Mumsnet user details stolen by hackers following DDoS attack

Mumsnet founder Justine Roberts also subjected to 'swatting' attack by same culprit

Mumsnet's 7.7 million users have been urged to immediately change their passwords after the parenting website temporarily shut down in a DDoS attack by hackers as part of a wider campaign against it.

The incident comes shortly after Valve had to suspend its $18m International Dota 2 Championships tournament after a distributed denial-of-service attack took down servers.

The attack against Mumsnet formed part of a wider campaign against the website by cyber vandals which included a hoax call sending armed police officers to the homes of founder Justine Roberts.

A now-suspended Twitter user using the handle @DadSecurity is thought to be behind the DDoS on Mumsnet after making posts such as 'RIP Mumsnet'.

The user is also suspected to be the culprit behind a 'swatting' attack - the practice of providing police with fake information about violence taking place at the victim's address - against Roberts, after calling 999 and claiming a gunman had been seen in the area of her home. Other users who engaged with DadSecurity were also the victims of swatting.

Mumsnet was targeted by the DDoS attack on August 11 and restored on August 12. However, it was soon discovered that the DDoS incident served as cover for a more sophisticated hack which has resulted in hackers being able to take control of user accounts after breaching the forum's administrative systems.

It's believed that the hacker accessed passwords via a phishing technique which created a fake Mumsnet login page. The culprit was then able to see user passwords as they were typed in plain text and use the information to take over accounts.

There's evidence that 11 accounts have been hacked in this way, but in an email to Mumsnet users, Roberts suggested that all users change their passwords in order to protect against their accounts being hijacked.

"We take great care to protect the information you give us and not to ask for or store any more information than we need to run the site, but though we can't know how many accounts have been affected, there have been enough breaches for us to ask all Mumsnet users to change their passwords," said Roberts.

Experts recently told Computing that the best way to protect against DDoS attacks is to constantly renew cyber security defences and to monitor hacktivist forums.

Kane Hardy, VP, EMEA at Hexis Cyber Solutions, warned that the Mumsnet incident "is unlikely to be the last" DDoS attack against an organisation and that companies should prepare for when they're inevitably targeted.

"What's important is that organisations are able to minimise the amount of time between detection and removal to limit the damage that a breach can do," he said, arguing that publicly disclosing that a breach has occurred is good practice.

"Organisations from across all industries should take a page from Mumsnet's book: recognising that an attack has been successful and publicly disclosing the details of the incident is the first step in adequately handling the aftermath of a breach," Hardy explained.

"The next step should include an in-depth analysis of how the attackers were able to execute the breach on hand and collect the necessary information to make efficient decisions on prevention of future similar incidences," he continued.

"By being able to understand what is happening on the endpoint and what is happening within the network, organisations can respond to potential threats at machine-speed and quickly prevent damage," Kane concluded.

Ross Brewer, vice president and managing director of international markets at LogRhythm, said the incident demonstrates how organisations need to be smart when it comes to observing radically altered login information from users, as it might suggest a hack.

"Businesses need to be savvy to users' 'normal' behaviour - if someone logs in from Reading at 10am, and then again from Moscow at 11am, the chances are it isn't the same person," he explained.

"All organisations, whether they're protecting their own data or their users' data, need to monitor their networks continuously and have systems in place to alert them as soon as something outside of the norm occurs," Brewer continued, warning: "Every business will, at some point, be breached."

The solution, he suggested, "is identifying and remediating the situation as soon as possible".
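Brewer's Reading-then-Moscow check is commonly implemented as an "impossible travel" rule over login events. The Python below is an added example, not code from Mumsnet or LogRhythm; the event fields, the 900 km/h speed ceiling, the 50 km GeoIP tolerance and the sample logins are all assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0   # assumed ceiling: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0  # assumed tolerance for GeoIP inaccuracy


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive logins by one user whose locations imply travel
    faster than max_speed_kmh. Events may arrive out of order."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue  # first login seen for this user: nothing to compare
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        # Distant logins at the same instant count as infinitely fast.
        speed = km / hours if hours > 0 else float("inf")
        if km > MIN_DISTANCE_KM and speed > max_speed_kmh:
            alerts.append({"user": ev["user"], "from": prev["city"],
                           "to": ev["city"], "km": round(km), "kmh": speed})
    return alerts


def login(user, hour, minute, city, lat, lon):
    """Build one constructed login event (date is arbitrary sample data)."""
    return {"user": user, "time": datetime(2024, 1, 15, hour, minute),
            "city": city, "lat": lat, "lon": lon}


# Constructed sample events, deliberately out of chronological order.
EVENTS = [
    login("alice", 11, 0, "Moscow", 55.75, 37.62),
    login("bob", 9, 0, "London", 51.51, -0.13),
    login("alice", 10, 0, "Reading", 51.45, -0.97),
    login("bob", 10, 30, "Reading", 51.45, -0.97),
]

if __name__ == "__main__":
    for alert in impossible_travel(EVENTS):
        print(alert)
```

In practice the coordinates come from a GeoIP lookup on the source address, so VPN and mobile-carrier egress points produce false positives that need an allow-list or a secondary signal before alerting.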

"The longer a hacker is able to roam free, the more information they can get and, in order to limit the damage both on and offline, getting them out as soon as possible is imperative," Brewer added.