Important statement about our website security

The MS Society has today written to a proportion of its website users and visitors to alert them to a risk to the information we hold about them. We are very sorry for any concern this may cause.

We recently discovered malicious software on our website systems, suggesting an attempt has been made to gain unauthorised access. While the software has been removed and our website security systems have been upgraded, we are asking all forum users to change their passwords as soon as possible as a precaution.

The software we discovered may have compromised the security of the information we hold about members of the forum and people who have contacted us by email and through the ‘contact us’ form on our website, or those who have contacted us by email or phone. Donors and fundraisers can be assured this is completely unconnected to the system through which online donations are made. No financial information has been accessed.

We’re conducting a full investigation into what has happened. This will include looking at why our existing security systems did not prevent this sophisticated, malicious attack. The security of the information we hold about you is of the utmost importance to us and we have taken immediate steps to improve our website systems. We can reassure you that we have since upgraded the levels of security on our website systems.

Passwords used to access the forum are encrypted and highly secure so we think it extremely unlikely that even a determined individual would be able to break the encryption. However, as a precaution we would advise you to change your passwords at the earliest opportunity. If you have the same passwords for other websites, you should change them on those services.

We understand this may be concerning news to you and we have set up a dedicated Information Security Freephone to answer enquiries about this matter. People can call this line on 0800 151 2391 or 0330 159 3820 between 9am and 8pm Monday to Friday and 9am and 6pm on Saturday and Sunday.

Calls to 0800 numbers are free from a BT Landline. Calls to 03 numbers cost no more than a national rate call to an 01 or 02 number and must count towards any inclusive minutes in mobile phone calling plans in the same way as 01 and 02 calls.

Alternatively, people can email informationsecurity@mssociety.org.uk.

People can also call the Information Commissioner’s Office Helpline on 0303 123 1113. We will also update our website as any more information about this incident becomes available at www.mssociety.org.uk/infosecurity.

Thanks Stewart & Steph (admin)

Not having a go at you personally Stewart or Steph, but to say I’m disappointed is putting it mildly.

There has already been an earlier instance of security being compromised due to human error, when a “bug” enabled some users’ real names (not their screen names) to be visible on their profiles.

And now we have this!

I know I shouldn’t, but I’m sure I’m not alone in using the same password, or simple variations on it, in lots and lots of places. Those of us with MS often have problems with memory and concentration, so we’re probably slightly more likely than others to do this.

I can’t even remember all the places I might have used the same or a closely related password, let alone visit them all to change it.

I suppose I’ve been asking for trouble for a long time, and it was more a question of when, not if, but I really didn’t expect the Society to be the weakest link, of all the many sites I hold an account with.

I’ve got used to the forum being buggy, and lots of minor things not working, and then working again (or not, as the case may be). But user security is in a different league, and it’s a vulnerable group of users too - all of us, or nearly all, being ill.

I assume if we’ve got the email, we’ve been identified as “affected”? Or has it gone out to all registered users, as a precaution?

Tina

1 Like

Hi, I’ve had the email, what I’m wondering is who on earth would want to target the MS society unless it’s unscrupulous health insurance providers or such like or even people going to offer us their “miracle cures”. To be honest I don’t think I can remember what my password is for the ms society as I’m automatically signed in each time. I’ll have to guess what it is and hope to god it’s not the same as my bank and financial ones as then I shall be worried. I hate having to change passwords as I have trouble remembering them and I don’t like writing them down. Will admin let us know if they find out anymore?

1 Like

Hi Fudgey37,

If you’ve forgotten your password, there is a link on the login screen to re-set it. Once you have done this you will receive a password reset email from us. If you have trouble finding it, check your junk/spam email folder in case it has been sent there.

If you experience any problems changing your password please email webteam@mssociety.org.uk.

If you’re concerned you can speak to our support team on Freephone 0800 151 2391 or 0330 159 3820 or email informationsecurity@mssociety.org.uk

We will update you if and when we find out any more…

Stewart (admin)

Hi Tina,

Thanks for the message, and we’re very sorry for what has happened. We’re deeply shocked and have no idea why the MS Society was targeted. Please rest assured we are conducting a full investigation looking at why our existing security systems did not prevent this sophisticated, malicious attack.

We’ve contacted all registered users of the forum as a precaution. Your password is encrypted and highly secure so we think it’s extremely unlikely that this would have been compromised. However we do advise you to change your password as soon as you can, plus any other sites you may use the same password on.

If you need any help changing your password you can email us at webteam@mssociety.org.uk.

Best wishes,

Stewart

1 Like

I’m not entirely sure it has anything to do with the subject matter of the forum. Crooks know that, in practice, people DO reuse the same password multiple times, because it’s such a faff maintaining different ones for everything.

So they may have targeted literally dozens of sites, regardless of subject matter, looking for passwords to harvest. The weakest fortress falls. If they succeed in stealing, say, email/password combinations, they probably don’t intend to use them only on the compromised site - or at all. They’ll start trying them out on other, potentially more interesting and lucrative sites. The obvious one is popular email providers, because if they can get into your email, they have access to many aspects of your life, which could be used for identity theft, or to work out which other sites you subscribe to - including banking/financial ones, and try those as well. Hence the advice to change your password anywhere you’ve used the same one. :frowning:

I don’t think it’s particular to people with MS. They know people with MS have email accounts and bank accounts, and online shopping accounts, just like everybody else. Get access to one thing, you might be able to access more than one.

I’m not trying to scaremonger here. It’s getting the details that will be the goal, not posting on an MS forum, pretending to be you - which would just be an act of vandalism, and no doubt sow lots of confusion, but wouldn’t give the crooks any real benefit.

Tina

x

What a shame that the link to reset passwords does not work!

I clicked on it on Sunday evening - got a message to say that a new password would be mailed to me - and waited, and waited, and … … you get the picture.

Geoff

Hi Geoff,

Apologies for the frustration. Please drop an email to webteam@mssociety.org.uk.

They’ll be able to help you out…

Stewart (admin)

I went to “my preferences” on the homepage and it allows you to change the password.

@ Stewart: that address does not work - you have to remove the final dot from the end.

@whammel: the “preferences” route only works if you can remember your old password. I had already changed mine, and then forgotten it.

Geoff

I thought it was a bit obvious, but you never know. Glad you worked it out in the end.

Hi Geoff, my colleague tells me you’re sorted. Apologies for the dot-at-the-end mishap.

Stewart (admin)

1 Like

And, I have to say it: the webteam (once I had solved the dot-at-the-end problem) sorted me out with a new password in just over half an hour.

So I logged on, reset my password to one I can remember, sorted!

Geoff

2 Likes