Mozilla accidentally leaks 76,000 email ids and 4000 password hashes of its developers on a public web server
Mozilla is the foundation behind popular Firefox Web Browser. Its web browser is very popular among testers, pen testers and developers. Yesterday Mozilla Foundation issued a warning that it had mistakenly exposed information on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process internally.
Stormy Peter, Director of Developer Relations at Mozilla Foundation said that Mozilla issued a public statement via its Mozilla Security Blog on Friday.
As per the Blog, Mozilla Developer Data Exposed “Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server.”
The data was leaked on to a public server but it doesnt necessarily mean that all the cyber users had access to it. But it also means that if some person with a mala fide intent has downloaded the date before it was cleaned up, those 76000 developers are in for a lot of hell in future. Though Peter said that Mozilla hasn’t seen any malicious activity the server, but also noted they can’t rule it out as of now.
As for the data downloads, it has been download only a small number of times according to a comment posted by Julien Vehent on Y Combinator's Hacker News.
"We traced back as much as we could. Access logs, netflow data, etc.," the user wrote. "We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can't rule out that someone with malicious intentions got access to it."
According to Peter, the encrypted passwords were salted hashes and they by themselves cannot currently be used to authenticate with the MDN. However, Peter warned that MDN users may be at risk if they reused their original MDN passwords on other non-Mozilla websites or authentication systems. Peter further clarified in comments on the blog that the exposed passwords included salts that were unique to each user record.
Mozilla Foundation has sent notices to all the affected developers and suggested that those who had both email and password information exposed change any similar passwords they may be using elsewhere.