Pierluigi Paganini August 29, 2014

Mozilla Security Team announced a new accidental disclosure of email addresses and encrypted passwords of about 97,000 Bugzilla users.

On Wednesday, officials at Bugzilla, the bug-tracking system managed by Mozilla, confirmed that email addresses and encrypted passwords belonging to 97,000 of their users had been disclosed. Bugzilla is a bug-tracking software system widely used by many organizations, according to Mozilla’s Bugzilla, the data were hosted on a publicly accessible test server named Landfill since early May.

“One of our developers discovered that, starting on about May 4th, 2014, for a period of around 3 months, during the migration of our testing server for test builds of the Bugzilla software, database dump files containing email addresses and encrypted passwords of roughly 97,000 users of the test build were posted on a publicly accessible server.  As soon as we became aware, the database dump files were removed from the server immediately, and we’ve modified the testing process to not require database dumps,” Mark Côté, an assistant project lead at Bugzilla, said in a blog post.

As explained in the post published by Mozilla’s Bugzilla team, the database dump files containing the disclosed data were posted on a publicly accessible server.

Officials confirmed that the incident didn’t affect any users of bugzilla.mozilla.org.

“It’s important to note that, unless users reused the password they used onlandfill.bugzilla.org, this does not affect bugzilla.mozilla.org email addresses or passwords.” reports the Bugzilla uptade.

The incident occurred a few weeks after Mozilla requested about 76,000 members of the Mozilla Developer Network to change their passwords due to the accidental disclosure of MDN email addresses and encrypted passwords of about 4,000 users.

“While it is important to note that the disclosure of this development database does not affect bugzilla.mozilla.org, we continue to believe that the broader community would benefit from our increased focus on data practices and therefore will continue with our plan of including the Bugzilla project as well as other community projects in the data practices initiatives we’ve described above.”

Generally, developers use to access the test builds with passwords they would not reuse elsewhere because they are aware that test infrastructures are usually not secure like live environments.

The Bugzilla team has reset all of the passwords of users’ accounts used on the Landfill test server and impacted by the data disclosure.

Pierluigi Paganini

(Security Affairs – Bugzilla, data leakage)