The Heartbleed security breach - and what to do

Message from Mumsnet Towers about the Heartbleed security breach and what you need to do. Amended 16/4/14 with revised dates on our response following an investigation of our logs.

Dear Mumsnet user,

On Friday 11 April, it became apparent that what is widely known as the 'Heartbleed bug' had been used to access data from Mumsnet users' accounts.

Heartbleed is a security hole that existed in OpenSSL, the security framework which most websites around the world use. There's a summary of Heartbleed and its effects here.

On Wednesday 9 April we at MNHQ became aware of the bug and immediately ran tests to see if the Mumsnet servers were vulnerable. As soon as it became apparent that we were, we applied the fix (known as the Heartbleed patch) that same day to close the OpenSSL security hole. However, it seems that users' data was accessed prior to our applying this fix.

So, over the weekend, we decided we needed to ask all Mumsnet users to change their passwords. This means you will no longer be able to log in to Mumsnet with a password that you chose before 5.45pm on Saturday April 12, 2014. If you haven't changed your password yet, you can do so here.

Questions...

  • You say they accessed Mumsnet users' data - did they access data from my personal account?

We have no way of knowing which Mumsnetters were affected by this. The worst case scenario is that the data of every Mumsnet user account was accessed. That's why we've required every user to reset their password.

  • What data did they see?

The bug allowed access to the information submitted via the login page. So that includes your username or email plus your password.

It is possible that this information could then have been used to log in as you and give access to your posting history, your personal messages and your personal profile, although we should say that we have seen no evidence of anyone's account being used for anything other than to flag up the security breach, thus far.

We know this has been an enormous pain in the rear end for some of you, and we're really sorry about that. We are aware that some reset emails aren't turning up quickly enough. We believe it's a problem with some email providers, who are struggling with the amount of automated mail that is being generated by lots of big sites requiring users to change passwords at this time. We've now made the reset links in the mails last for longer (48 hours) so that they don't expire before you've seen them. Please do, though, mail us at contactus@mumsnet.com if you need any help.

  • Now that I've changed my password, can you guarantee that my data is safe?

Unfortunately, no site can give you a cast-iron guarantee of this. We've installed the patch that fixes the known vulnerability in OpenSSL, and together with forcing a password reset, we think this makes MN users as safe as we can make them. But if there's one thing we've all learned from Heartbleed, it's that there may be security vulnerabilities out there that nobody knows about.

To be as safe as you can be, use different passwords for all your important online accounts, especially anything to do with your personal finances or banking. Here's an article identifying which of the major sites are affected.

You can also use highly secure password generators like Lastpass.com, which generates very complex passwords and also remembers them for you. But in the end, there is no such thing as complete safety and security on the internet.

  • What's the takeaway?

The internet is brilliant, but nobody can guarantee it's 100% safe and secure - EVER. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you would be for that information to get into the hands of a hacker. Make your passwords as secure as possible and change them every few months ('passwords are like underwear; change them often'). Use different passwords for different accounts. Close redundant accounts that you no longer use.

We hope this has been helpful and answers some of your questions. And please do send any questions, observations, brickbats and/or virtual chocolate to contactus@mumsnet.com. Our inbox is a bit massive at the moment but we will get back to everyone as soon as we can.

Love,


Justine and the team at MNHQ

Last updated: 16-Apr-2014 at 9:06 AM