Botched Mumsnet update allowed users to see details of strangers’ accounts

Mumsnet, the phenomenally popular British parenting website, has admitted that a software upgrade unintentionally allowed users to gain access to the accounts of other users who had logged in at the same time.

In an email sent to its members, Mumsnet said that the problem affected user logins between 2pm on Tuesday 5 February, and 9am on Thursday 7 February, and blamed the problem on a software bug rolled out across the site on Tuesday.

Sign up to our newsletter
Security news, advice, and tips.

The site only became aware there was a problem on the evening of Wednesday 6 February, when a concerned Mumsnet user raised the alarm that they were able to view the details of a stranger’s account – which included their email address, account details, posting history, and personal messages. Passwords were not accessible.

The following morning Mumsnet rolled back the software update, and says there have been no reports of unauthorised account access since.

In all, Mumsnet says that the number of affected users is 44 (with two accounts being breached twice, “bringing the total to 46”.)

For a site that claims to receive over 14 milion unique visitors per month, that’s hardly a catastrophic figure – but that, of course, is little cause for comfort those who were affected by the botched update.

Furthermore, it suggests that Mumsnet’s technical team did not thoroughly test the update before rolling it out across its live production site.

Maybe that’s a bit harsh of me. It must be hard to find a bug like this that is only affecting a tiny percentage of users in testing. I guess what would be good would be to build a QA process that attempts to replicate typical behaviour on a site like Mumsnet – including emulating lots of simultaneous logins to see if there are peculiar outcomes. Just as you would hopefully stress test the site to see how it behaves under high pressure.

The site is no stranger for hitting the headlines for all manner of reasons, some of which have been cybersecurity-related – such as when it was exploited via Heartbleed vulnerability, suffered a DDoS attack, was hacked, and its founder was targeted with a SWATting.

Mumsnet says that it is reporting the latest breach to the Information Commissioner’s Office (ICO).

Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.

Graham Cluley •   @gcluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.