Mumsnet has suffered a serious data leak affecting potentially thousands of users after a software glitch during an IT system migration to the cloud.
Justine Roberts, founder and CEO of the popular parenting forum, explained in a blog post late last week that the issue affected users for the best part of two days: from 2pm on February 5 to 9am on February 7.
“During this time, it appears that a user logging into their account at the same time as another user logged in could have had their account info switched,” she said.
“We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue. We reversed that change this morning. Since then there have been no further incidents.”
The site admins also forced users to log in again, ensuring they would be locked out of any accounts not their own.
Although passwords were encrypted and could not be changed by other users, the glitch meant that other users would have been able to view the affected users’ email addresses, account details, posting history and personal messages.
As of last week, users had reported 14 incidents to the site, but Roberts claimed many more could have been affected: some 4000 Mumsnet user accounts were logged in during the window of the privacy snafu.
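Mumsnet has not published the code change responsible, so the cause is unknown; the following is an added illustration (not Mumsnet's code) of one common way a "concurrent logins swap accounts" symptom arises: the authenticated account is kept in state shared by all in-flight requests instead of being bound to each session. The account data, the interleaving of two requests and the names `SharedStateLoginService` and `SessionBoundLoginService` are all constructed for the example. The session-bound version also shows the remediation the article describes, invalidating every session so that all users must log in again.

```python
"""Session-mixing bug class beside its fix (constructed example, not Mumsnet's code)."""
from dataclasses import dataclass
import secrets


@dataclass(frozen=True)
class Account:
    user_id: int
    email: str


# Constructed sample accounts.
ACCOUNTS = {
    "alice": Account(1, "alice@example.invalid"),
    "bob": Account(2, "bob@example.invalid"),
}


class SharedStateLoginService:
    """Vulnerable pattern: the 'current' account lives in one shared slot.

    Any request that runs between another request's login and its page
    render sees whichever account was authenticated most recently.
    """

    def __init__(self) -> None:
        self.current_account: Account | None = None  # shared across requests

    def login(self, username: str) -> None:
        self.current_account = ACCOUNTS[username]

    def profile_email(self) -> str:
        assert self.current_account is not None
        return self.current_account.email


class SessionBoundLoginService:
    """Hardened pattern: login issues a random token mapped to exactly one user,
    and every later request must present that token."""

    def __init__(self) -> None:
        self.sessions: dict[str, int] = {}  # token -> user_id

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = ACCOUNTS[username].user_id
        return token

    def profile_email(self, token: str) -> str:
        user_id = self.sessions.get(token)
        if user_id is None:
            raise PermissionError("no valid session; log in again")
        return next(a for a in ACCOUNTS.values() if a.user_id == user_id).email

    def invalidate_all(self) -> None:
        """Remediation step from the article: force every user to log in again."""
        self.sessions.clear()


def simulate_shared_state() -> str:
    """Interleave two logins against the shared-state service.

    Request 1 (alice) authenticates, request 2 (bob) authenticates before
    request 1 renders, and request 1 then renders bob's data.
    """
    svc = SharedStateLoginService()
    svc.login("alice")          # request 1 logs in
    svc.login("bob")            # request 2 logs in concurrently
    return svc.profile_email()  # request 1 renders: returns bob's email


def simulate_session_bound() -> tuple[str, str]:
    """Same interleaving against the session-bound service; each request
    renders only the account its own token was issued for."""
    svc = SessionBoundLoginService()
    token_a = svc.login("alice")
    token_b = svc.login("bob")
    return svc.profile_email(token_a), svc.profile_email(token_b)


def old_session_rejected_after_invalidation() -> bool:
    """After a global invalidation, a previously valid token must be refused."""
    svc = SessionBoundLoginService()
    token = svc.login("alice")
    svc.invalidate_all()
    try:
        svc.profile_email(token)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("shared state, request 1 sees:", simulate_shared_state())
    print("session bound:", simulate_session_bound())
    print("old token rejected after invalidation:", old_session_rejected_after_invalidation())
```

The interleaving is written out step by step rather than with threads so the outcome is deterministic; in a real service the same ordering happens whenever two requests overlap. The check a practitioner wants is the one `simulate_session_bound` makes: the identity on the rendered page must match the identity the session was issued to, for every request, under concurrency.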
UPDATE: Mumsnet has confirmed to Infosecurity: "We’re now as confident as we can be that the total number of users affected is 44."
Max Heinemeyer, director of threat hunting at Darktrace, said the incident rings alarm bells over digital transformation projects.
“Organizations can outsource their IT processes, but they cannot outsource their security function altogether,” he argued.
“Cloud software is ultimately lines of code and one seemingly small mistake in that code can result in unintended risks emerging.”
Lamar Bailey, director of security research and development at Tripwire, added that poor planning is the enemy of seamless cloud migration.
“The best way to prevent these issues happening is to prepare thoroughly for cloud migration, taking into account that the process could potentially take time and resources,” he argued.
“Not rushing is paramount to maintaining the security of the enterprise, and sometimes it might be advisable to migrate services one by one, starting with the less critical, to ensure that the process is running smoothly. Organizations should also ensure that they have well trained and skilled personnel on the task.”