Mumsnet and Heartbleed as it happened

No, it's not this year's Pantone colour. Heartbleed is in fact a rather nasty security hole that existed in OpenSSL, the open-source encryption library that around 60% of websites around the world use to protect user data in transit.

Here's the Beeb's explanation:

"The bug exists in a piece of open source software called OpenSSL which is designed to encrypt communications between a user's computer and a web server, a sort of secret handshake at the beginning of a secure conversation.

It was dubbed Heartbleed because it affects an extension to SSL (Secure Sockets Layer) which engineers dubbed Heartbeat."


We became aware of the security hole late on Tuesday April 8th, ran some tests to see if the Mumsnet servers were vulnerable and, when it became apparent they were, applied a patch on Wednesday April 9th.


So how did it affect Mumsnet?

We first realised something was amiss on Friday April 11th when someone posted from our CEO's account as follows:

'Am I Being Unreasonable to think that the vast majority of you are clearly insane?'

Justine


Mumsnetters were, let's say, taken aback...


Thankfully we were swiftly able to confirm that JustineMumsnet had not in fact called the site a "grothole"...


But we only suspected things were Heartbleed-related when a Mumsnetter's account was used to post the following: 

"It was not her phone or personal computer being left logged in anywhere, it was the heartbleed exploit bleeding users login/password combinations in plain text to whoever sent the right query to the server.

While the tech staff were relatively fast to patch it, like so many others out there they thought 'the chances of this affecting us before the patch are minuscule'.

I hope the actions of hijacking Justine's account help draw attention to how big a deal this is. I suspect a lot of people would not have taken it seriously otherwise. Be thankful that the person who got access to the server information was kind enough to let you all know (and at least try and be funny with it) instead of simply sitting on the information."


Moments later several other user accounts were hijacked to write a message: 'All your base are belong to us' [sic] - a nod to this internet meme  


And things got scarier when a list of around 30 Mumsnetters' usernames and passwords was published on another website, Pastebin. (This list has since been deleted.) 


So, we decided we needed to reset all our registered users' passwords, and on Saturday April 12th we mailed them to let them know...

Dear Mumsnet user,

Following the recent security breach related to Heartbleed
we have removed the passwords of all users on www.mumsnet.com

To use the site you'll need to reset your password.  You'll find
instructions and a link on the login page on how to do this.

Most importantly, if you use the same password on Mumsnet as elsewhere,
we strongly recommend you change your password on the other sites too.

Thanks,

Justine & the MNHQ team


But don't panic...


We have seen no evidence of anyone’s account being used for anything other than to flag up the security breach.

But do take care and change your passwords elsewhere...

The internet is brilliant, but nobody can guarantee it's 100% safe and secure - EVER. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you would be for that information to get into the hands of a hacker. Make your passwords as secure as possible and change them every few months ('passwords are like underwear; change them often'). Use different passwords for different accounts. Close redundant accounts that you no longer use.



And here is Justine talking about events on BBC Radio 5 Live: 


NB: When we mailed users on 14th April to give more detail on the Heartbleed security breach we said we'd patched the SSL hole on Thursday 10th April. Subsequent investigation of our logs revealed that in fact we patched the hole on the afternoon of Wednesday 9th April.  

Last updated: 16-Apr-2014 at 3:25 PM