Spam private message incident update

Hi all, 

We want to update you on the incident earlier this week where many of you received private messages from spam accounts on this Forum. 

At around 11pm on 19 May, 30 spam accounts were created and sent private ‘phishing’ messages to many users of our Forum. They were able to get around the anti-spam measures we have in place. These messages were sent between midnight and 7am on 20 May, outside of our working hours. After we received multiple reports of these messages early in the morning of 20 May, we immediately identified the spam users who had sent the messages and ensured their accounts were blocked. We followed our internal breach procedure involving and informing key staff including our Data Protection Officer, as we managed the incident.  

As we said in our previous update (20/05/21), we have banned all of these spam users and blocked the email domains they used to create the accounts to prevent further similar accounts being set up. 

Because Forum messages between two users are (by design) private, at present we do not have a way to find out which of you received the spam messages, and so we cannot contact you directly about this. 

We want to reassure you that the spam accounts did not have access to your email address*, and we do not believe that any information which could identify an individual Forum user was affected. 

* When you receive a private message, the Forum automatically sends you an email to let you know there’s a message waiting in your Forum inbox. The spam users were not able to directly email you. 

We are working with Khoros, the third party company who provide the Forum software, to understand more about this incident and establish how it happened and what more can be done to stop similar incidents. We are confident there was no access to the system but are continuing our investigation to be completely certain of this. 

We have activated a new rule which means that Forum users can only send private messages after they have posted on the Forum at least twice. This will prevent spam accounts from immediately sending private messages after creating accounts. We have also introduced rules meaning that private messages cannot be sent more than twice in a minute, to further avoid a repeat of this. 

For your peace of mind, while we have no reason to believe your password was compromised, we recommend you change your password to a new, secure password. 

And please be vigilant for any similar messages, notifying us immediately if you receive one. 

You can call our Supporter Care team on 0333 20 70 300 if you’d like to discuss this further.

Thank you all for your understanding and support as we work through this, reassure users and do everything we can to ensure the safety and security of this Forum.   

Best wishes from all of us at Breast Cancer Now 

Dan 

Head of Digital Engagement
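An added illustration of the two controls described in the update above (a user may send private messages only after posting at least twice, and no more than twice in a minute). This is example code written for this page, not the Forum's own code or anything from Khoros. The class and function names, the in-memory state, and the use of a sliding 60-second window are assumptions made for the example; the thresholds are taken from the update.

```python
from collections import deque, defaultdict

# Thresholds as stated in the update; the sliding-window interpretation is an assumption.
MIN_POSTS_BEFORE_PM = 2      # must have posted on the Forum at least twice
MAX_PMS_PER_WINDOW = 2       # no more than two private messages ...
WINDOW_SECONDS = 60.0        # ... within any 60-second window


class PrivateMessageGate:
    """Decides whether a user may send a private message right now.

    Hypothetical in-memory implementation for illustration. A real forum would
    keep this state in its database or cache so it survives restarts and is
    shared across web nodes, and would enforce both rules server-side.
    """

    def __init__(self, min_posts=MIN_POSTS_BEFORE_PM,
                 max_pms=MAX_PMS_PER_WINDOW, window=WINDOW_SECONDS):
        self.min_posts = min_posts
        self.max_pms = max_pms
        self.window = window
        self.post_counts = defaultdict(int)    # user -> number of public posts
        self.recent_pms = defaultdict(deque)   # user -> send timestamps inside the window

    def record_post(self, user):
        """Called when the user makes a public post on the Forum."""
        self.post_counts[user] += 1

    def _prune(self, user, now):
        """Drop send timestamps that have aged out of the window."""
        q = self.recent_pms[user]
        while q and now - q[0] >= self.window:
            q.popleft()

    def check(self, user, now):
        """Return (allowed, reason) without recording a send."""
        if self.post_counts[user] < self.min_posts:
            return False, "insufficient_posts"
        self._prune(user, now)
        if len(self.recent_pms[user]) >= self.max_pms:
            return False, "rate_limited"
        return True, "ok"

    def try_send(self, user, now):
        """Apply both rules and, if the send is allowed, record it."""
        allowed, reason = self.check(user, now)
        if allowed:
            self.recent_pms[user].append(now)
        return allowed, reason


def simulate_spam_account():
    """Walk a freshly created account through the gate (constructed scenario).

    Returns the list of (allowed, reason) results in order.
    """
    gate = PrivateMessageGate()
    results = []
    # 1. brand-new account tries to message immediately: blocked by the post rule
    results.append(gate.try_send("spam_account", now=0.0))
    # 2. one public post is still not enough
    gate.record_post("spam_account")
    results.append(gate.try_send("spam_account", now=1.0))
    # 3. second post satisfies the rule; the first two messages go through
    gate.record_post("spam_account")
    results.append(gate.try_send("spam_account", now=2.0))
    results.append(gate.try_send("spam_account", now=3.0))
    # 4. a third message inside the same minute is rate limited
    results.append(gate.try_send("spam_account", now=4.0))
    # 5. once the first send has aged out of the 60 s window, one slot frees up
    results.append(gate.try_send("spam_account", now=62.5))
    return results


if __name__ == "__main__":
    for step, (allowed, reason) in enumerate(simulate_spam_account(), 1):
        print(f"step {step}: {'allowed' if allowed else 'blocked'} ({reason})")
```

A sliding window, as used here, is stricter than a counter that resets at each clock minute, which would let a sender burst two messages at the end of one minute and two more at the start of the next. Note that a two-per-minute cap still allows a single account to reach over a hundred recipients in an hour, so it complements, rather than replaces, the posting requirement and the blocking of the email domains used to register the spam accounts.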