Hackers behind British Mensa breach publish private messages of forum members on dark web

Some messages include email addresses and contact numbers of Mensa forum members

Hackers who breached the website of British Mensa last month have reportedly leaked private conversations between some of the forum members onto the internet.

According to independent cyber security analyst Graham Cluley, the cyber actors have posted around 35MB of files containing over 700 private messages between members of the Mensa UK forum on the dark web.

Some of these messages contain personally identifiable information of the forum members, including their contact numbers and email addresses.

"From my examination of them, some contain strongly-held opinions about other Mensa members that I suspect the senders would not appreciate being made public," Cluley said in a blog post.

He claimed that Chris Leek, chairman of Mensa UK, is among the individuals whose private messages have been exposed by the hackers.

Cluley posted a screenshot of a leaked message in his post, although the names of the sender and the recipient were redacted.

Mensa is a club open only to those people who score in the 98th percentile or higher in a standardised IQ test. The non-profit organisation was founded nearly 75 years ago and boasts about 18,000 members from the UK alone.

Mensa UK disclosed last month that it had fallen victim to a cyber attack.

The website of British Mensa is still offline, and shows the message "site under maintenance" when a visitor tries to access the site.

In a report published last week, Forbes claimed that the attackers used the credentials of one of the organisation's directors to access the site.

The revelation came after two directors quit their roles over concerns that the organisation was not taking appropriate measures to protect the data of its members.

Eugene Hopkinson, who served as a director and technology officer on British Mensa's board, resigned from his post last month. He accused Mensa of adopting substandard cyber security practices, potentially exposing the sensitive data of its 18,000 members.

Hopkinson told the FT that the passwords of Mensa members are not hashed or scrambled, potentially allowing attackers easy access to user accounts.

He also stated that Mensa holds lots of sensitive information on its website, including users' email IDs, passwords and home addresses, IQ scores of members/failed applicants, payment card details, and instant messaging conversations.

Following Hopkinson's resignation, Emily Shovlar, a member of British Mensa's board of directors, also said that she was quitting the board.

Shovlar stated that she had "no confidence that the Mensa administration will investigate this breach thoroughly" or will learn any lessons from this experience.

In an email sent to the members of Mensa UK last week, Chairman Chris Leek apologised to users for the inconvenience caused by the website being offline.

Leek confirmed that the breach did not occur during a brute force attack on the 20th January, but did admit that there had been two separate incidents, which led to a leak of "limited personal data of a few members and officers of Mensa" for a short period of time.

"Details of these incidents have been passed to the Information Commissioner's Office and we are continuing to liaise with them," he added.

Update 9/2/21: A previous version of this article incorrectly stated that Mensa Chairman Chris Leek told members that the breach occurred during the brute force attack.