Mumsnet reveals how it fell victim to Heartbleed
The website discovered it was vulnerable when a hacker posted a message on one of its forums, posing as the site's CEO
Mumsnet has released a statement detailing how it discovered it was open to the Heartbleed OpenSSL vulnerability.
On 8 April, when the first sites were affected by the Heartbleed OpenSSL vulnerability, the company ran some tests to see if it was open to an attack, and on 9 April it patched the holes it believed hackers would use to access systems.
However, on 11 April, a message was posted on one of the website's forums, purportedly from the site's CEO, Justine Roberts.
Despite the patch being successfully applied, the hackers used data scraped before its application to make the fraudulent post.
It made some odd statements about the site's users, claiming they were "unreasonable and petty."
The post went on to claim Roberts would be closing the site down or selling it, finishing with: "I'm putting this grothole up for sale and spending the money on dogecoin. Probably a more sensible thing to do than run this place any longer."
Mumsnet was very quick to announce that this wasn't the company's CEO and that hackers had taken advantage of the Heartbleed vulnerability, bypassing the patches the company had put in place.
Shortly after, other Mumsnet accounts were used to post messages writing out the string: "All your base are belong to us."
The Heartbleed vulnerability had allowed hackers to steal usernames and passwords and to post messages on user accounts. Thirty usernames and passwords were then posted to the text sharing site Pastebin, prompting Mumsnet to change user passwords to prevent any more damage occurring.
The blog post on Mumsnet said that, although nothing malicious happened, it seems the vulnerability was used to highlight the security risk with Heartbleed.
It advised its users: "The internet is brilliant, but nobody can guarantee it's 100 [per cent] safe and secure - EVER. Whenever you share anything on the web, either publicly (such as on a Mumsnet thread) or privately (such as the data you give to a website when signing up), have a think about how happy you would be for that information to get into the hands of a hacker.
"Make your passwords as secure as possible and change them every few months ('passwords are like underwear; change them often'). Use different passwords for different accounts. Close redundant accounts that you no longer use."
Yesterday, security experts warned that the volume of companies trying to patch holes exposed by the vulnerability could severely slow down the internet.