It is not uncommon for data breaches to be the result of programming errors – that is exactly what happened to Mozilla when a data sanitization process for the Mozilla Developer Network (MDN) failed and the email addresses and salted password hashes of thousands of users ended up on a publicly accessible server.
A Mozilla web developer recognized sometime around July 21 that a data sanitization process – in this case, a script meant to strip personal information from a database dump before it was shared – that began around June 23 had failed, leaving user data in the dump, according to a Friday post by Stormy Peters, director of developer relations with Mozilla, and Joe Stevensen, operations security manager with Mozilla.
“We had a script to remove all personal information and it failed,” Denelle Dixon-Thayer, senior vice president of business and legal affairs with Mozilla, told SCMagazine.com in a Monday email correspondence.
The incident resulted in the MDN email addresses of about 76,000 members being exposed on a publicly accessible server, along with roughly 4,000 passwords stored as salted hashes, according to the post.
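The failure mode here is a scrub script that stops short or misses a column, after which the partly scrubbed dump is published anyway. The following is an added example, not Mozilla's script and not based on any MDN code: it scrubs a constructed users table two ways and, before anything is published, scans the output by content rather than by column name so that leftover addresses or hashes fail the release closed. The row layout, field names (including `recovery_email`, a column the scrub script is assumed not to know about), the `algo$salt$hexdigest` hash format and the sample values are all assumptions made for the example.

```python
"""Added example, not Mozilla's script: scrub personal data from a users
table before publishing a dump, and fail closed if a content scan still
finds anything that looks like an e-mail address or a password hash."""
import re

# Constructed sample rows standing in for a users table; every address and
# hash below is made up. 'recovery_email' models a column the scrub script
# did not know about.
SAMPLE_ROWS = [
    {"id": 1, "username": "alice", "created": "2014-06-23",
     "email": "alice@example.org",
     "recovery_email": "alice.backup@example.org",
     "password": "sha256$3f9a$" + "ab" * 32},
    {"id": 2, "username": "bob", "created": "2014-06-24",
     "email": "bob@example.net", "recovery_email": None,
     "password": "sha256$c41d$" + "cd" * 32},
]

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
# algo$salt$hexdigest, the salted-hash layout assumed for the constructed rows
HASH_RE = re.compile(r"^[a-z0-9_]+\$[0-9a-f]+\$[0-9a-f]{32,}$")
PUBLIC_FIELDS = ("id", "username", "created")


def sanitize_by_denylist(rows, deny=("email", "password")):
    """Drop only the fields the script knows are personal. Any other column
    carrying personal data passes straight through to the output."""
    return [{k: v for k, v in row.items() if k not in deny} for row in rows]


def sanitize_by_allowlist(rows, keep=PUBLIC_FIELDS):
    """Keep only fields explicitly approved for publication; unknown or
    newly added columns are dropped by default."""
    return [{k: row[k] for k in keep if k in row} for row in rows]


def find_leaks(rows):
    """Scan every string value, whatever its column is called, and report
    (row id, field, kind) for anything that still looks like personal data."""
    leaks = []
    for row in rows:
        for field, value in row.items():
            if not isinstance(value, str):
                continue
            if HASH_RE.match(value):
                leaks.append((row.get("id"), field, "password-hash"))
            elif EMAIL_RE.search(value):
                leaks.append((row.get("id"), field, "email"))
    return leaks


def ok_to_publish(rows):
    """Gate for the publishing step: True only when the content scan is clean."""
    return not find_leaks(rows)


if __name__ == "__main__":
    leaky = sanitize_by_denylist(SAMPLE_ROWS)
    print("denylist scrub leaks:", find_leaks(leaky))
    print("publish denylist output?", ok_to_publish(leaky))
    clean = sanitize_by_allowlist(SAMPLE_ROWS)
    print("allowlist scrub leaks:", find_leaks(clean))
    print("publish allowlist output?", ok_to_publish(clean))
```

The point of the two scrubbers is that a denylist silently passes whatever it was never told about, while an allowlist drops it by default; the point of `find_leaks` is that the publishing step should not trust the scrub script's exit status at all, but look at the bytes it is about to put on a public server.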
“While it is possible to decrypt the passwords [that were] leaked, it would be very difficult,” Dixon-Thayer said.
Mozilla has stopped the data sanitization process, Dixon-Thayer said. The database dump file has been removed from the publicly accessible server, the post indicates, and while Mozilla has not detected any malicious activity, the possibility that the file was accessed cannot be ruled out.
“The passwords that were leaked can no longer be used to log in to MDN,” Dixon-Thayer said. “We now use Persona to authenticate users. If users were using the same password on other websites, we encourage them to change those passwords and to use unique passwords for every account they have.”
On top of notifying users, Mozilla is also looking at ways to enhance its existing processes and procedures to reduce the chances of a similar incident happening again, according to the post.