Email addresses and encrypted passwords of thousands of Mozilla developers were accidentally exposed for a month – and there are no guarantees that they were not snaffled up by those with ill intent.
Mozilla’s Director of Developer Relations Stormy Peters and Operations Security Manager Joe Stevenson revealed that around 76,000 Mozilla Development Network (MDN) email addresses were leaked in addition to 4,000 hashed and salted passwords:
The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server.
As soon as Mozilla became aware of the issue it removed the database dump file from the server but, whilst the Foundation is not aware of any malicious activity on the server, it did point out that it cannot guarantee who has accessed the data:
We traced back as much as we could. Access logs, netflow data, etc... We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can't rule out that someone with malicious intentions got access to it.
Following the recent news that Australian shopping site CatchOfTheDay took three years to reveal a security snafu, and Irish bookmaker Paddy Power took over four years to reveal a data breach, it is refreshing to see a prompt reveal and apology from Mozilla.
As the encrypted passwords were salted hashes – step 4 in our recent 5 step plan to securely storing your users’ passwords – and have already been changed on the MDN website, the risk to Mozilla developer accounts has already passed.
However, as the security team at Mozilla wrote:
Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We've sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.
So, as we always say after a security incident in which passwords have actually or potentially been leaked, the real danger lies with those users who have reused their passwords across one or more additional online accounts.
As Mozilla says, if you have reused your credentials then, now is the time to change your login details elsewhere on the web. We would suggest using lengthy non-dictionary passwords made up of a combination of upper and lower case letters, numbers and symbols.
If you have a large number of accounts online, then remembering those complex passwords will be tough and you may want to consider a password manager such as LastPass or KeePass.
For its part, Mozilla is now reviewing its processes and principles to see if it can make improvements that would lessen the risk of such an incident being repeated in the future, which is probably just as well as this isn’t the first time that it has accidentally let passwords slip out.
Learn more about server-side safe password storage in our Serious Security article How to store your users’ passwords safely.