Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Mozilla Mistakenly Posts File Containing Registered User Data

Mozilla Mistakenly Posts File Containing Registered User Data, Including MD5 Hash Passwords, to Public Web Server

Mozilla Mistakenly Posts File Containing Registered User Data, Including MD5 Hash Passwords, to Public Web Server

Mozilla Mistakenly Posts File Containing Registered User DataMozilla today alerted registered users of its addons.mozilla.org site that it had mistakenly posted a file to a publicly available Web server which contained data from its registered user database including email addresses, first and last names, and an md5 hash representation of user passwords.

The addons.mozilla.org site hosts add-ons to Mozilla software, such as Firefox, Thunderbird, SeaMonkey, and Sunbird which let users add new features and change the way browsers or applications work.

Suggested Reading > 2010 Device Integrity Report: U.S. Unprepared for Internet Device Flood

The organization claims it was notified by a third party who discovered the file on December 17th via its Web bounty program, and after investigating, does not believe the file was downloaded by others outside of Mozilla and the third party who reported the file to Mozilla. In response, Mozilla deleted all user passwords and has asked users to reset their passwords manually and change the password to any other sites which may utilize the same password. 

Developer? > Designing Security for Newly Networked Devices

Update: Chris Lyon, Director of Infrastructure Security at Mozilla, shared some additional information via blog post late Monday night (after we published this initial report) and noted that “The database included 44,000 inactive accounts using older, md5-based password hashes. We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per user salts has been the standard storage method of password hashes for all active users since April 9th, 2009.

A copy of the email which Lyon sent to addons.mozilla.org on Monday evening is below:

Dear addons.mozilla.org user,

Advertisement. Scroll to continue reading.

The purpose of this email is to notify you about a possible disclosure of your information which occurred on December 17th. On this date, we were informed by a 3rd party who discovered a file with individual user records on a public portion of one of our servers. We immediately took the file off the server and investigated all downloads. We have identified all the downloads and with the exception of the 3rd party, who reported this issue, the file has been download by only Mozilla staff. This file was placed on this server by mistake and was a partial representation of the users database from addons.mozilla.org. The file included email addresses, first and last names, and an md5 hash representation of your password. The reason we are disclosing this event is because we have removed your existing password from the addons site and are asking you to reset it by going back to the addons site and clicking forgot password. We are also asking you to change your password on other sites in which you use the same password. Since we have effectively erased your password, you don’t need to do anything if you do not want to use your account. It is disabled until you perform the password recovery.

We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future. We are also evaluating other processes to ensure your information is safe and secure.

Should you have any questions, please feel free to contact the infrastructure security team directly at [email protected]. If you are having issues resetting your account, please contact [email protected]. We apologize for any inconvenience this has caused.

Chris Lyon

Director of Infrastructure Security

Related Reading >Mitigation of Security Vulnerabilities on Android & Other Open Handset Platforms

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.