
Hackers Accessed Mumsnet Users' Data Via Heartbleed Bug

Popular parenting site says the worst case scenario is that all its 1.5 million users' personal data was compromised by the Heartbleed bug.


Mumsnet has become the first high-profile British website to admit its users' personal data was accessed by hackers via the Heartbleed bug sweeping across the internet.

In a statement tonight, Mumsnet founder Justine Roberts said that the site learned it was affected by the bug last Thursday, 10 April, and quickly closed the security loophole.

But by then, "it seems that users' data was accessed prior to our applying this fix," she said. "We have no way of knowing which Mumsnetters were affected by this. The worst case scenario is that the data of every Mumsnet user account was accessed."

All Mumsnet registered users now have to change their passwords to continue to contribute to its lively discussion boards.

Hackers may have been able to see usernames, passwords and email addresses.

The site says: "It is possible that this information could then have been used to log in as you and give access to your posting history, your personal messages and your personal profile, although we should say that we have seen no evidence of anyone's account being used for anything other than to flag up the security breach, thus far."

Mumsnet also points out that despite its best efforts - like everyone else - it cannot give any cast-iron guarantees that its users' data are now safe, adding: "If there's one thing we've all learned from Heartbleed, it's that there may be security vulnerabilities out there that nobody knows about."

Heartbleed is caused by a flaw in OpenSSL, a widely used library that implements the TLS encryption protecting users' data as it passes between online services. The bug does not break the encryption itself. It is a missing bounds check in OpenSSL's handling of the TLS "heartbeat" extension: a client can claim to have sent a much longer heartbeat message than it actually did, and a vulnerable server replies with up to 64 KB of whatever happens to sit in its memory next to the request, which can include usernames, passwords, session cookies and even the server's private key. Because such a request leaves no trace in ordinary logs and can be repeated indefinitely, an attacker can harvest memory without anyone noticing.
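The following is an added illustration of the bug class behind Heartbleed (CVE-2014-0160), written for this page; it is not OpenSSL's code and not anything from Mumsnet. It models a heartbeat handler in two forms, the vulnerable one that trusts the peer's length field and the fixed one that checks it against the bytes actually received. The record layout follows RFC 6520 (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the "server memory", the secret placed behind the request and the 256-byte bound are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the Heartbleed (CVE-2014-0160) bug class, not
 * OpenSSL's own code: a TLS heartbeat handler that trusts the length field
 * supplied by the peer.  Record layout follows RFC 6520: 1-byte type,
 * 2-byte payload length, payload, then at least 16 bytes of padding.
 */

#define HB_REQUEST  1
#define HB_PADDING  16
#define MEM_SIZE    256   /* constructed stand-in for the server's heap */

/* Constructed "server memory": the received record is laid out at the
 * front, and a secret that should never leave the process sits just
 * behind it, as session data or keys might on a real heap. */
static unsigned char server_mem[MEM_SIZE];
static const char SECRET[] = "session_cookie=abc123;password=hunter2";

/* Write a heartbeat request into server_mem, then place SECRET right after
 * it.  claimed_len is what the peer puts in the length field and may be
 * larger than the payload actually sent.  Returns the length really
 * received on the wire. */
size_t build_request(const char *payload, uint16_t claimed_len) {
    size_t plen = strlen(payload);
    memset(server_mem, 0, sizeof server_mem);
    server_mem[0] = HB_REQUEST;
    server_mem[1] = (unsigned char)(claimed_len >> 8);
    server_mem[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(server_mem + 3, payload, plen);
    size_t wire_len = 3 + plen + HB_PADDING;
    memcpy(server_mem + wire_len, SECRET, sizeof SECRET);
    return wire_len;
}

/* Vulnerable handler (the pre-fix behaviour): takes the payload length
 * from the record and echoes that many bytes back, never comparing it with
 * how much was actually received.  The only bound is the size of the
 * backing buffer, which keeps this model well-defined; OpenSSL had none
 * and read whatever followed the request on the heap.
 * Returns the number of bytes copied to out. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t wire_len,
                            unsigned char *out, size_t out_cap) {
    (void)wire_len;                               /* ignored: the bug */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (payload_len > out_cap || 3 + payload_len > MEM_SIZE) return 0;
    memcpy(out, rec + 3, payload_len);            /* over-reads past the request */
    return payload_len;
}

/* Fixed handler: header, claimed payload and padding must fit within the
 * bytes actually received, otherwise the record is dropped silently, as
 * the OpenSSL fix does. */
size_t heartbeat_fixed(const unsigned char *rec, size_t wire_len,
                       unsigned char *out, size_t out_cap) {
    if (wire_len < 3 + HB_PADDING) return 0;      /* too short to be valid */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload_len + HB_PADDING > wire_len) return 0;  /* the missing check */
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Returns 1 if SECRET appears anywhere in buf[0..n). */
int contains_secret(const unsigned char *buf, size_t n) {
    size_t slen = strlen(SECRET);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Oversized request: 2 bytes sent, 200 claimed.  Returns 1 if the
 * vulnerable handler leaked the secret and the fixed one returned nothing. */
int demo_attack(void) {
    unsigned char vuln_out[MEM_SIZE], fixed_out[MEM_SIZE];
    size_t wire_len = build_request("hi", 200);
    size_t leaked = heartbeat_vulnerable(server_mem, wire_len, vuln_out, sizeof vuln_out);
    size_t safe   = heartbeat_fixed(server_mem, wire_len, fixed_out, sizeof fixed_out);
    return leaked == 200 && contains_secret(vuln_out, leaked) && safe == 0;
}

/* Honest request: 5 bytes sent, 5 claimed.  Returns 1 if the fixed handler
 * still echoes it, i.e. the check does not break legitimate heartbeats. */
int demo_legit(void) {
    unsigned char out[MEM_SIZE];
    size_t wire_len = build_request("hello", 5);
    size_t n = heartbeat_fixed(server_mem, wire_len, out, sizeof out);
    return n == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void) {
    printf("oversized heartbeat: %s\n",
           demo_attack() ? "vulnerable handler leaked the secret, fixed handler dropped it"
                         : "unexpected result");
    printf("honest heartbeat:    %s\n",
           demo_legit() ? "fixed handler echoes it" : "unexpected result");
    return 0;
}
```

The point to take from the model is that the encryption is untouched: the leak comes entirely from copying `payload_len` bytes when only `wire_len` bytes were received, and the whole fix is the one comparison between the two. Repeating the oversized request returns a fresh slice of memory each time, which is why a site cannot know after the fact which users' data was read.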

We're reassuring users that Mumsnet is as secure as any other site on the web - considerably more so in fact than some that have no doubt been scraped and haven't required users to update their passwords. We're just unusual in that we've been completely transparent with our members about the effects of the Heartbleed bug. The security of our users' data is of paramount importance to us; we collect very little of it, and we never pass it on or sell it without people's explicit consent. Heartbleed has shown that nobody can offer a 100% guarantee of online security, but we'll continue to do our best to protect and educate our users as much as we can, and be transparent about any breaches we find.

At the same time, Canada's tax agency has also had to admit a data breach due to Heartbleed.

The Canada Revenue Agency acted swiftly, applying an OpenSSL patch to fix the bug last Tuesday, but it apparently came too late.

A message on its homepage reads: "The CRA has been notified by the Government of Canada's lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period.

"Based on our analysis to date, social insurance numbers of approximately 900 taxpayers were removed from CRA systems by someone exploiting the Heartbleed vulnerability."

Anyone affected will get credit protection services "at no cost".

Some 500,000 sites are thought to be at direct risk from Heartbleed.

The bug allows attackers to "eavesdrop on communications, steal data directly from the services and users and to impersonate services and users", and the digital media industry appears to have been caught off guard in a big way.