Mumsnet data breach allowed users to log into each other's accounts

News by Rene Millman

Parenting website reports itself to ICO after botched cloud migration resulted in users being logged into each other's accounts, able to see personal data and private posts.


4000 users logged into the site during the vulnerable period (Pic: Maartje van Caspel/Getty Images)

Parenting website Mumsnet has been forced to report itself to the Information Commissioner's Office (ICO) after a failed cloud migration resulted in users being able to log into other people’s accounts.

The forum said it believed the breach had occurred while it was migrating its services to the cloud on Tuesday afternoon. The issues continued from 2pm on Tuesday until 9am on Thursday, when the changes were undone.

During that time, users logging into their accounts at the same time as another user would see their account info switched. A concerned user notified Mumsnet on Wednesday night, reporting that they had been able to log in and view someone else’s account.

"We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday PM (5 February) was the cause of this issue. We reversed the change this morning. Since then there have been no further incidents," said Justine Roberts, founder and CEO at Mumsnet, in a statement.

The incident resulted in users being able to view another user’s email address, account details, posting history and personal messages. Passwords were encrypted, the CEO said.

Roberts said that the website had now reversed the changes. "This morning we forced a log out, requiring users to log in again before they can post. This ensures that anyone who had inadvertently logged in as someone else will no longer be logged in to the wrong account," she added.

The full extent of the problem is not yet known, but Roberts said that approximately 4,000 user accounts were logged into in the period in question. Around 46 users reported incidents, said Mumsnet.
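The account swap described above, and the forced logout used to clear it, point to two checks a defender would want after such an incident: which sessions ended up serving more than one user, and which users logged in during the vulnerable window and so need their sessions invalidated and a notification. The following is an added example, not Mumsnet's code; the log format, session and user ids, and the year on the timestamps are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of auth/session events (timestamp, event, session id, user id).
# These are illustrative lines, not logs from the incident. The year is assumed;
# the article only gives "Tuesday 5 February, 2pm" to "Thursday, 9am".
SAMPLE_LOG = """\
2019-02-05T13:58:02 login sid=s1 user=u100
2019-02-05T14:03:10 login sid=s2 user=u200
2019-02-05T14:03:10 login sid=s3 user=u300
2019-02-05T14:03:11 request sid=s2 user=u300
2019-02-05T14:03:12 request sid=s3 user=u200
2019-02-05T15:20:00 login sid=s4 user=u400
2019-02-05T15:20:05 request sid=s4 user=u400
2019-02-07T09:30:00 login sid=s5 user=u500
"""

WINDOW_START = datetime(2019, 2, 5, 14, 0)  # change deployed Tuesday 2pm
WINDOW_END = datetime(2019, 2, 7, 9, 0)     # rollback Thursday 9am


def parse(log_text):
    """Parse the constructed log format into (timestamp, kind, sid, user) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, kind, sid, user = line.split()
        events.append((datetime.fromisoformat(ts), kind,
                       sid.split("=", 1)[1], user.split("=", 1)[1]))
    return events


def crossed_sessions(events):
    """Return {sid: sorted user ids} for every session that served more than one user.

    A session id bound to two different users is the signature of the swap
    the article describes (two concurrent logins seeing each other's account)."""
    seen = defaultdict(set)
    for _, _, sid, user in events:
        seen[sid].add(user)
    return {sid: sorted(users) for sid, users in seen.items() if len(users) > 1}


def logins_in_window(events, start=WINDOW_START, end=WINDOW_END):
    """Users who logged in while the faulty change was live: the set whose
    sessions should be force-expired and who should be told to log in again."""
    return sorted({user for ts, kind, _, user in events
                   if kind == "login" and start <= ts < end})
```

Running `crossed_sessions` over a real session log would also catch the quieter case where a user never noticed the swap but their session still served someone else's requests.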

"You've every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes," Roberts said.

Mumsnet has now reported itself to the Information Commissioner's Office, as it is legally required to do in the event of a data breach. SC Media UK has contacted Mumsnet for further details.

Suid Adeyanju, managing director at RiverSafe, told SC Media UK that he has found that a lot of organisations overcomplicate the process of moving to a cloud environment.

"A big reason for this is a lack of planning as businesses and their security teams attempt to re-use existing processes (ITIL and others) in a cloud environment when it was never made to work in one. Doing this brings with it many security risks to the organisation that security teams will not be prepared to defend from," he said.

Steve Armstrong, regional director for UK and Ireland at Bitglass, told SC that the indications are that this issue was fixed with a rollback. 

"This likely suggests an underlying database configuration issue. It’s very unlikely to be a caching issue browser side – so this suggests a server-based issue. This in turn would speak to a misconfiguration either in the database platform or potentially on the infrastructure the database was hosted on. There are generally security models built into most platforms, but they only solve part of the problem – security in depth is always a better approach," he said.
