MumsNet hit by hack, DDoS attack and SWAT

Mumsnet, the phenomenally popular British parenting website, has suffered an attack from hackers which has seen users’ accounts breached, and passwords stolen.

In addition, online criminals have launched a distributed denial-of-service (DDoS) attack against the site, and targeted co-founder Justine Roberts with a ‘swatting’ attack that saw an armed police unit being called to her home.

According to a post on the Mumsnet website, the problems started on August 11, when the site was bombarded with internet traffic, making it difficult for legitimate users to reach it.

Access to the site was restored by the following morning, but a group calling itself DadSecurity claimed responsibility on Twitter for the denial-of-service and threatened further attacks.

But by now it had become apparent that the hackers were not limiting themselves to simple DDoS attacks.

An unauthorised party managed to log into the MumsNet servers with administrator privileges, redirecting the site to point to DadSecurity’s Twitter account (which has since been suspended), as well as editing users’ posts.

Someone claiming to be the hacker also posted on the thread on which users were discussing the site outage. We immediately locked down all access to our admin functions and reported the attack to the police. We were confident that users’ passwords had not been accessed, because MNHQ doesn’t hold them as plain text; they’re all encrypted, so that no one – not even us – can see them.

And then the ‘swatting’ attack happened.

To add to the ‘fun’, it seems @DadSecurity also resorted to Swatting attacks. Swatting is a criminal practice in which someone makes an emergency call to the police claiming that a crime is taking place at the house of the intended victim, in order to get them to send a swat team to the address.

An armed response team turned up at my house last week in the middle of the night, after reports of a gunman prowling around. A Mumsnet user who engaged with @DadSecurity on Twitter was warned to “prepare to be swatted by the best” in a tweet that included a picture of a swat team, after which police arrived at her house late at night following a report of gunshots. Needless to say, she and her young family were pretty shaken up. It’s worth saying that we don’t believe these addresses were gained directly from any Mumsnet hack, as we don’t collect addresses. The police are investigating both instances.

Two things are very clear: MumsNet has suffered a serious security breach, and someone really really doesn’t like MumsNet.

MumsNet has responded well, telling users to reset their passwords, warning about the dangers of phishing and keeping members informed about what is going on via email.


I don’t know what backend systems MumsNet is using, but it’s obviously essential to keep software and servers up to date with the latest security patches – as hackers love nothing better than to exploit vulnerabilities to creep deep into systems and steal data.

But my hunch is that the hacker might have gained access to MumsNet staff accounts either because weak (easy-to-guess, easy-to-crack or non-unique) passwords were in use, or because staff were the victims of a phishing attack.

Obviously staff training and policy can help here, but I recommend that companies go a step further and use two-factor authentication (2FA) on staff systems. That’s the same kind of system that online banks have, where they require you to enter a random number sent to your mobile or generated on a key fob.

Even if a hacker steals a password, it won’t be any use to them because they won’t have access to the mobile phone or key fob which generates the random number also required for access.

It’s worth bearing in mind that potentially the hackers could have access to the email addresses of MumsNet users – so there’s an obvious danger that members might be spammed, or may be on the receiving end of phishing attacks.

Clearly, as well as potentially exposed users, MumsNet is the victim of a series of criminal acts. One has to hope that whoever is responsible for the hack, DDoS and swatting attack is identified and brought to justice soon.

Last year, Mumsnet’s website was found to be vulnerable to the Heartbleed bug, through which hackers were able to access personal information of members.

If you are a member of MumsNet, be sure to visit the website for further advice.

And, obviously, change your password.

Author Graham Cluley, We Live Security
