Mozilla, the foundation behind the widely popular Firefox browser, has accidentally leaked over 76,000 developer emails and 4,000 encrypted passwords.
The leaked data was discovered around June 23 by one of Mozilla’s web developers, Stormy Peters, Mozilla’s Director of Developer Relations, said in a blog post Friday.
“The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server,” Peters wrote.
While the emails were leaked, Peters notes that Mozilla did not discover any malicious activity on the server, but does not want to rule the possibility out.
In a post on Y Combinator Hacker News, Julien Vehent, author of Mozilla’s Server Side TLS and member of Mozilla’s Operations Security team, said the team determined that the data had been downloaded only a small number of times.
“We traced back as much as we could. Access logs, netflow data, etc… We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can’t rule out that someone with malicious intentions got access to it.”
Mozilla has stated that the encrypted passwords were salted hashes and cannot be used to authenticate with the Mozilla Developer Network. Peters went on to say that users who reused their MDN password across the web may be at risk of unauthorized access to some accounts. Peters later clarified in the comments that the leaked passwords were old ones, from before the switch to Mozilla’s new login system, Persona, and that they included salts that were unique to each user record.
Mozilla has sent security notices to those who were affected and recommends that users change their passwords if they reused their MDN passwords elsewhere.
This type of leak is rare. Cybercriminals seize every chance to breach any type of security, but here it was Mozilla’s own mistake that cost it the same embarrassment.