[BreachExchange] Mumsnet reports itself to regulator over data breach

Destry Winant destry at riskbasedsecurity.com
Mon Feb 11 08:50:22 EST 2019


https://www.theguardian.com/uk-news/2019/feb/07/mumsnet-reports-itself-to-regulator-over-data-breach

Mumsnet has reported itself to the information commissioner after a
data breach resulted in users accidentally logging into the accounts
of strangers.

A botched upgrade to the software the forum runs on meant that for
three days, if two users tried to log in at the same time, there was
the possibility that their accounts would be switched. Each user was
able to post as the other, see their account details, and read private
messages.

The company doesn’t know how many user accounts were affected, but
says that over the three days the bug was live, from Tuesday afternoon
to Thursday morning, about 4,000 users logged in. Of those, only 14
users have reported an issue.

Mumsnet founder Justine Roberts apologised to users in a post, saying:
“You’ve every right to expect your Mumsnet account to be secure and
private. We are working urgently to discover exactly how this breach
happened and to learn and improve our processes. We will also keep you
informed about what is happening. We will of course be reporting this
incident to the information commissioner.”

Mumsnet confirmed to the Guardian that it has now self-referred to the
Information Commissioner's Office, as it is legally required to do in
the event of a data breach.

Roberts emphasised that passwords were not exposed in the breach, and
reassured concerned users: “You do not need to do anything. We have
reversed the change that caused the problem. We are investigating
which accounts have been affected – we don’t think it’s many and we
will contact you if we think it is yours.”

The site last had to report itself to the information commissioner in
2018, after a row about trans rights on the forum escalated when a
former employee published screenshots of posts that contained the IP
addresses of the users who wrote them. Despite the fact that the
publication was accidental on the part of the ex-employee, Mumsnet
treated it as a data breach and passed the details on to the ICO.

More seriously, in 2014, the site discovered that an attacker was
using a widespread bug known as “Heartbleed” to compromise an unknown
number of its 1.5 million user accounts. Mumsnet reset user passwords
in response to the attack.