User data from registered developers of Mozilla add-ons was temporarily exposed by a mistake on a Mozilla server. Mozilla has disabled those users’ accounts until they reset their passwords.
As a registered user, I received an e-mail last night from Chris Lyon, director of infrastructure security at Mozilla, informing me of the breach. It occurred on December 17 and was discovered by “a third party” who was identified as a security researcher in a subsequent blog post. A file was on the server containing “a partial representation of the users database from addons.mozilla.org. The file included e-mail addresses, first and last names, and an md5 hash representation of your password.”
The letter stated that, apart from the referenced third party, only Mozilla staff had downloaded the file before it was removed. The company also identified how the file came to be on the server and have take steps to prevent it from being repeated.
Nevertheless, as a precaution Mozilla removed all those users’ passwords from the add-ons site and requested that users perform the password reset function in order to create a new one. To do so, users click “I forgot my password” at the login screen and enter an e-mail address. An e-mail with a personalized link is sent to the e-mail address, which is associated with a particular account. That link brings the user to a page that resets the password. Until that is done, the user cannot log in.
The accounts in the exposed file all had older MD5 hashes and (like mine) were inactive. On April 9, 2009, Mozilla changed to a password system using SHA-512 password hashes and per-user salts. Users with active accounts were not affected.
Originally posted on PCMag’s Security Watch blog.
very nice publish, i definitely love this web site, keep on it