Botched Mumsnet update allowed users to see details of strangers’ accounts

Parenting site apologises for data breach.

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

Botched Mumsnet update allowed users to see details of strangers' accounts

Mumsnet, the phenomenally popular British parenting website, has admitted that a software upgrade unintentionally allowed users to gain access to the accounts of other users who had logged in at the same time.

In an email sent to its members, Mumsnet said that the problem affected user logins between 2pm on Tuesday 5 February, and 9am on Thursday 7 February, and blamed the problem on a software bug rolled out across the site on Tuesday.

Mumsnet email

Sign up to our free newsletter.
Security news, advice, and tips.

The site only became aware there was a problem on the evening of Wednesday 6 February, when a concerned Mumsnet user raised the alarm that they were able to view the details of a stranger’s account – which included their email address, account details, posting history, and personal messages. Passwords were not accessible.

The following morning Mumsnet rolled back the software update, and says there have been no reports of unauthorised account access since.

In all, Mumsnet says that the number of affected users is 44 (with two accounts being breached twice, “bringing the total to 46”.)

For a site that claims to receive over 14 milion unique visitors per month, that’s hardly a catastrophic figure – but that, of course, is little cause for comfort those who were affected by the botched update.

Furthermore, it suggests that Mumsnet’s technical team did not thoroughly test the update before rolling it out across its live production site.

Maybe that’s a bit harsh of me. It must be hard to find a bug like this that is only affecting a tiny percentage of users in testing. I guess what would be good would be to build a QA process that attempts to replicate typical behaviour on a site like Mumsnet – including emulating lots of simultaneous logins to see if there are peculiar outcomes. Just as you would hopefully stress test the site to see how it behaves under high pressure.

The site is no stranger for hitting the headlines for all manner of reasons, some of which have been cybersecurity-related – such as when it was exploited via Heartbleed vulnerability, suffered a DDoS attack, was hacked, and its founder was targeted with a SWATting.

Mumsnet says that it is reporting the latest breach to the Information Commissioner’s Office (ICO).


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.