Mozilla accidentally publishes user IDs and password hashes

The tshirt Jacob Appelbaum was wearing during his MD5 talk at 25c3

The tshirt Jacob Appelbaum was wearing during his MD5 talk at 25c3Note: I have made some edits for accuracy based upon input from my colleagues and commenters.

First the bad new. On Monday, Mozilla, the developer of popular open source applications like Firefox and Thunderbird, announced that a database containing usernames and password hashes belonging to users of had been posted publicly by accident. If you registered for an account on and you are one of the 44,000 users who might have been affected by this accidental disclosure, you already should have received an email notification from the Mozilla security team.

Is this simply another story of data leakage in a sea of lost usernames and passwords? Not exactly. Mozilla stored passwords set before April 9th, 2009 as MD5 hashes. While MD5 can be used to securely store passwords, it is unclear how MD5 was utilized the Mozilla infrastracture. Fortunately, Mozilla did not store passwords in plain text.

The good news? Mozilla audited their logs and determined that the only person outside of Mozilla who accessed the content was the person who disclosed the accidental publication to them through their web bounty program. Mozilla has deleted the passwords of all 44,000 accounts that were stored in MD5 format from the addons site regardless of whether they were exposed or not.

Newly created passwords will not be as vulnerable to a similar disclosure. Since April 9, 2009, Mozilla has used SHA-512 with per-user salts to store password hashes. This hashing algorithm provides a significant improvement in security for account holders.

If you were one of the unlucky recipients of one of these emails, make sure you were not using the same password at Mozilla as you are at other sites. While Mozilla is quite confident no one other than the person who reported the incident had access to the file, if they are wrong or the discloser is not trustworthy, your other accounts may be at risk. Remember, unique passwords are a requirement, not a luxury.

I commend Mozilla for their response to this incident, but it does leave a few issues we need to consider. How did they accidentally publish files containing usernames and password hashes? I asked the security team and was referred to the blog post explaining their response.

Mozilla made the right decision in 2009 to begin using a more secure system (SHA-512 with per-user salts) moving forward, but in hindsight might have prompted all of their users to migrate to the more secure hash before this incident.

This is interesting, and probably even important, but it still doesn’t excuse or explain how the account details were compromised in the first place. Account databases, even those containing strongly salted and hashed passwords, aren’t supposed to be world readable.

Oh, and if you do receive an email warning you that your password might have been compromised, whether from Mozilla or anyone else, don’t click on any links in the email to go and update your password. That’s a scammer’s trick. Always remember to make your own way to the relevant password-change page.

Creative Commons image of Jacob Appelbaum’s (<– It's safe to bypass this warning, promise!) t-shirt from 25C3 courtesy of Security4All’s Flickr photostream.