    Hackers Accessed Mumsnet Users' Data Via Heartbleed Bug

    Popular parenting site says the worst-case scenario is that all its 1.5 million users' personal data was compromised by the Heartbleed bug.

    Mumsnet has become the first high-profile British website to admit its users' personal data was accessed by hackers via the Heartbleed bug sweeping across the internet.

    Hackers may have been able to see usernames, passwords and email addresses.

    The site says: "It is possible that this information could then have been used to log in as you and give access to your posting history, your personal messages and your personal profile, although we should say that we have seen no evidence of anyone's account being used for anything other than to flag up the security breach, thus far."

    Mumsnet also points out that despite its best efforts - like everyone else - it cannot give any cast-iron guarantees that its users' data are now safe, adding: "If there's one thing we've all learned from Heartbleed, it's that there may be security vulnerabilities out there that nobody knows about."

    Heartbleed is caused by a flaw in OpenSSL, one of the ways users' data is scrambled as it's passed between online services. In short, the Heartbleed bug unscrambles the data, allowing hackers to see it in full.

    We're reassuring users that Mumsnet is as secure as any other site on the web - considerably more so in fact than some that have no doubt been scraped and haven't required users to update their passwords. We're just unusual in that we've been completely transparent with our members about the effects of the Heartbleed bug. The security of our users' data is of paramount importance to us; we collect very little of it, and we never pass or sell it on without people's explicit consent. Heartbleed has shown that nobody can offer a 100% guarantee of online security, but we'll continue to do our best to protect and educate our users as much as we can, and be transparent about any breaches we find.

    At the same time, Canada's tax agency has also had to admit a data breach due to Heartbleed.

    The Canada Revenue Agency acted swiftly, putting an SSL patch in place to fix the bug last Tuesday, but it apparently came too late.

    A message on its homepage reads: "The CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period.

    "Based on our analysis to date, social insurance numbers of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability."

    Anyone affected will get credit protection services "at no cost".

    Some 500,000 sites are thought to be at direct risk from Heartbleed.

    The bug allows attackers to "eavesdrop on communications, steal data directly from the services and users and to impersonate services and users", and the digital media industry appears to have been caught off guard in a big way.