Mozilla coughs to developer database leak
August 4, 2014 // 11:08 a.m.
Companies: #mozilla #mozilla-foundation
The Mozilla Foundation has apologised for a security foul-up that has seen the email addresses of around 76,000 of its registered developers and around 4,000 passwords published on a publicly-accessible website.
The Mozilla Developer Network, as its name suggests, is the group to which developers wanting to hack on the Foundation's various projects - the Firefox web browser being the most famous - belong. Their email addresses and passwords are stored by Mozilla, but data relating to them sanitised from publicly-accessible database outputs - at least, that's the theory.
'The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitisation process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server,' explained Mozilla's director of developer relations Stormy Peters in a blog post admitting to the flaw. 'As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.'
The email addresses leaked by the database dumping were visible in plain-text, but Peters has confirmed that all passwords were stored in a salted hash format, which should make them harder for ne'er-do-wells to abuse. 'It is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems,' admitted Peters. 'For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.'
Peters has confirmed that as well as patching the original flaw and removing the data from public view, Mozilla's security team is looking at ways of preventing similar issues from occurring again in the future.
The Mozilla Developer Network, as its name suggests, is the group to which developers wanting to hack on the Foundation's various projects - the Firefox web browser being the most famous - belong. Their email addresses and passwords are stored by Mozilla, but data relating to them sanitised from publicly-accessible database outputs - at least, that's the theory.
'The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitisation process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server,' explained Mozilla's director of developer relations Stormy Peters in a blog post admitting to the flaw. 'As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.'
The email addresses leaked by the database dumping were visible in plain-text, but Peters has confirmed that all passwords were stored in a salted hash format, which should make them harder for ne'er-do-wells to abuse. 'It is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems,' admitted Peters. 'For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.'
Peters has confirmed that as well as patching the original flaw and removing the data from public view, Mozilla's security team is looking at ways of preventing similar issues from occurring again in the future.
RELATED ARTICLES
Pivots the platform to IoT projects.
'Give back' and 'give forward' plans.
All fixed now, thankfully.
2.4 million customers affected.
Users 'having their choices ignored.'
Alleged attacker demands payment.
Flaw leads to validation bypass bug.
Brand-new films hit the torrents.
GOP claims full control.
Privacy-boosting guides aplenty.
Claims only a fraction are valid.
Hands off, says Eran Tromer.
Launches on Chrome next week.
Bumps secure sites up its rankings.
Monitoring subscriptions raise eyebrows.
Scans for images, reports to police.
A former Microsoft employee responsible for leaking WIndows 8 builds to a blogger has been sentenced to three months in prison.
Change your passwords now.
£16.25 fee may breach Mozilla's licence.
Adobe breach leads to new rankings.
Glitch in routine upgrade, company claims.
Nvidia has admitted that attackers have made off with 400,000 account credentials for its official forums.
WEEK IN REVIEW
TOP STORIES
SUGGESTED FOR YOU
Site Links
© Copyright bit-tech
Want to comment? Log in.
QUICK COMMENT