Email addresses and encrypted passwords of tens of thousands of Mozilla developers were accidentally exposed and might have been harvested by malicious individuals, Stormy Peters, director of developer relations, and Joe Stevensen, operations security manager at Mozilla, announced on Friday.
“The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server,” they noted.
“As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure.”
While there is no evidence that anyone accessed the server, and the hashed passwords were salted with unique salts for each user record, the company has notified affected users of the compromise by email and is urging them to change the passwords on other online accounts if they recycled the MDN password.
“A process failed, and the DB dump that is published to help contributors improve the MDN site got out unsanitized. The sanitization/publication process will be redesigned to include stricter controls. For now, it is shut down,” explained Julien Vehent, a member of the Mozilla Operations Security team.
“MDN has been using Persona for a while now, meaning that most accounts don’t have passwords in the database. But older accounts still had the SHA256 salted hash that Django creates. We traced back as much as we could. Access logs, netflow data, etc… We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can’t rule out that someone with malicious intentions got access to it.”
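The root cause described above is a sanitization step that failed silently while the publication step kept running. The following is an added example, not Mozilla's code or any part of the MDN pipeline, of a fail-closed pre-publication gate that scans a dump for residual email addresses and Django-style password hashes; the dump text, the placeholder domain and the hash layouts are constructed assumptions.

```python
import re

# Constructed sample of a SQL dump: one properly sanitized row and two rows
# whose sensitive columns survived a failed sanitization step (made-up values).
SAMPLE_DUMP = """\
INSERT INTO auth_user (username, email, password) VALUES
('contributor1', 'user1@example.invalid', 'sanitized'),
('contributor2', 'alice@example.com', 'pbkdf2_sha256$10000$saltsalt$Zm9vYmFyYmF6cXV4cXV1eHF1dXg='),
('contributor3', 'bob@example.org', 'sha1$a1b2c3$0123456789abcdef0123456789abcdef01234567');
"""

# Patterns for data that must never appear in a published dump. The hash
# layouts follow Django's documented '<algorithm>$...$<hash>' convention and
# are an assumption here, not something taken from the MDN incident report.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
DJANGO_HASH_RE = re.compile(r"\b(?:pbkdf2_sha256|sha1|md5|bcrypt\w*)\$[^'\"\s]+\$[^'\"\s]+")


def find_leaks(dump_text, allowed_domains=("example.invalid",)):
    """Return (line_no, kind, value) for every residual email or password hash.
    Emails on an explicitly allowed placeholder domain (what a working
    sanitizer is assumed to write) are not reported."""
    findings = []
    for line_no, line in enumerate(dump_text.splitlines(), start=1):
        for m in EMAIL_RE.finditer(line):
            if m.group(0).rsplit("@", 1)[1].lower() not in allowed_domains:
                findings.append((line_no, "email", m.group(0)))
        for m in DJANGO_HASH_RE.finditer(line):
            findings.append((line_no, "password_hash", m.group(0)))
    return findings


def safe_to_publish(dump_text):
    """Fail closed: the dump is publishable only when the scan finds nothing.
    An empty dump is rejected too, so a sanitizer that crashed and wrote no
    output cannot slip through the gate by accident."""
    if not dump_text.strip():
        return False
    return not find_leaks(dump_text)


if __name__ == "__main__":
    for line_no, kind, value in find_leaks(SAMPLE_DUMP):
        print(f"line {line_no}: residual {kind}: {value}")
    print("publish:", safe_to_publish(SAMPLE_DUMP))
```

In a real pipeline the gate would run on the archive immediately before upload, and a non-empty findings list should block the publish step rather than only log a warning.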