Mozilla database leaks 76,000 email addresses, 4,000 passwords

Filed Under: Data loss, Featured, Security threats

Email addresses and encrypted passwords of thousands of Mozilla developers were accidentally exposed for a month - and there are no guarantees that they were not snaffled up by those with ill intent.

Mozilla's Director of Developer Relations Stormy Peters and Operations Security Manager Joe Stevenson revealed that around 76,000 Mozilla Development Network (MDN) email addresses were leaked in addition to 4,000 hashed and salted passwords:

The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server.

As soon as Mozilla became aware of the issue it removed the database dump file from the server but, whilst the Foundation is not aware of any malicious activity on the server, it did point out that it cannot guarantee who has accessed the data:

We traced back as much as we could. Access logs, netflow data, etc... We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can't rule out that someone with malicious intentions got access to it.
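The failure mode here was a sanitization step that stopped working without anyone noticing, so the unsanitized dump went out for 30 days. One defensive check that follows from that (an added example, not Mozilla's code; the column names and rows are constructed stand-ins, not MDN's real schema) is to audit the sanitizer's output before the dump is copied anywhere public, and refuse to publish if any real email address or password hash survives:

```python
import re

# Constructed sample rows standing in for a users table in a DB dump.
# Column names are an assumption, not the real MDN schema.
RAW_ROWS = [
    {"id": 1, "email": "alice@example.org", "password": "sha256$salt1$9f86d081884c7d"},
    {"id": 2, "email": "bob@example.net", "password": ""},
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PLACEHOLDER_DOMAIN = "example.invalid"  # reserved TLD, never deliverable


def sanitize(rows):
    """Replace every email with a placeholder and blank out password hashes."""
    out = []
    for r in rows:
        clean = dict(r)
        clean["email"] = f"user{r['id']}@{PLACEHOLDER_DOMAIN}"
        clean["password"] = ""
        out.append(clean)
    return out


def audit(rows):
    """Return a list of findings for rows that still carry sensitive data.

    This runs on the sanitizer's *output*, so a sanitizer that silently
    returns the raw table (the failure described in the post) is caught
    before the dump is published rather than a month later.
    """
    findings = []
    for r in rows:
        email = r.get("email", "")
        if EMAIL_RE.match(email) and not email.endswith("@" + PLACEHOLDER_DOMAIN):
            findings.append(f"row {r['id']}: real email address present")
        if r.get("password"):
            findings.append(f"row {r['id']}: password hash present")
    return findings


def safe_to_publish(rows):
    """Gate: publish only when the audit finds nothing."""
    return not audit(rows)
```

Running the audit on the raw table (equivalent to a sanitizer that has stopped working) blocks publication; running it on `sanitize(RAW_ROWS)` passes.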

Following the recent news that Australian shopping site CatchOfTheDay took three years to reveal a security snafu, and Irish bookmaker Paddy Power took over four years to reveal a data breach, it is refreshing to see a prompt reveal and apology from Mozilla.

As the encrypted passwords were salted hashes – step 4 in our recent 5-step plan for securely storing your users' passwords – and have already been changed on the MDN website, the risk to Mozilla developer accounts has already passed.

However, as the security team at Mozilla wrote:

Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We've sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.

So, as we always say after a security incident in which passwords have actually or potentially been leaked, the real danger lies with those users who have reused their passwords across one or more additional online accounts.

As Mozilla says, if you have reused your credentials then now is the time to change your login details elsewhere on the web. We would suggest using lengthy non-dictionary passwords made up of a combination of upper and lower case letters, numbers and symbols.

If you have a large number of accounts online, then remembering those complex passwords will be tough and you may want to consider a password manager such as LastPass or KeePass.

For its part, Mozilla is now reviewing its processes and principles to see if it can make improvements that would lessen the risk of such an incident being repeated, which is probably just as well, as this isn't the first time that it has accidentally let passwords slip out.

Further information

Learn more about server-side safe password storage in our Serious Security article How to store your users' passwords safely.


6 Responses to Mozilla database leaks 76,000 email addresses, 4,000 passwords

  1. Straightgrain · 78 days ago

    Naturally, Mozilla is going to notify every user who was affected...er, right?

    If they don't, they will have screamed that they don't care about security or their users.

    • maggotification · 78 days ago

      According to their statement, they already have. Also, this isn't all users, only Mozilla Developers are affected.

      • 4caster · 78 days ago

        So are there 76,000 Mozilla Developers?

        • Steve · 78 days ago

          That's not hard to believe; just think of all the add-ons/extensions out there, with all the possible Mozilla products and operating systems.

        • maggotification · 77 days ago

          As Steve said, it wouldn't be surprising. Remember that Mozilla (not just Firefox here) have open source projects, and anyone can register as a developer.

      • I can confirm that yes, they've already notified affected developers. I got an e-mail from them on Friday. :(


About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.