Mumsnet data leak: Moaning parents could see other users' privates after cloud migration

Change reversed while forum probes how many affected


Parent gabfest platform Mumsnet has reported a data security breach that it claimed happened amid a "software change" en route to migrating services to the cloud.

Justine Roberts, founder and CEO at Mumsnet, today told users: "We're very sorry to say that we've become aware of a data breach which affected some Mumsnet user accounts."

A user sounded the alarm yesterday evening that they were able to log into and view details of another user's account. This security screw-up, likely some kind of caching blunder, happened between 2pm GMT on 5 February and 9am GMT on 7 February.

"During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched," Roberts added.

"We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday PM (5 February) was the cause of this issue. We reversed the change this morning. Since then there have been no further incidents."

Data visible to anyone logged into someone else's account could have included that user's email address, account details, posting history, and personal messages. Passwords were encrypted, the CEO said.

"We've reversed the software change... and this morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account."

Roberts said it is not yet certain how many Mumsnet members were caught up in this mess, but that the company is "investigating the logs" and that they "hope to know definitively very soon".

"We do know that approximately 4,000 user accounts were logged into in the period in question but we don't as yet know which of those were actually breached (i.e. also affected by mismatched login), although we know for sure it wasn't every account."

She said users reported 14 "incidents" and Mumsnet is trying to ascertain if there were more.

"You've every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes," Roberts added.

The breach has been reported to the Information Commissioner's Office.

This isn't the first time the platform for snarky parents has suffered a security wobble: it was hit by the Heartbleed OpenSSL vulnerability in 2014; and it was hacked in 2015.

Updated - 12 February 2019

Mumsnet has contacted us to say that according to its own assessments, 46 user accounts were breached. ®

