Forum

Important statement about our website security

The MS Society has today written to a proportion of its website users and visitors to alert them to a risk to the information we hold about them. We are very sorry for any concern this may cause.

We recently discovered malicious software on our website systems, suggesting an attempt has been made to gain unauthorised access. While the software has been removed and our website security systems have been upgraded, we are asking all forum users to change their passwords as soon as possible as a precaution.

The software we discovered may have compromised the security of the information we hold about members of the forum and people who have contacted us by email and through the ‘contact us’ form on our website, or those who have contacted us by email or phone. Donors and fundraisers can be assured this is completely unconnected to the system through which online donations are made. No financial information has been accessed.

We’re conducting a full investigation into what has happened. This will include looking at why our existing security systems did not prevent this sophisticated, malicious attack. The security of the information we hold about you is of the utmost importance to us and we have taken immediate steps to improve our website systems. We can reassure you that we have since upgraded the levels of security on our website systems.

Passwords used to access the forum are encrypted and highly secure so we think it extremely unlikely that even a determined individual would be able to break the encryption. However, as a precaution we would advise you to change your passwords at the earliest opportunity. If you have the same passwords for other websites, you should change them on those services.

We understand this may be concerning news to you and we have set up a dedicated Information Security Freephone to answer enquiries about this matter. People can call this line on 0800 151 2391 or 0330 159 3820 between 9am and 8pm Monday to Friday and 9am and 6pm on Saturday and Sunday.

Calls to 0800 numbers are free from a BT Landline. Calls to 03 numbers cost no more than a national rate call to an 01 or 02 number and must count towards any inclusive minutes in mobile phone calling plans in the same way as 01 and 02 calls.

Alternatively, people can email informationsecurity@mssociety.org.uk.

People can also call the Information Commissioner’s Office Helpline on 0303 123 1113. We will also update our website as any more information about this incident becomes available at www.mssociety.org.uk/infosecurity.

Thanks Stewart & Steph (admin)

Not having a go at you personally Stewart or Steph, but to say I’m disappointed is putting it mildly.

There has already been an earlier instance of security being compromised due to human error, when a “bug” enabled some users’ real names (not their screen names) to be visible on their profiles.

And now we have this!

I know I shouldn’t, but I’m sure I’m not alone in using the same password, or simple variations on it, in lots and lots of places. Those of us with MS often have problems with memory and concentration, so we’re probably slightly more likely than others to do this.

I can’t even remember all the places I might have used the same or a closely related password, let alone visit them all to change it.

I suppose I’ve been asking for trouble for a long time, and it was more a question of when, not if, but I really didn’t expect the Society to be the weakest link, of all the many sites I hold an account with.

I’ve got used to the forum being buggy, and lots of minor things not working, and then working again (or not, as the case may be). But user security is in a different league, and it’s a vulnerable group of users too - all of us, or nearly all, being ill.

I assume if we’ve got the email, we’ve been identified as “affected”? Or has it gone out to all registered users, as a precaution?

Tina

1 Like

Hi, I’ve had the email, what I’m wondering is who on earth would want to target the MS society unless it’s unscrupulous health insurance providers or such like or even people going to offer us their “miracle cures”. To be honest I don’t think I can remember what my password is for the ms society as I’m automatically signed in each time. I’ll have to guess what it is and hope to god it’s not the same as my bank and financial ones as then I shall be worried. I hate having to change passwords as I have trouble remembering them and I don’t like writing them down. Will admin let us know if they find out anymore?

1 Like

Hi Fudgey37,

If you’ve forgotten your password, there is a link on the login screen to re-set it, once you have done this you will receive a password reset email from us. If you have trouble finding it check your junk/spam email folder In case it has been sent there.

If you experience any problems changing your password please email webteam@mssociety.org.uk.

If you’re concerned you can speak to our support team on Freephone 0800 151 2391 or 0330 159 3820 or email informationsecurity@mssociety.org.uk

We will update you if and when we find out any more…

Stewart (admin)

Hi Tina,

Thanks for the message, and we’re very sorry for what has happened. We’re deeply shocked and have no idea why the MS Society was targeted. Please rest assured we are conducting a full investigation looking at why our existing security systems did not prevent this sophisticated, malicious attack.

We’ve contacted all registered users of the forum as a precaution. Your password is encrypted and highly secure so we think it’s extremely unlikely that this would have been compromised. However we do advise you to change your password as soon as you can, plus any other sites you may use the same password on.

If you need any help changing your password you can email us at webteam@mssociety.org.uk.

Best wishes,

Stewart

1 Like

I’m not entirely sure it has anything to do with the subject matter of the forum. Crooks know that, in practise, people DO reuse the same password multiple times, because it’s such a faff maintaining different ones for everything.

So they may have targeted literally dozens of sites, regardless of subject matter, looking for passwords to harvest. The weakest fortress falls. If they succeed in stealing, say, email/password combinations, they probably don’t intend to use them only on the compromised site - or at all. They’ll start trying them out on other, potentially more interesting and lucrative sites. The obvious one is popular email providers, because if they can get into your email, they have access to many aspects of your life, which could be used for identity theft, or to work out which other sites you subscribe to - including banking/financial ones, and try those as well. Hence the advice to change your password anywhere you’ve used the same one. :frowning:

I don’t think it’s particular to people with MS. They know people with MS have email accounts and bank accounts, and online shopping accounts, just like everybody else. Get access to one thing, you might be able to access more than one.

I’m not trying to scaremonger here. It’s getting the details that will be the goal, not posting on an MS forum, pretending to be you - which would just be an act of vandalism, and no doubt sow lots of confusion, but wouldn’t give the crooks any real benefit.

Tina

x

What a shame that the link to reset passwords does not work!

I clicked on it on Sunday evening - got a message to say that a new password would be mailed to me - and waited, and waited, and … … you get the picture.

Geoff

Hi Geoff,

Apologies for the frustration. Please drop an an email to webteam@mssociety.org.uk.

They’ll be able to help you out…

Stewart (admin)

I went to “my preferences” on the homepage and it allows you to change the password.

@ Stewart: that address does not work - you have to remove the final dot from the end.

@whammel: the “preferences” route only works if you can remember your old password. I had already changed mine, and then forgotten it.

Geoff

I thought it was a bit obvious, but you never know. Glad you worked it out in the end.

Hi Geoff, my colleague tells me you’re sorted. Apologies for the dot-at-the-end mishap.

Stewart (admin)

1 Like

And, I have to say it: the webteam (once I had solved the dot-at-the-end problem) sorted me out with a new password in just over half an hour.

So I logged on, reset my password to one I can remember, sorted!

Geoff

2 Likes