According to Joe Stevensen, operations security manager at Mozilla and Stormy Peters, director of developer relations, the issue started on 23rd June, for a period of 30 days, a data-sanitisation procedure of Mozilla Developer Network (MDN) site database had been failing, thus leading to the unintentional disclosure of encrypted passwords of about 4,000 users and MDN email addresses of about 76,000 users on a publicly accessible server.The database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure.
While they are not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.
The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems.
They have sent notices to the users who are affected. For those that had both email and encrypted passwords disclosed and recommended that they change any similar passwords they may be using.
This is not the first time Mozilla accidentally reveals sensitive information. In 2010, a database containing user IDs and password hashes was mistakenly made public, exposing more than 44,000 of its users.
Mozilla apologized and is working on both short and long term fixes. Though, the login information cannot be used to access the Mozilla developer network, they face the danger of the passwords being utilized on other websites and other logins being exploited, the company said.
