
Mozilla Fesses up to Accidental Data Breach


Firefox maker Mozilla has admitted it accidentally exposed the email addresses of almost 80,000 members of its Developer Network, along with thousands of encrypted passwords.

A Mozilla developer discovered the incident around two weeks ago, according to a new blog post by operations security manager Joe Stevensen and developer relations director Stormy Peters.
 
“Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server,” they explained.
 
“As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.”
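The failure described above is a sanitization job that kept running while silently doing nothing, with the resulting dump still being copied to a public location. The practitioner's defence is to make publication fail closed: verify the artefact that will actually be published, independently of the sanitizer, and refuse to publish when anything that looks like the protected data survives. The following is an added example written for this article, not Mozilla's code or the MDN process; the schema, the sample rows, the column map and the Django-style hash format are all assumptions, and the "broken" sanitizer models a stale column map whose errors are logged rather than raised.

```python
"""Fail-closed publication of a sanitised database dump (illustrative, not MDN's process).

The sanitiser and the verifier are deliberately independent: the verifier scans
the final dump text for the data that must never leave, so a sanitiser that
silently fails (schema drift, swallowed error, no-op) cannot cause an
unredacted dump to be published.
"""
import re
import sqlite3

# Constructed sample rows (not real accounts). Hashes are placeholders in
# Django-style "pbkdf2_sha256$iterations$salt$digest" form (assumed format).
SAMPLE_USERS = [
    (1, "alice@example.org", "pbkdf2_sha256$600000$c2FsdDE$ZGlnZXN0MQ", "alice"),
    (2, "bob@example.net", "pbkdf2_sha256$600000$c2FsdDI$ZGlnZXN0Mg", "bob"),
    (3, "carol@example.com", None, "carol"),  # account without a local password
]

# Columns the sanitiser must scrub, keyed by table (assumed schema).
SENSITIVE_COLUMNS = {"users": ("email", "password_hash")}

# Patterns the verifier treats as evidence that sanitisation did not happen.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
HASH_RE = re.compile(r"pbkdf2_sha256\$\d+\$|\$2[aby]\$\d{2}\$|\$argon2id?\$")


def build_sample_db():
    """In-memory stand-in for the production database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, "
        "password_hash TEXT, username TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def sanitize(conn):
    """Working sanitiser: overwrite every sensitive column in place."""
    for table, cols in SENSITIVE_COLUMNS.items():
        for col in cols:
            conn.execute(f"UPDATE {table} SET {col} = ?", (f"<redacted {col}>",))
    conn.commit()


def broken_sanitize(conn):
    """Models the failure mode: the column map has drifted from the live schema
    and the error is logged instead of raised, so the job 'succeeds' while
    scrubbing nothing."""
    stale_columns = {"users": ("mail", "passwd")}  # these columns no longer exist
    for table, cols in stale_columns.items():
        for col in cols:
            try:
                conn.execute(f"UPDATE {table} SET {col} = ?", (f"<redacted {col}>",))
            except sqlite3.OperationalError as exc:
                print(f"warning: sanitise {table}.{col} failed: {exc}")
    conn.commit()


def dump_sql(conn):
    """The artefact that would be copied to the public server."""
    return "\n".join(conn.iterdump())


def verify_sanitized(dump_text):
    """Independent check on the dump itself, not on the sanitiser's own status.
    Returns a list of findings; an empty list means the dump may be published."""
    findings = []
    if EMAIL_RE.search(dump_text):
        findings.append("email address present")
    if HASH_RE.search(dump_text):
        findings.append("password hash present")
    return findings


def run_pipeline(sanitizer):
    """Sanitise a fresh copy of the data, then publish only if verification passes.
    Returns ("published", dump_text) or ("refused", findings)."""
    conn = build_sample_db()
    sanitizer(conn)
    dump = dump_sql(conn)
    findings = verify_sanitized(dump)
    if findings:
        # Fail closed: nothing is written to the public location.
        return ("refused", findings)
    return ("published", dump)


if __name__ == "__main__":
    print(run_pipeline(sanitize)[0])        # published
    print(run_pipeline(broken_sanitize))    # ('refused', [...])
```

The point of the design is that `verify_sanitized` never consults `SENSITIVE_COLUMNS`: it looks for the shape of the data itself, so a sanitizer whose column map has gone stale is caught at the last step rather than 30 days later. In a real deployment the refusal should also page someone, since a refused dump means the sanitizer has already failed in production.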
 
The "encrypted" passwords were in fact salted hashes, which Mozilla said cannot be used on their own to log in to the site even if attackers obtained them. Salted hashes are still exposed to offline guessing, however, which is why the advice that followed focused on password reuse.
 
MDN users who reuse their passwords on other sites were warned to change those credentials immediately.
 
"We’ve sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using,” Peters and Stevensen added.
 
This isn’t the first time Mozilla has accidentally exposed user data.
 
Back in 2010 a third party warned Mozilla that it had posted sensitive information about users of its addons.mozilla.org site to a public web server.
 
That database reportedly contained email addresses, first and last names, and MD5 password hashes for 44,000 inactive accounts; MD5 is a fast hash and offers little resistance to offline cracking once a dump is in attackers' hands.
