Popular British parenting site Mumsnet has suffered a data breach following a software upgrade. The problem arose when Mumsnet moved onto the cloud and made some software changes as a result. These changes meant that users could see the details of other users.
“There was a problem affecting Mumsnet user logins between 2pm on Tuesday 5 February and 9am on Thursday 7 February. During this time, it appears that a user logging into their account at the same time as another user logged in, could have had their account info switched.”
Mumsnet has reported itself to the UK data protection authority; however, it has not released many technical details about how this happened. Mumsnet is currently investigating the issue and will likely release the full details of the incident once the investigations are completed.
There has been some speculation among tech experts about how it happened.
Naaman Hart, Managed Services Solutions Engineer at Digital Guardian, said:
“It’s really pure speculation as to how this incident happened, but it would likely have been caused by a mix-up in the intermediary steps of the login process. Typically when logging in you validate yourself and you’re given an identity. That identity has access to your data. In a case where this process has a problem, it’s possible that the identity you’re given is someone else’s. This can happen if the service already has an answer in mind, cached/remembered, and it serves up that answer instead of doing the legwork to find the real answer.”
Any company that experiences a data breach in the UK is required to report it to the relevant data authority. In this case the users’ privacy was greatly compromised: users were able to see personal information relating to other users, including private messages and account details.
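The general failure mode Hart describes, a remembered answer served in place of a fresh lookup, can be shown in a few lines. This is an added illustration, not Mumsnet's code and not a statement of the actual cause, which has not been published; every name in it (`SESSIONS`, `load_account`, the cache classes) is hypothetical and the data is constructed.

```python
# Constructed data: two logged-in sessions and the account each one owns.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ACCOUNTS = {"alice": {"email": "alice@example.test"},
            "bob": {"email": "bob@example.test"}}


def load_account(session_id):
    """The 'legwork': resolve the session to a user and load that user's data."""
    user = SESSIONS[session_id]
    return {"user": user, **ACCOUNTS[user]}


class PathOnlyCache:
    """Weak: the key ignores who is asking, so the first answer is remembered for all."""

    def __init__(self):
        self.store = {}

    def get(self, path, session_id):
        if path not in self.store:
            self.store[path] = load_account(session_id)
        return self.store[path]


class PerSessionCache(PathOnlyCache):
    """Corrected: the session is part of the key, so entries never cross users."""

    def get(self, path, session_id):
        return super().get((path, session_id), session_id)


def owner_matches(session_id, response):
    """Defence in depth: refuse to serve a response built for a different user."""
    return response["user"] == SESSIONS[session_id]


def second_login(cache):
    """Alice logs in first; return what Bob is served and whether the check passes."""
    cache.get("/account", "sess-alice")
    response = cache.get("/account", "sess-bob")
    return response["user"], owner_matches("sess-bob", response)


if __name__ == "__main__":
    print("path-only cache  :", second_login(PathOnlyCache()))
    print("per-session cache:", second_login(PerSessionCache()))
```

The ownership check is the part worth keeping even after the cache key is fixed: it turns a silent cross-account disclosure into a failed request that can be logged and alerted on.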
Mumsnet has not said how many user accounts were affected, but has said that the bug was live for three days and that 4000 users were logged in over this period; however, only 14 users reported the issue.
Justine Roberts, Mumsnet founder, issued an apology, saying:
“You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We will of course be reporting this incident to the information commissioner.”
The change has been reversed by Mumsnet, which has assured users that no further action is required. Mumsnet has also stated that it will contact any users who have been affected as they are revealed during its investigations.
Mumsnet has reported itself to the data commissioner once before, in 2018, when a former Mumsnet employee published screenshots containing a user’s IP address during an escalated argument over trans rights. This was considered accidental since the former employee didn’t post the screenshots with the intent of sharing the IP address, but rather to highlight the content in the user’s post.