Bad news for tens of thousands of Mozilla Developer Network (MDN) users: their email addresses and, for a smaller group, their encrypted passwords were accidentally exposed. The incident was disclosed in a post on the official Mozilla Security Blog. The risk is that this data may have been harvested by bad actors who could reuse it in targeted attacks against the affected users.
“We have just concluded an investigation into a disclosure affecting members of Mozilla Developer Network. We began investigating the incident as soon as we learned of the disclosure. The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server. As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access,” wrote Stormy Peters, director of developer relations, and Joe Stevensen, operations security manager at Mozilla.
As the Mozilla team explained, the exposed passwords were not stored in plaintext: they were hashed, with a unique salt for each user record. Per-user salts defeat precomputed tables and stop an attacker from spotting users who share a password, but they do not protect a weak or reused password, which can still be guessed offline against its own salt. MDN users who reused their MDN password on other, non-Mozilla websites or authentication systems are therefore at serious risk. For this reason Mozilla immediately notified the affected users by email and urged them to change the password on any other online account where it was reused.
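To make the salting point concrete, the following is an added example (not Mozilla's or MDN's code; the PBKDF2 parameters, the user records and the wordlist are all constructed for illustration). It shows that two users with the same password get different digests, and that an attacker holding a leaked (salt, digest) pair can still test guesses against that one record, which is exactly why reuse on other sites matters.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple, List

# Assumption for this example: PBKDF2-HMAC-SHA256 with this work factor.
# The real MDN hashing scheme is not described on the page.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random 16-byte salt is drawn per record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest for a candidate and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def offline_guess(salt: bytes, digest: bytes, wordlist: List[str]) -> Optional[str]:
    """What someone holding a leaked (salt, digest) pair can do: try each
    guess against that single record. The salt blocks precomputed tables
    and cross-user matching, not a targeted dictionary run."""
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


def demo() -> dict:
    # Constructed records: two users who picked the same weak password.
    salt_a, dig_a = hash_password("correcthorse")
    salt_b, dig_b = hash_password("correcthorse")
    wordlist = ["password", "letmein", "correcthorse", "hunter2"]  # constructed
    return {
        "same_password_same_digest": dig_a == dig_b,      # False: salts differ
        "verify_ok": verify_password("correcthorse", salt_a, dig_a),
        "verify_wrong": verify_password("wrong", salt_a, dig_a),
        "recovered_a": offline_guess(salt_a, dig_a, wordlist),  # "correcthorse"
        "recovered_b": offline_guess(salt_b, dig_b, wordlist),  # "correcthorse"
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway is the last two entries: the unique salt stops one cracking run from covering both users, but each record falls to the same short wordlist on its own, so a password reused elsewhere should be treated as burned.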
“A process failed, and the DB dump that is published to help contributors improve the MDN site got out unsanitized. The sanitization/publication process will be redesigned to include stricter controls. For now, it is shut down,” explained Julien Vehent, a member of the Mozilla Operations Security team.
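The failure Vehent describes is a sanitization step that silently stopped doing its job while the publish step kept running. One of the "stricter controls" a practitioner would want is an independent verification gate that inspects the artifact about to be published and refuses to publish if anything sensitive survived. The following added example (not Mozilla's own pipeline; the CSV dump, column names and regexes are constructed for illustration) shows a sanitizer plus such a fail-closed gate.

```python
import csv
import io
import re
from typing import List, Tuple

# Constructed sample "dump" in CSV form; not a real MDN export.
RAW_DUMP = """id,username,email,password_hash,salt,bio
1,alice,alice@example.org,5f4dcc3b5aa765d61d8327deb882cf99,a1b2c3,Writes docs
2,bob,bob@example.net,e99a18c428cb38d5f260853678922e03,d4e5f6,Reviews patches
"""

# Assumed column names for this example's schema.
SENSITIVE_COLUMNS = {"email", "password_hash", "salt"}

# Detectors used by the gate. They are deliberately independent of the
# sanitizer: they look at the output, not at what the sanitizer intended.
EMAIL_RE = re.compile(r"[^@\s,]+@[^@\s,]+\.[^@\s,]+")
HEX_HASH_RE = re.compile(r"\b[0-9a-f]{32,}\b")


def sanitize_dump(raw: str) -> str:
    """Blank out the sensitive columns and keep the rest for contributors."""
    reader = csv.DictReader(io.StringIO(raw))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        for col in SENSITIVE_COLUMNS:
            if col in row:
                row[col] = ""
        writer.writerow(row)
    return out.getvalue()


def find_leaks(text: str) -> List[str]:
    """Scan a would-be public artifact for things that must never leave."""
    leaks = [f"email:{m}" for m in EMAIL_RE.findall(text)]
    leaks += [f"hash:{m}" for m in HEX_HASH_RE.findall(text)]
    return leaks


def publish(raw: str, sanitize: bool = True) -> Tuple[bool, List[str]]:
    """Fail closed: return (ok, findings). ok is True only when the gate
    found nothing; a broken or skipped sanitizer yields ok == False
    instead of a public copy of the raw dump."""
    artifact = sanitize_dump(raw) if sanitize else raw
    leaks = find_leaks(artifact)
    if leaks:
        return False, leaks   # refuse to publish and surface what was found
    return True, []           # safe to copy `artifact` to the public server


if __name__ == "__main__":
    print(publish(RAW_DUMP))                   # (True, [])
    print(publish(RAW_DUMP, sanitize=False))   # (False, [... 4 findings ...])
```

Modelling the sanitizer outage as `sanitize=False` is what makes the gate worth having: the publish step should depend on a positive check of the output, not on the assumption that an earlier step succeeded.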
However, the discussion on news.ycombinator.com suggests that, during the exposure window, the Mozilla team identified downloads of the file from IP addresses it could not attribute.
“We could identify most of the handful of IPs that downloaded the file during the time period where it was unsanitized to individuals (i.e. IPs inside Mozilla offices, etc.). However because some IPs were unknown, or public, or potential NAT addresses Mozilla decided it was best to disclose the issue.”
Mozilla Team said it was “deeply sorry” for the incident.
“In addition to notifying users and recommending short term fixes, we’re also taking a look at the processes and principles that are in place that may be made better to reduce the likelihood of something like this happening again,” according to the post.
Security Affairs – (Mozilla, authentication)