Bad news for tens of thousands of Mozilla developers: their email addresses and encrypted passwords were accidentally exposed. The news was reported in a blog post published on the official Mozilla Security Blog; the risk is that this sensitive information may have been harvested by bad actors who intend to reuse it in targeted attacks.
“We have just concluded an investigation into a disclosure affecting members of Mozilla Developer Network. We began investigating the incident as soon as we learned of the disclosure. The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server. As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access,” wrote Stormy Peters, director of developer relations, and Joe Stevensen, operations security manager at Mozilla.
As explained by the Mozilla team, the hashed passwords were salted with a unique salt for each user record. Even so, MDN users who reused their MDN password on other non-Mozilla websites or authentication systems are exposed to serious risk; for this reason the company immediately notified the affected users of the exposure by email and is urging them to change the passwords on their other online accounts.
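To make the salting claim concrete, here is an added example (not MDN's own code) of per-user salted password hashing with a slow key-derivation function. PBKDF2-HMAC-SHA256, the iteration count and the `algo$iterations$salt$digest` storage format are assumptions chosen for illustration. It shows why two users with the same password end up with different stored records, and it makes the page's caveat visible: a unique salt only defeats precomputed tables, so a password reused on another site remains at risk if the record is ever exposed.

```python
"""Per-user salted password hashing (added example, not MDN's code)."""
import base64
import hashlib
import hmac
import secrets

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumed work factor; tune to the hardware's latency budget


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algo$iterations$salt$digest.

    A fresh 16-byte random salt is drawn per call, so two users with the same
    password (or one user re-hashing) never share a digest.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGO,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def salts_are_unique(records) -> bool:
    """Audit helper: True when no two stored records share a salt."""
    salts = [r.split("$")[2] for r in records]
    return len(salts) == len(set(salts))


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to use the same password.
    table = {name: hash_password("correct horse battery staple") for name in ("alice", "bob")}
    for name, rec in table.items():
        print(name, rec)
    print("unique salts:", salts_are_unique(table.values()))
    print("alice login ok:", verify_password("correct horse battery staple", table["alice"]))
```

The `salts_are_unique` helper is the kind of one-line audit worth running over a user table before it leaves production: a shared or constant salt across records is exactly the property that turns an exposed dump into a single cracking job.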
“A process failed, and the DB dump that is published to help contributors improve the MDN site got out unsanitized. The sanitization/publication process will be redesigned to include stricter controls. For now, it is shut down,” explained Julien Vehent, a member of the Mozilla Operations Security team.
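The failure Vehent describes is a sanitization step that stopped working while the publication step carried on, so the unsanitized dump went out. The following added example (not Mozilla's code; the CSV schema, column names, e-mail pseudonym format and `publish` callback are assumptions) shows the fail-closed design such a pipeline needs: the sanitizer's output is verified by an independent check before anything is released, and both a crashing sanitizer and a silently no-op one are blocked.

```python
"""Fail-closed sanitization gate for a public database dump (added example)."""
import csv
import hashlib
import io
import re

# Assumed schema: columns that must never appear in a public dump ...
SECRET_COLUMNS = {"password_hash", "salt"}
# ... and columns holding personal data that are replaced by pseudonyms.
PII_COLUMNS = {"email"}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[a-zA-Z]{2,}")
HEX_HASH_RE = re.compile(r"\b[0-9a-f]{40,}\b")  # catches hex digests of SHA-1 size and up

# Constructed sample dump; hashes and salts are arbitrary hex, not real records.
RAW_DUMP = """id,username,email,password_hash,salt,bio
1,alice,alice@example.org,5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8,1f2e3d4c,Docs contributor
2,bob,bob@example.net,2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae,9a8b7c6d,Reach me at bob@example.net
"""


class PublishBlocked(Exception):
    """Raised when the sanitized dump fails verification; nothing is published."""


def pseudonymize_email(email: str) -> str:
    """Non-reversible stand-in that keeps row identity stable across dumps."""
    digest = hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()[:12]
    return f"user-{digest}@example.invalid"


def sanitize(raw_csv: str) -> str:
    """Drop secret columns, pseudonymize e-mail columns, scrub e-mails from free text."""
    reader = csv.DictReader(io.StringIO(raw_csv))
    kept = [c for c in (reader.fieldnames or []) if c not in SECRET_COLUMNS]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=kept)
    writer.writeheader()
    for row in reader:
        clean = {}
        for col in kept:
            value = row[col] or ""
            if col in PII_COLUMNS:
                clean[col] = pseudonymize_email(value)
            else:
                clean[col] = EMAIL_RE.sub("[email redacted]", value)
        writer.writerow(clean)
    return out.getvalue()


def verify(sanitized_csv: str) -> list:
    """Independent check of the output; returns a list of violations (empty = clean)."""
    problems = []
    reader = csv.DictReader(io.StringIO(sanitized_csv))
    leaked = SECRET_COLUMNS & set(reader.fieldnames or [])
    if leaked:
        problems.append(f"secret columns present: {sorted(leaked)}")
    for n, row in enumerate(reader, start=1):
        for col, value in row.items():
            value = value or ""
            if EMAIL_RE.search(value) and not value.endswith("@example.invalid"):
                problems.append(f"row {n} column {col}: real e-mail address")
            if HEX_HASH_RE.search(value):
                problems.append(f"row {n} column {col}: hash-like value")
    return problems


def publish_dump(raw_csv: str, sanitizer, publish) -> str:
    """Run the sanitizer, then verify; publish only when verification passes."""
    try:
        sanitized = sanitizer(raw_csv)
    except Exception as exc:  # a crashing sanitizer must not fall through to publish
        raise PublishBlocked(f"sanitizer failed: {exc}") from exc
    problems = verify(sanitized)
    if problems:
        raise PublishBlocked("; ".join(problems))
    publish(sanitized)
    return sanitized


if __name__ == "__main__":
    released = []
    try:
        # A sanitizer that silently does nothing is the failure mode in the article.
        publish_dump(RAW_DUMP, lambda raw: raw, released.append)
    except PublishBlocked as blocked:
        print("blocked:", blocked)
    publish_dump(RAW_DUMP, sanitize, released.append)
    print(released[0])
```

The point of the design is that `verify` knows nothing about how `sanitize` works; it only asks whether the bytes about to be published still contain secret columns, real addresses or hash-like strings. A second check that looks at the artifact rather than at the process is what turns "the process failed" into "the publication was blocked".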
But reading the discussion on news.ycombinator.com, it appears that during the exposure window the Mozilla team identified some unknown IP addresses that had accessed the data.
“We could identify most of the handful of IPs that downloaded the file during the time period where it was unsanitized to individuals (i.e. IPs inside Mozilla offices, etc.). However because some IPs were unknown, or public, or potential NAT addresses Mozilla decided it was best to disclose the issue.”
The Mozilla team said it was “deeply sorry” for the incident.
“In addition to notifying users and recommending short term fixes, we’re also taking a look at the processes and principles that are in place that may be made better to reduce the likelihood of something like this happening again,” according to the post.
Security Affairs – (Mozilla, authentication)