Mumsnet admits users' emails and passwords accessed via Heartbleed bug

Mumsnet has admitted the 'Heartbleed bug' had been used to access data from its users' accounts in an attack that has exposed members' usernames, emails and passwords.

Heartbleed: affects Mumsnet members

The Heartbleed bug affects websites running SSL encryption. It exposes the private information entered by users into websites, applications, web email and instant messages.

A patch for the bug was announced on Monday 9 April. Mumsnet has admitted it became certain it had fallen victim to a hack on Friday (11 April), when someone used the username of founder Justine Roberts to post on the site.

Mumsnet claims it became "aware of the bug" on Thursday and ran tests to detect whether its servers were vulnerable. It then "applied the fix to close the OpenSSL security hole".

Roberts points out that the hacker could have accessed the site's data before the patch for the bug was released, but believes it is most likely they would have accessed the data between Monday and Wednesday.

However, it emerged that users’ data was accessed before the fix was complete and as a result the site asked all its users to change their passwords over the weekend. The old passwords will no longer work.

In an email, Mumsnet addressed some users' concerns. It said: "You say they accessed Mumsnet users’ data: did they access data from my personal account?

"We have no way of knowing which Mumsnetters were affected by this. The worst case scenario is that the data of every Mumsnet user account was accessed. That’s why we’ve required every user to reset their password.

"What data did they see? The bug allowed access to the information submitted via the login page. So that includes your username or email plus your password.

"It is possible that this information could then have been used to log in as you and give access to your posting history, your personal messages and your personal profile, although we should say that we have seen no evidence of anyone’s account being used for anything other than to flag up the security breach, thus far."
