Parenting advice website Mumsnet has hit back at reports claiming “thousands” of its users may have had their accounts compromised by a data breach that blighted the site earlier this week.
The Mumsnet founder, Justine Roberts, went public with details of the breach in a website post on 8 February 2019, where she claimed a software glitch had made it possible for site users to access each other’s account details if they had logged in at the same time.
This means an affected user may have been able to see the other person’s email address, account details and any private messages they had sent to another user, between 2pm on Tuesday 5 February and 9am on Thursday 7 February.
“We believe a software change, as part of moving our services to the cloud, that was put in place on Tuesday evening was the cause of this issue,” said Roberts.
“We reversed that change this morning. Since then, there have been no further incidents.”
She went on to say that while around 4,000 user accounts are known to have been logged in during the specified time period, that does not necessarily mean they were all affected by the breach.
“We know for sure it wasn’t every account,” she said. “We have been made aware by users of 14 incidents when this occurred and have contacted the individuals we know were affected. We are working hard to establish if there were more.”
The company has since updated this figure to confirm that 46 accounts were breached in total over the course of the incident.
Since the post went live, media reports have claimed that “thousands” of users were caught up in the incident. In response, the Mumsnet Twitter account has reiterated that far fewer users are likely to have been affected than the 4,000 accounts it knew were online at the time.
“Contrary to some headlines, we do not think thousands of Mumsnet users are affected. We’re working on positively identifying those affected now, but we think it will be much lower than headlines suggest,” the company stated in a tweet.
“But any user affected is one user too many and we sincerely apologise to our users. We’re reviewing our systems and processes and will make sure we learn lessons from this.”
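The article does not say how Mumsnet is identifying affected accounts, and it does not describe the mechanism of the glitch. The script below is an added example, not Mumsnet’s code, of the kind of log check an operator in this position might run: it assumes (as a hypothesis, not a fact from the article) that each web request is logged with a session identifier and the user id it was served as, and that a cross-account leak shows up as one session id being served as more than one user id inside the incident window. The log format, field names and log lines are constructed for the example; the window boundaries are the times given in the article.

```python
"""
Added example (not Mumsnet's code): flag web sessions that were served as
more than one user id inside an incident window, and list the user ids
involved.  Log format and field names are assumptions; the log lines below
are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: timestamp, session_id, user_id, path
SAMPLE_LOG = """\
2019-02-05T13:55:02 sess-a1 user-101 /inbox
2019-02-05T14:10:44 sess-a1 user-101 /inbox
2019-02-05T14:12:09 sess-a1 user-207 /account
2019-02-06T09:30:15 sess-b2 user-333 /account
2019-02-06T09:31:00 sess-b2 user-333 /inbox
2019-02-07T08:59:59 sess-c3 user-444 /inbox
2019-02-07T09:05:00 sess-c3 user-555 /account
"""

# Incident window from the article: 2pm Tue 5 Feb to 9am Thu 7 Feb 2019.
# The end is treated as exclusive (the fix was reported as already in place).
WINDOW_START = datetime(2019, 2, 5, 14, 0)
WINDOW_END = datetime(2019, 2, 7, 9, 0)


def parse_line(line):
    """Split one constructed log line into (timestamp, session, user, path)."""
    ts, session_id, user_id, path = line.split()
    return datetime.fromisoformat(ts), session_id, user_id, path


def sessions_with_multiple_users(log_text, start=WINDOW_START, end=WINDOW_END):
    """Return {session_id: sorted user ids} for every session that was served
    as more than one user id within [start, end).

    Caveat: a session that legitimately changed user (logout then login) would
    also appear here, so each hit still needs a human look before it is
    counted as an affected account.
    """
    users_by_session = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sid, uid, _ = parse_line(line)
        if start <= ts < end:
            users_by_session[sid].add(uid)
    return {sid: sorted(u) for sid, u in users_by_session.items() if len(u) > 1}


def affected_users(log_text, **window):
    """Union of user ids appearing in any flagged session, sorted."""
    flagged = sessions_with_multiple_users(log_text, **window)
    return sorted({u for users in flagged.values() for u in users})


if __name__ == "__main__":
    for sid, users in sessions_with_multiple_users(SAMPLE_LOG).items():
        print(f"{sid}: served as {users}")
    print("candidate affected users:", affected_users(SAMPLE_LOG))
```

In the constructed sample, only `sess-a1` is flagged: `sess-c3` does switch users, but its second request falls after the window closes, so it is excluded, which is the behaviour an analyst scoping an incident to the stated window would expect. Requests before the window (the first `sess-a1` line) are likewise ignored.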
The Information Commissioner’s Office (ICO) confirmed in a statement to Computer Weekly that it has been “made aware of an incident” and “will be considering the detail”.
Thomas Owen, head of security and business services at UK-based cloud hosting provider Memset, said the incident suggests there may be some shortcomings in Mumsnet’s IT operations and change management processes, but its handling of the incident is commendable.
“They have demonstrated great incident management so far in this situation. Mumsnet appears to have discovered the error, rapidly fixed it, reported it to the regulator and then gone public with a frank and detailed explanation. It’s handy that best practice in incident management is now also legally enforced under the Data Protection Act 2018,” said Owen.