97,000 Bugzilla email addresses and passwords exposed in another Mozilla leak

Filed Under: Data loss, Featured, Privacy

Around 97,000 early testers of the Bugzilla bug tracking software have been warned that their email addresses and encrypted passwords were exposed for three months.

The accidental exposure is the second disclosed by the Mozilla Foundation this month - on 1 August, the organisation revealed that around 76,000 Mozilla Developer Network email addresses and 4,000 hashed and salted passwords had been left on a public-facing server for 30 days.

The new breach started during a server migration, Mark Cote, assistant project lead for Bugzilla, explained.

One of our developers discovered that, starting on about May 4th, 2014, for a period of around 3 months, during the migration of our testing server for test builds of the Bugzilla software, database dump files containing email addresses and encrypted passwords of roughly 97,000 users of the test build were posted on a publicly accessible server. As soon as we became aware, the database dump files were removed from the server immediately, and we’ve modified the testing process to not require database dumps.

Nobody knows whether the leaked database dumps were picked up by anyone with ill intent, and Mozilla's notice describes the passwords only as "encrypted", without saying how they were hashed or whether a salt was used. Mozilla said it would like to think that developers who use test builds are aware of their insecure nature.

That said, passwords do still get reused. For that reason Mozilla has contacted everyone affected by the leak, urging them to change their passwords if they have used the same ones on other sites or accounts.

So, if you have an account on Bugzilla's test builds, change that password right now, and change it anywhere else you have reused it. And even if you don't, you can still learn from this incident by ensuring that you never use the same password for more than one account.

We suggest using long non-dictionary passwords made up from a combination of upper and lower case letters, numbers and symbols.

If you have a tough time remembering all your complex passwords you may want to consider using a password manager such as LastPass or KeePass.

Meanwhile Mozilla, which is no stranger to leaking passwords, said it is "deeply sorry for any inconvenience or concern this incident may cause" and is undertaking a review of its data practices in the hope that it will minimise the likelihood of such incidents happening again in the future.


One Response to 97,000 Bugzilla email addresses and passwords exposed in another Mozilla leak

  1. Frédéric Buclin · 56 days ago

    Since Bugzilla 3.4, released in 2009, Bugzilla uses SHA-256 + salt to encrypt passwords. The plan for a future release is to move to bcrypt + HMAC-SHA-256, see https://bugzilla.mozilla.org/show_bug.cgi?id=672129
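The question the article raises (were the dumped passwords hashed and salted?) and the comment's answer (salted SHA-256 since 3.4, bcrypt planned) are easiest to reason about from the attacker's side. The Python below is an added example for this page; it is not Bugzilla's code and does not reproduce its storage format. It builds a constructed three-row "dump", runs a dictionary attack against it under unsalted SHA-256, salted SHA-256 and a slow KDF, and counts the hash evaluations the attacker has to pay for. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt; the e-mail addresses, passwords, wordlist, salt length and round count are all assumptions.

```python
import hashlib
import os
import time

# --- Two password-storage schemes -------------------------------------------
# Salted SHA-256, the scheme the comment above says Bugzilla adopted in 3.4.
# Salt length, encoding and concatenation order are assumptions made for this
# example, not Bugzilla's real on-disk format.
def salted_sha256(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

# A deliberately slow key-derivation function standing in for bcrypt, which the
# comment names as the planned replacement. The standard library has no bcrypt,
# so PBKDF2-HMAC-SHA256 is used; the property it shows is the same: a tunable
# cost per guess that the attacker pays again for every row of the dump.
PBKDF2_ROUNDS = 50_000   # assumed work factor for this example

def slow_kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

# --- A constructed "database dump" ------------------------------------------
# Three made-up accounts: two with passwords that appear in a toy wordlist, one
# with a random passphrase. Nothing here is data from the real leak.
SAMPLE_USERS = {
    "alice@example.test": "password1",
    "bob@example.test": "letmein",
    "carol@example.test": "j7$Kq!vA2pLm9xZ#",
}
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein", "bugzilla"]

def make_dump(users, hash_fn, salted=True):
    """Rows shaped like a leaked user table: (email, salt, digest)."""
    rows = []
    for email, password in users.items():
        salt = os.urandom(16) if salted else b""
        rows.append((email, salt, hash_fn(password, salt)))
    return rows

# --- What an attacker does with the dump ------------------------------------
def crack(dump, wordlist, hash_fn):
    """Dictionary attack against per-user salts: each guess must be hashed
    once per row, so cost scales with rows x words x cost-per-hash. Returns
    the recovered passwords and the number of hash evaluations paid for."""
    recovered, evaluations = {}, 0
    for email, salt, digest in dump:
        for guess in wordlist:
            evaluations += 1
            if hash_fn(guess, salt) == digest:
                recovered[email] = guess
                break
    return recovered, evaluations

def crack_unsalted(dump, wordlist, hash_fn):
    """The same attack when no salt was used: hash each word once, then look
    every row up in that table. Cost no longer grows with the number of rows."""
    table = {hash_fn(word, b""): word for word in wordlist}
    recovered = {email: table[digest] for email, _, digest in dump if digest in table}
    return recovered, len(wordlist)

def seconds_per_guess(hash_fn, samples=20):
    """Rough per-evaluation cost of a scheme on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / samples

if __name__ == "__main__":
    found, evals = crack_unsalted(make_dump(SAMPLE_USERS, salted_sha256, salted=False),
                                  WORDLIST, salted_sha256)
    print(f"unsalted SHA-256: {found} after {evals} evaluations")
    for name, fn in (("salted SHA-256", salted_sha256), ("PBKDF2 (bcrypt stand-in)", slow_kdf)):
        dump = make_dump(SAMPLE_USERS, fn)
        found, evals = crack(dump, WORDLIST, fn)
        cost = seconds_per_guess(fn)
        print(f"{name}: {found} after {evals} evaluations, ~{cost * 1e6:.0f} us per guess; "
              f"a 10M-word list against these {len(dump)} rows would take "
              f"~{cost * 1e7 * len(dump):.0f} s")
```

Under all three schemes the two dictionary passwords fall and the random one survives; what changes is the bill. A salt removes the shared lookup table, so the attacker hashes every guess once per leaked account, and a slow KDF multiplies the cost of each of those evaluations. Neither protects a password that is also in use elsewhere once it has been recovered, which is why the advice in the article is to change a reused password everywhere, not just on the leaked service.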


About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.