Poor password security at the British branch of Mensa?

Graham Cluley
@gcluley

The website of Mensa – the club for people who have scored highly in an IQ test but who feel their social lives would be improved by hanging out with other people who chose to join a club after scoring highly in an IQ test – is said to have suffered a cyber attack.

In an email to members, British Mensa said that “extensive investigations” by its hosting company and web developers have found “no evidence” that any data had been lost.

The discovery of an attack was swiftly followed by two of British Mensa’s board members quitting, citing concerns that the organisation is not properly protecting members’ data.


Eugene Hopkinson, who until recently was the British Mensa board’s technology officer, has reportedly been trying to convince Mensa’s leadership team since 2018 that the organisation needs to stop storing passwords in plain text.

Hopkinson told the Financial Times that he believed the sensitive information being insecurely stored by Mensa includes:

  • the IQ scores of members and failed applicants
  • instant messaging conversations on Mensa’s website
  • payment card details from Mensa’s online shop
  • passwords
  • email addresses
  • home addresses

Since the resignations, British Mensa has shared limited details of other security incidents:

This week, a series of incidents have occurred which appear to be designed to discredit Mensa’s systems. One of these incidents did involve a breach of the private data of two members. The source of where that data was harvested is part of the investigation.

Throughout these incidents the society has been taking specialist data protection legal advice, and this incident has been reported by our solicitor to the Information Commissioner’s Office with a view to a criminal investigation. A significant amount of evidence has already been collected and should the ICO decide to pursue a criminal action, Mensa will support the decision fully.

According to a Forbes report, the Mensa site was accessed by someone using the login credentials of one of the organisation’s directors.

Whether the unauthorised access occurred because passwords were being stored without proper due care or security by Mensa, or because of carelessness by the director, or whether it is entirely unconnected to recent events is unclear.

But what is plain for anybody to see is that for the last couple of days, if you were to visit the British Mensa website at https://www.mensa.org.uk/, you would be greeted with an announcement that explains, not terribly attractively, that it is “currently undergoing maintenance.”

One imagines the organisation is reviewing its site security, and feels more comfortable inelegantly shutting down the site temporarily rather than risking further abuse.

If the claims made by Hopkinson are correct, it doesn’t sound like Mensa is being terribly smart about its data security.

Passwords, for instance, should never be stored in plain text. They should instead be salted and hashed.

It seems to me that hashing passwords is just common sense, rather than a question of intellect.
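To make the contrast concrete, here is an added example (not code from the article or from Mensa) in Python: a plaintext "store" next to a per-user salted PBKDF2 hash with constant-time verification. The passwords and the record format are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Plaintext storage, the practice the article criticises: whoever reads the
# database (a breach, a rogue insider, a stray backup) reads every password.
def store_plaintext(password: str) -> str:
    return password

# Work factor for PBKDF2-HMAC-SHA256. Memory-hard KDFs (scrypt, Argon2) are
# also suitable; PBKDF2 is used here because it ships in the standard library.
ITERATIONS = 200_000

def store_salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    # A fresh random salt per user means two users with the same password get
    # different records, and a precomputed table cannot be reused across users.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept
    _, iterations, salt_b64, digest_b64 = parts
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("plaintext record:", store_plaintext(pw))
    rec = store_salted_hash(pw)
    print("hashed record:   ", rec)
    print("login ok:", verify(pw, rec), "| wrong pw:", verify("hunter2", rec))
```

The hashed record can be stored in the user table; the only way to recover the password from it is to guess it and pay the full PBKDF2 cost per guess per user.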

For further discussion, make sure to listen to this episode of the “Smashing Security” podcast:

Smashing Security #213: 'No security smarts at Mensa, long-term identity theft, and GameStop's share frenzy'


Further reading: Private messages between Mensa forum members are leaked onto the internet



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
