Mumsnet, the phenomenally popular British parenting website, has admitted that a software upgrade unintentionally allowed users to gain access to the accounts of other users who had logged in at the same time.
In an email sent to its members, Mumsnet said that the problem affected user logins between 2pm on Tuesday 5 February, and 9am on Thursday 7 February, and blamed the problem on a software bug rolled out across the site on Tuesday.
The site only became aware there was a problem on the evening of Wednesday 6 February, when a concerned Mumsnet user raised the alarm that they were able to view the details of a stranger’s account – which included their email address, account details, posting history, and personal messages. Passwords were not accessible.
The following morning Mumsnet rolled back the software update, and says there have been no reports of unauthorised account access since.
In all, Mumsnet says that the number of affected users is 44 (with two accounts being breached twice, “bringing the total to 46”).
For a site that claims to receive over 14 million unique visitors per month, that’s hardly a catastrophic figure – but that, of course, is little comfort to those who were affected by the botched update.
Furthermore, it suggests that Mumsnet’s technical team did not thoroughly test the update before rolling it out across its live production site.
Maybe that’s a bit harsh of me. It must be hard to find a bug like this that is only affecting a tiny percentage of users in testing. I guess what would be good would be to build a QA process that attempts to replicate typical behaviour on a site like Mumsnet – including emulating lots of simultaneous logins to see if there are peculiar outcomes. Just as you would hopefully stress test the site to see how it behaves under high pressure.
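The kind of QA check sketched above can be made concrete with a small concurrency harness. The example below is added here and is not Mumsnet’s code, nor a description of Mumsnet’s actual defect (the article does not say what the bug was). It pairs a constructed login handler that keeps the authenticated identity in one process-wide variable (a classic way for overlapping logins to bleed into each other) with a hardened form that stores identity per session token, and runs many simultaneous logins against each, flagging every response whose identity does not match the credentials that were sent. The `USERS` table, both app classes and the barrier used to force the requests to overlap are all assumptions made for the illustration.

```python
import secrets
import threading

# Constructed credential table for the harness; these are not real accounts.
USERS = {f"user{i:02d}": f"password-{i:02d}" for i in range(40)}


class SharedStateApp:
    """Constructed stand-in for a login handler with a cross-request defect:
    the authenticated identity lives in a single variable shared by every
    request, so concurrent logins overwrite each other."""

    def __init__(self, barrier):
        self.current_user = None   # shared across all requests (the defect)
        self.barrier = barrier     # forces every request to overlap, so the
                                   # race is reproducible rather than flaky

    def login(self, username, password):
        if USERS.get(username) != password:
            return None
        self.current_user = username
        # Models the window between checking credentials and issuing the
        # session: every request pauses until all have authenticated, and
        # then each one reads back whichever identity was written last.
        self.barrier.wait()
        return self.current_user


class PerSessionApp:
    """Hardened form: identity is recorded against a random session token
    that only this request holds, so no request can observe another's."""

    def __init__(self, barrier):
        self.sessions = {}
        self.lock = threading.Lock()
        self.barrier = barrier

    def login(self, username, password):
        if USERS.get(username) != password:
            return None
        token = secrets.token_urlsafe(16)
        with self.lock:
            self.sessions[token] = username
        self.barrier.wait()        # same overlap window as above
        return self.sessions[token]  # read back only through this request's token


def simulate_concurrent_logins(app_cls, n_users):
    """Log in n_users distinct accounts at the same moment and return every
    (sent_username, observed_username) pair where the response identity is
    not the account whose credentials were used. An empty list means no
    request leaked into another."""
    if not 0 < n_users <= len(USERS):
        raise ValueError("n_users must be between 1 and the size of USERS")
    # The timeout stops the harness hanging if a request never reaches the
    # barrier (e.g. a failed login returning early).
    barrier = threading.Barrier(n_users, timeout=5)
    app = app_cls(barrier)
    results = {}
    results_lock = threading.Lock()

    def worker(username):
        observed = app.login(username, USERS[username])
        with results_lock:
            results[username] = observed

    threads = [threading.Thread(target=worker, args=(u,))
               for u in list(USERS)[:n_users]]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return [(u, seen) for u, seen in results.items() if seen != u]


if __name__ == "__main__":
    for app_cls in (SharedStateApp, PerSessionApp):
        leaks = simulate_concurrent_logins(app_cls, 20)
        print(f"{app_cls.__name__}: {len(leaks)} of 20 logins saw another account")
```

Against the shared-state handler, all twenty requests come back carrying the identity of whichever login wrote last, so nineteen of them are flagged; against the per-session handler none are. The same shape of check (fire N logins at once, compare each response’s account to the credentials sent) works against a staging deployment over HTTP, and catching the mismatch at that stage is a good deal cheaper than hearing about it from a user.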
The site is no stranger to hitting the headlines for all manner of reasons, some of which have been cybersecurity-related – such as when it was exploited via the Heartbleed vulnerability, suffered a DDoS attack, was hacked, and its founder was targeted with a SWATting.
Mumsnet says that it is reporting the latest breach to the Information Commissioner’s Office (ICO).