Script fails, thousands of Mozilla developer emails, passwords possibly exposed

About 76,000 email addresses and roughly 4,000 passwords ended up on a publicly accessible server.

It is not uncommon for data breaches to be the result of programming errors – that is exactly what happened to Mozilla when a data sanitization process for the Mozilla Developer Network (MDN) failed and the email addresses and encrypted passwords of thousands of users ended up on a publicly accessible server.

A Mozilla web developer recognized sometime around July 21 that a data sanitization process – the act of completely wiping data from something – that began around June 23 was not going as smoothly as planned, according to a Friday post by Stormy Peters, director of developer relations with Mozilla, and Joe Stevensen, operations security manager with Mozilla.

“We had a script to remove all personal information and it failed,” Denelle Dixon-Thayer, senior vice president of business and legal affairs with Mozilla, told SCMagazine.com in a Monday email correspondence.

The incident resulted in the MDN email addresses of about 76,000 members being made available on a publicly accessible server, as well as roughly 4,000 encrypted passwords that were salted hashes, according to the post.

“While it is possible to decrypt the passwords [that were] leaked, it would be very difficult,” Dixon-Thayer said.

Mozilla has stopped the data sanitization process, Dixon-Thayer said. The database dump file has been removed from the publicly accessible server, the post indicates, and while Mozilla has not detected any malicious activity, the possibility that the file was accessed cannot be ruled out.

“The passwords that were leaked can no longer be used to log in to MDN,” Dixon-Thayer said. “We now use Persona to authenticate users. If users were using the same password on other websites, we encourage them to change those passwords and to use unique passwords for every account they have.”

On top of notifying users, Mozilla is also looking at ways to enhance its existing processes and procedures to reduce the chances of a similar incident happening again, according to the post.
