Someone out there doesn’t like Mumsnet, arguably the most popular independent web brand ever set up in the UK. According to the company’s founder Justine Roberts, the tools of this displeasure were a large DDoS attack against the site last week and an intimidating hoax that saw armed police sent to her family home early one morning.
In a twist to the story the attacker or attackers, who issued threats using the Twitter handle ‘@DadSecurity’, have also this week leaked 3,000 Mumsnet user passwords.
In the US, hoaxing special police units into visiting someone’s home is called ‘swatting’, and despite the glib way the press throws this term around, such incidents are still thankfully rare. A recent example of the form was last year’s revelation by security blogger Brian Krebs that he had been ‘swatted’, which also came after a similar DDoS of his website.
What is more concerning is the password leak. There is no evidence of a site breach, which leads the company to believe that the passwords were probably harvested by a phishing attack on a portion of its user base.
How did the attackers know whom to target? A random attack is incredibly unlikely, which suggests that the major breach at Mumsnet in 2014 is the explanation. During that incident, caused by the infamous Heartbleed flaw that many websites scrambled to fix, up to 1.5 million Mumsnet user accounts were compromised. Passwords were changed pretty rapidly, but the attackers would still have had the email addresses needed to fuel future phishing attacks.
Being on the receiving end of all this is a lot for any firm to deal with and yet Mumsnet is still blazing a trail. Most firms experiencing security incidents send a weak email to their users – they are required to under data protection legislation – telling them what has happened before spouting platitudes about the importance of user security. Insultingly, most imply that a breach of user data is not terribly serious because financial data was not taken.
But what about the customer’s name, address and date of birth? In the mindset of most large companies it’s as if this data is of no consequence as long as the number on a piece of plastic remains secure.
Mumsnet’s long explanation of last week’s attack, authored by Justine Roberts herself, is by comparison a model of clarity, setting out what she believes happened in some detail and offering advice as well as apology.
This is precisely how sites that value their users should react to a serious incident such as a breach, not just in the weeks after it but in the years that follow. To many sites it’s as if ‘users’ are just logins, abstractions. But users are also human beings, and human beings are supposed to be valued as ends in themselves. Too often in Britain they remain shadows.