Mumsnet has disclosed a data breach that occurred during a software update between 5 and 7 February. A technical error meant that users who logged on simultaneously were directed to someone else’s account.
The site’s founder, Justine Roberts, said that up to 4,000 users logged in while the vulnerability (which sounds like a caching glitch) was effective, but only 14 users have confirmed that they were affected.
Those who were logged into other users’ accounts would have been able to see:
- Email addresses;
- Account details;
- Posting history; and
- Personal messages.
Roberts confirmed that passwords weren’t affected, because the information is encrypted and isn’t listed on users’ account details.
Patching and testing
Information security professionals always tell organisations to apply patches and software updates as soon as they’re released. The updates often contain fixes to known vulnerabilities, which must be applied to prevent crooks from exploiting them.
However, patching alone isn’t enough, as Mumsnet has learned. Once the patch is applied, organisations should perform a vulnerability scan to make sure the patch hasn’t created any new problems.
Organisations can use a variety of tools to conduct vulnerability scans, but they all work in a similar way. A series of if-then scenarios is run, designed to identify system settings or actions that contain known vulnerabilities. A completed scan provides a logged summary of alerts for the organisation to act on.
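The following is an added example, not code from Mumsnet or from this article. It simulates the kind of caching glitch the author suspects (an authenticated account page stored in a shared cache keyed on URL alone, so the next visitor receives someone else's page) alongside two hardened settings, and it includes the sort of post-deploy check that would catch the bleed before real users did. The user names, session IDs and e-mail addresses are constructed for the demonstration.

```python
# Added illustrative example: a simulated shared cache in front of an
# authenticated page. Names, sessions and addresses are constructed.

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed test accounts, not real user data
USERS: Dict[str, Dict[str, str]] = {
    "session-alice": {"name": "alice", "email": "alice@example.invalid"},
    "session-bob": {"name": "bob", "email": "bob@example.invalid"},
}


@dataclass
class Response:
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def render_account_page(session_id: str, private_headers: bool) -> Response:
    """Origin application: builds the account page for the session's owner.
    With private_headers=True it tells any cache that the page is per-user."""
    user = USERS[session_id]
    headers = {"Cache-Control": "private, no-store"} if private_headers else {}
    return Response(f"Logged in as {user['name']} <{user['email']}>", headers)


class SharedCache:
    """A proxy-style cache. vary_on_session=False is the weak setting:
    the first rendered copy of a URL is handed to every later visitor."""

    def __init__(self, vary_on_session: bool):
        self.vary_on_session = vary_on_session
        self.store: Dict[Tuple[str, ...], Response] = {}

    def fetch(self, url: str, session_id: str, private_headers: bool) -> Response:
        key = (url, session_id) if self.vary_on_session else (url,)
        if key in self.store:
            return self.store[key]  # served from cache; origin not consulted
        resp = render_account_page(session_id, private_headers)
        cache_control = resp.headers.get("Cache-Control", "")
        # A well-behaved shared cache never stores private/no-store responses
        if "private" not in cache_control and "no-store" not in cache_control:
            self.store[key] = resp
        return resp


def check_no_cross_account_leak(fetch: Callable[[str, str], Response]) -> List[str]:
    """Post-deploy check: request the account page under each test session
    and report any response that carries a different user's details."""
    leaks: List[str] = []
    for session_id in USERS:
        body = fetch("/account", session_id).body
        for other_session, other in USERS.items():
            if other_session != session_id and other["email"] in body:
                leaks.append(f"{session_id} was shown {other['name']}'s account page")
    return leaks


def run_check(vary_on_session: bool, private_headers: bool) -> List[str]:
    """Run the leak check against one cache configuration."""
    cache = SharedCache(vary_on_session)
    return check_no_cross_account_leak(
        lambda url, sid: cache.fetch(url, sid, private_headers))


if __name__ == "__main__":
    print("weak (URL-keyed, no private header):", run_check(False, False))
    print("hardened (Cache-Control: private, no-store):", run_check(False, True))
    print("hardened (cache keyed per session):", run_check(True, False))
```

The weak configuration reports that the second session received the first user's page; either marking per-user responses `private, no-store` or keying the cache on the session removes the leak. A check like this, run against a staging deployment immediately after every update, is the concrete form of the "scan after you patch" advice above.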
Mumsnet is far from the only organisation to have fallen foul of vulnerabilities introduced in software updates. It’s a common mistake that can have serious data protection implications.