Information about how we have responded to a vulnerability on our website forum.
Our discussion forums run on third-party software called phpBB. A vulnerability was discovered in this software that could have allowed an attacker to exploit the forum and retrieve part of its configuration. This could have included a hashed copy of the password details we hold for customer website accounts.
Passwords are protected with the MD5 hash function. MD5 is a hash, not encryption, and it is not infallible: MD5 is very fast to compute, so someone holding the stored hashes can test candidate passwords offline at high speed. Where a customer has a relatively weak password, it could therefore be possible to 'guess' the correct password for that username by brute force or from a dictionary of common passwords.
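The paragraph above describes the actual risk: a leaked table of fast, unsalted hashes lets an attacker guess weak passwords offline. The following added example (written for this page; it is not Metronet's or phpBB's code, and the usernames, passwords and wordlist are constructed) shows why. It runs a small dictionary attack against unsalted MD5 hashes, where one hash per candidate word tests every account at once, and then repeats it against a salted, iterated hash (PBKDF2-HMAC-SHA256) for comparison. The function names and the `iterations$salt$hash` storage format are this example's own choices, not phpBB's.

```python
import hashlib
import hmac
import os

# Constructed sample of what an attacker would hold after retrieving the
# forum's user table: made-up usernames, with passwords hashed by plain
# MD5 and no per-user salt (hash = md5(password)).
LEAKED_ROWS = {
    "alice": hashlib.md5(b"password1").hexdigest(),
    "bob": hashlib.md5(b"metronet").hexdigest(),
    "carol": hashlib.md5(b"Tq7!vR#9zL0pW@2e").hexdigest(),  # long, random
}

# Tiny constructed wordlist; real attacks use lists of many millions.
WORDLIST = ["123456", "password", "letmein", "password1", "metronet", "qwerty"]


def crack_unsalted_md5(rows, wordlist):
    """Offline guessing against unsalted MD5.

    Every account uses the same function with no salt, so one hash per
    candidate word is enough to test all accounts: build a reverse table
    (hash -> word) and look each stored hash up in it.
    Returns (cracked accounts, number of hash evaluations performed).
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    found = {user: table[h] for user, h in rows.items() if h in table}
    return found, len(wordlist)


def hash_password_salted(password, salt=None, iterations=100_000):
    """Salted, iterated hash for comparison (PBKDF2-HMAC-SHA256).

    A random per-user salt defeats the shared reverse table above, and the
    iteration count makes every single guess far more expensive than MD5.
    Stored as 'iterations$salt_hex$hash_hex' so the parameters travel with it.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute the salted hash and compare in constant time."""
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(rows, wordlist):
    """Same wordlist against salted hashes.

    No shared table is possible, so the attacker pays one full PBKDF2 run
    per (account, word) pair. Weak passwords still fall; strong ones do not,
    and every guess costs far more than an MD5.
    Returns (cracked accounts, number of hash evaluations performed).
    """
    found, work = {}, 0
    for user, stored in rows.items():
        for w in wordlist:
            work += 1
            if verify_salted(w, stored):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    cracked, work = crack_unsalted_md5(LEAKED_ROWS, WORDLIST)
    print(f"unsalted MD5: cracked {cracked} with {work} hash evaluations")
    salted_rows = {u: hash_password_salted(p) for u, p in
                   [("alice", "password1"), ("carol", "Tq7!vR#9zL0pW@2e")]}
    cracked, work = crack_salted(salted_rows, WORDLIST)
    print(f"salted PBKDF2: cracked {cracked} with {work} hash evaluations")
```

The lesson for the advice below is in the results: the weak passwords are recovered either way, so a password that is not in any wordlist is the user's own defence, while salting and a slow hash are the site's defence against the whole table falling at once.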
For customers who use our forums, this page explains what actions to take to ensure that security risks are minimised. Although we have no evidence that a malicious attack has occurred, we can confirm that one of our customers demonstrated this vulnerability and subsequently raised the alarm with us. We would like to publicly thank that individual, and we have had assurances that any data obtained has now been destroyed.
We believe that there is a moderate risk to the security of your password until it is changed. While we are confident that details such as your billing information could not have been exposed, it is possible that a malicious attacker could have made use of this exploit in order to access your Member Centre area and other account services. We should re-iterate that we have no evidence that this has occurred, and should that situation change we will write to you again.
Changing your forum password
We strongly recommend that passwords are periodically changed. This can be done by going to our member centre at http://portal.metronet.co.uk and doing the following:
- Choose My Account from the left hand menu.
- Choose 'Change Password' for any of your child accounts.
- Enter your current and new password in the form and press Submit.
- The password change will be immediate for our portal website, but will take between 15 and 30 minutes to take effect on some services such as email.
- You will need to change the password in your router or modem settings.
- You also need to change your password in your email client and anywhere else where this is used (FTP software etc).
- The password change does not affect passwords for any individual mailboxes you have set up.
What actions have we now taken?
Within four hours of becoming aware of the issue we applied a security patch which resolved the vulnerability. We have also now upgraded our phpBB forum software to reduce the likelihood of any future attacks. Additionally, as we already announced, we are planning to move away from the use of phpBB as part of our new community Support Site. Part of this work will involve allowing people to use authentication details which are not the same as their Metronet username. Part of the reason for that is to mitigate the risk we are exposed to through the use of third party software like phpBB on our website.
How safe is your personal data?
We take customers' data security extremely seriously, and any remedy required is dealt with as a matter of the utmost priority. We carry out regular intrusion testing designed to expose potential issues.
Since we take any incident of this nature extremely seriously, we have informed the Information Commissioner's Office and we will work with them as well as following our own standard procedures for dealing with a matter like this.
However, this type of issue is not uncommon online, and no system can ever be 100% secure. It is always good practice to change your password on a regular basis. See the advice in our security support section for more information about how you can improve your online security.
Forum Security FAQ
- What does this breach mean?
- What risks does this pose to me?
- Do I have to inform my bank?
- Have I been compromised?
- Was the vulnerability fixed as soon as possible?
- What compensation are you offering?
- I notice irregularities with my account. What are you doing to resolve this and recompense me?
- If someone has my details what can they do with them?
- I have private emails, could someone have accessed them?
- How did this happen?
- I don't access the forums, does this affect me?
- Does this breach or nullify my contract with you?
- Has the DPA been informed?
- How do I contact you with an enquiry about this?
1. What does this breach mean?
This should be nothing for you to worry about. We identified a security flaw in our forum software, which we have since fixed.
2. What risks does this pose to me?
Again, this should not be a direct concern, but changing your password on a regular basis is good practice.
3. Do I have to inform my bank?
No, there will be no need to do this.
4. Have I been compromised?
We have no evidence to suggest that any customer account has been compromised. Following hours of intensive investigation, we have identified only two compromised accounts, both of which belonged to members of staff.
5. Was the vulnerability fixed as soon as possible?
We always run various security tests on our software. Once this flaw became apparent we acted as quickly as possible to ensure that this weakness in our software was removed.
6. What compensation are you offering?
Because there have been no accounts compromised other than the two mentioned earlier, there will be no compensation.
7. I notice irregularities with my account. What are you doing to resolve this and recompense me?
Please raise a ticket if you believe there have been irregularities with your account, although we do not expect this to be the case.
8. If someone has my details what can they do with them?
If someone did have access to your details, they could potentially downgrade your account type or make a forum post using your username. The risk is low, and it is removed once you change your account password.
9. I have private emails, could someone have accessed them?
Whilst this is extremely unlikely, we have been tracking usage across a large number of accounts since the security flaw became known, and we have seen nothing untoward.
10. How did this happen?
Please refer to the email that we have sent you for a comprehensive breakdown of the security flaw and the actions that we have taken.
11. I don't access the forums, does this affect me?
No, this will not affect you at all, but changing your password periodically is always a good practice to get into.
12. Does this breach or nullify my contract with you?
No, this is not a breach of contract.
13. Has the DPA been informed?
Yes, we have informed the Information Commissioner and we are awaiting further comment from them.
14. How do I contact you with an enquiry about this?
Please feel free to contact us in our discussion forums after you have changed your password.