing whether one has been personally affected or not - and by precisely what and how.

Really poor.

People were obviously going to find out about it, though, weren't they. They have asked questions which haven't been answered about the time period in question.

Obviously people have concerns, particularly due to the reporting levels on this board, and some are not happy with how other data protection issues were dealt with in the past. I don't think the "let's hope no one notices this serious data breach" approach is a particularly good one, personally.

What I would like is more of an indication that they are taking these breaches seriously. This isn't the first time something like this has happened. One single response, hidden in the middle of a thread started by a poster, is not enough.

Yes, I do understand that. I just don't think calling it 'casual' is fair.

Surely the first priority is notifying the actual people effected, understanding the scope etc, not to broadcast details across the whole of MN?

A thread like this on this board is positively asking for monitors to check their report post emails to see what data they can glean? Especially as they often don't otherwise use MN?

I'm not saying this isn't serious, far from it. But if a Bank has a giant hole in it, you fix the hole first before going out of your way to advertise the hole to all the criminals in the area. (not a great analogy)

Once it's been discovered, transparency and clear information is needed. You can't put the genie back in the bottle, people are obviously going to want to talk about it and the less information they have the more they will want to do so, and the more concerned they will be. As I said, expecting people not to talk about it and want to see their own email reports is unrealistic.

The whizzy new site on its new platform racks up another success. Lovely to know it's such an improvement on the old one.

And I thought I was possibly being over cautious using a burner email address for here and other platforms! Glad I did now.

I've name changed and ditched my previous account and email. The TRAs will have harvested as much as they could and that information will now be being shared in their telegram and discord servers.

It doesn't help that MNHQ don't let a poster know that their post has been reported, a function that is badly needed here.

Thanks Mumsnet.

Yep, always use a burner mail for Mumsnet. proton Mail is a good one.

What MN should have done is test any area or functions of the site where changes have been made before going live. They don't appear to have done that with the report function.

What they should do now is clarify the time period this breach occurred so posters can work out if they were impacted.

I'm not going to apologise for flagging the breach up here.

I'm not saying this isn't serious, far from it. But if a Bank has a giant hole in it, you fix the hole first before going out of your way to advertise the hole

They have fixed the hole, sadly not before data was leaked. That particular genie can not be put back in the bottle.

Well exactly.

MNHQ/Justine said last night they’d fixed the breach.

Now we’re trying to understand who got robbed, and how bad it is for the individuals who will need to act.

How do we KNOW everyone affected has been contacted?

I think the Helen Joyce video has ramped up the vitriol, I've name-changed too. Be wary we could be in for a few bumpy weeks.

This is awful. I use an email address for MN that I don’t use for anything else. I won’t be reporting any more posts either.

Good idea, I think it's better to let them stand

#the site's still glitching#

Good idea, it's probably better to let them stand anyway - I think some posts are created by TRAS looking for them to be deleted so they can screenshot for twitter.

Yes I use proton mail only for Mumsnet too. Not a sign of confidence really is it?🤨

I checked and my most recent report email was from 16 May and only includes my email and full name (which now I think about it is a bit weird??) not the person reported.

From what I've read, the problem isn't with you reporting posts, it's with your posts being reported, possibly vexatiously, and the reporter getting your email address. Fun times.