Mumsnet reports data breach to the ICO

Mumsnet has turned itself into the Information Commissioner’s Office regarding a data breach that led to users accidentally accessing strangers’ accounts on the platform.

The glitch, which has been traced back to an inadequate software upgrade, resulted in a three-day period in which users accounts could be switched if two users tried to log onto the forum at the same time.

Consequently, each user could publish posts under the identity of the other, but more alarmingly the botch meant other users’ account details and private messages could also be accessed.

Mumsnet has said it is not yet aware of how many user accounts have been impacted by the issue. However, around 4,000 account holders logged onto the platform over the three days that the problem was active – from Tuesday afternoon to Thursday morning of this week.

Of those affected, 14 users have reported a problem, the Guardian reports.

Mumsnet founder, Justine Roberts, said:

“You’ve every right to expect your Mumsnet account to be secure and private. We are working urgently to discover exactly how this breach happened and to learn and improve our processes. We will also keep you informed about what is happening. We will of course be reporting this incident to the information commissioner.”

Mumsnet claims to have notified the UK regulator for data protection – the Information Commissioner’s Office – within 72 hours of an issue being discovered, as organisations are obliged to do under the GDPR.

According to Roberts, passwords were not compromised in the breach.

“You do not need to do anything. We have reversed the change that caused the problem. We are investigating which accounts have been affected – we don’t think it’s many and we will contact you if we think it is yours,” she told users.

The site also reported itself to the ICO last year, when a debate about trans rights led to a former worker uploading screenshots of posts that featured IP addresses of the user who put the posts together.

While the publication was accidental, the forum was prompt to treat the issue as a data breach and notified the regulator without delay.

Mumsnet also fell victim to the “Heartbleed” bug in 2014, which compromised an unknown number of the platform’s 1.5 million accounts. In response, Mumsnet reset account passwords.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.