Parenting site Mumsnet hit by data breach

Parenting site Mumsnet has reported itself to the UK’s data protection watchdog after an upgrade let some people see details of other accounts.

In a message placed on the site, it said the problem occurred between 5 and 7 February.

Accounts got mixed up if two users logged in at exactly the same time, said Mumsnet founder Justine Roberts.

A total of 46 user accounts were affected, the site said, and no passwords are thought to have been exposed.

“You’ve every right to expect your Mumsnet account to be secure and private,” wrote Ms Roberts. “We are working urgently to discover exactly how this breach happened and to learn and improve our processes.”

Some of those affected sounded the alarm to Mumsnet early on 7 February that they could view other accounts.

Those affected would have been able to see information including:

  • email address
  • account details
  • posting history
  • personal messages

Mumsnet said it had now reversed the software update that caused the issue. It has also forced all users to log out, so that any session still attached to another user’s account would be terminated rather than left open.
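The report does not say what the upgrade changed, so the following is an added illustration, not Mumsnet’s code and not a claim about its actual cause. It sketches the class of bug that can hand one user another’s account when two logins overlap: login state parked in a field shared by every concurrent request, read back a moment later after another request has overwritten it. Beside it is the per-request record that avoids the mix-up, plus a store-wide epoch that implements “force everyone to log out” in one step. The class names, the `alice`/`bob` users and the barrier used to make the interleaving deterministic are all invented for the example.

```python
"""Added example: a shared-state session race and its fix (hypothetical code)."""
import secrets
import threading


class SharedSlotSessions:
    """Buggy pattern (hypothetical): the user being logged in is parked in a
    field shared by all concurrent requests, then read back to build the session."""

    def __init__(self):
        self.pending_user = None   # one slot for the whole server, not per request
        self.sessions = {}         # token -> user

    def login(self, user, pause=lambda: None):
        self.pending_user = user   # a concurrent login can overwrite this
        pause()                    # stands in for a context switch here
        token = secrets.token_hex(16)
        self.sessions[token] = self.pending_user   # may now be the other user
        return token

    def current_user(self, token):
        return self.sessions.get(token)


class EpochSessions:
    """Fixed pattern: only request-local state, plus a store-wide epoch so every
    outstanding session can be invalidated at once (a global forced logout)."""

    def __init__(self):
        self.epoch = 0
        self.sessions = {}         # token -> (user, epoch at issue time)
        self._lock = threading.Lock()

    def login(self, user, pause=lambda: None):
        pause()                    # same interleaving point; nothing shared to corrupt
        token = secrets.token_hex(16)
        with self._lock:
            self.sessions[token] = (user, self.epoch)
        return token

    def current_user(self, token):
        rec = self.sessions.get(token)
        if rec is None or rec[1] != self.epoch:
            return None            # unknown token, or issued before the last global logout
        return rec[0]

    def logout_everyone(self):
        with self._lock:
            self.epoch += 1        # every existing token now fails the epoch check


def race_two_logins(store, user_a, user_b):
    """Run two logins that overlap at the same instant. A two-party barrier at
    store.login's pause point makes the interleaving deterministic: both requests
    write before either reads. Returns {user: token issued to that user}."""
    barrier = threading.Barrier(2)
    results = {}

    def worker(user):
        results[user] = store.login(user, pause=barrier.wait)

    threads = [threading.Thread(target=worker, args=(u,)) for u in (user_a, user_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


def mixed_up(store, tokens):
    """True if any token resolves to a user other than the one it was issued to."""
    return any(store.current_user(tok) != user for user, tok in tokens.items())


def demo():
    buggy = SharedSlotSessions()
    buggy_mixup = mixed_up(buggy, race_two_logins(buggy, "alice", "bob"))

    fixed = EpochSessions()
    fixed_tokens = race_two_logins(fixed, "alice", "bob")
    fixed_mixup = mixed_up(fixed, fixed_tokens)

    fixed.logout_everyone()    # the incident-response step: everyone is signed out
    still_valid = any(fixed.current_user(tok) for tok in fixed_tokens.values())
    return buggy_mixup, fixed_mixup, still_valid


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The forced logout works because validity is checked against the store’s current epoch on every request, so no per-user bookkeeping is needed to expel a session that is sitting in someone else’s account; a login made after the bump gets the new epoch and is valid again.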

The ICO said it had received the report from Mumsnet and would be looking into the incident.

Analysis by technology reporter Zoe Kleinman

Mumsnet tends to make the headlines for light-hearted reasons.

Often it is a result of some of the more bizarre issues raised by members of the parenting site on its chat forums (the “penis beaker” is the stuff of legend, look it up) and the head-scratching acronyms such as AIBU (am I being unreasonable), DC (darling children) and LTB (leave the… you can guess the rest).

However, it is also for some women the first platform they turn to for help and advice on a number of deeply personal issues: intimacy, abuse, domestic violence, miscarriage, adultery, loneliness, their children’s special needs.

They worry about being identifiable to fellow “mumsnetters” who may know them in real life, and even their partners stumbling across their posts. The trust they put in Mumsnet to protect their privacy – and perhaps as a result their safety – is considerable.

The idea of writing these posts or private messages while accidentally being logged on as someone else is genuinely concerning, and while it’s a relief that it does not appear to have affected many people, the disclosure will be worrying for some.

Facebook Paid Teens $20 to Install ‘Research’ App That Collects Private Data

If you are thinking that Facebook is sitting quietly after being forced to remove its Onavo VPN app from Apple’s App Store, then you are mistaken.

It turns out that Facebook is paying teenagers around $20 a month to use a VPN app that aggressively monitors their smartphone and web activity and sends it back to Facebook.

The social media giant was previously caught collecting some of this data through Onavo Protect, a Virtual Private Network (VPN) service that it acquired in 2013.

However, the company was forced to pull the app from the App Store in August 2018 after Apple found that Facebook was using the VPN service to track its user activity and data across multiple apps, which clearly violates its App Store guidelines on data collection.

Onavo Protect became a data collection tool for Facebook helping the company track smartphone users’ activities across multiple different apps to learn insights about how Facebook users use third-party apps.

Facebook’s Paid Market Research

Now, according to a report published by TechCrunch, Facebook has been doing much more than just collecting some data on its users, this time through an app called “Facebook Research” for iOS and Android, since at least 2016.

In some documentation, this program has been referred to as “Project Atlas.” Facebook has also confirmed the existence of the app to the publication.

The report said the company has been paying people aged between 13 and 35 as much as $20 per month along with referral fees in exchange for installing Facebook Research on their iPhone or Android devices, saying it’s a “paid social media research study.”

Instead of distributing the app through any app store, Facebook has been using third-party beta-testing services (Applause, BetaBound and uTest) that run ads on Instagram and Snapchat recruiting participants to install Facebook Research.

Facebook Research App Collects Troves of User Data

The app requires users to install a custom root certificate and route their traffic through Facebook’s VPN. Because the device then trusts certificates issued under that root, the VPN endpoint can terminate TLS connections and re-sign them, so anything protected only by TLS is readable: private messages in social media apps, chats in instant messaging apps that are not end-to-end encrypted, emails, web searches, web browsing activity and ongoing location information. Messages in apps that do use end-to-end encryption stay opaque, which is why the report singles out “non-e2e” chats.

It is not clear whether Facebook actually collects all of this data, but it could if it wanted to, according to security researcher Will Strafach, who analysed the app for the publication.

In some instances, the Facebook Research app also asked users to take screenshots of their Amazon order histories and send them back to Facebook.

Facebook Acknowledges the Existence of the Program

While acknowledging the existence of this program, Facebook said, “like many companies, we invite people to participate in research that helps us identify things we can be doing better.”

Since Facebook Research is aimed at “helping Facebook understand how people use their mobile devices, we have provided extensive information about the type of data we collect and how they can participate. We do not share this information with others, and people can stop participating at any time.”

Facebook’s spokesperson claimed that the app was in line with Apple’s Enterprise Certificate program. But since Apple requires developers to use that certificate system only for distributing internal corporate apps to their own employees, “recruiting testers and paying them a monthly fee appears to violate the spirit of that rule,” the report reads.

Apple is “aware” of the issue, but it is unclear whether the iPhone maker will revoke Facebook’s Enterprise Developer Certificates.

In response to the report, Facebook said the company is planning to shut down the iOS version of its Research app. BetaBound, uTest, and Applause have not yet responded to the report.