MDN Database Disclosure

Stormy


We have just concluded an investigation into a disclosure affecting members of Mozilla Developer Network. We began investigating the incident as soon as we learned of the disclosure. The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23 and continuing for a period of 30 days, a data sanitization process for the Mozilla Developer Network (MDN) site database had been failing. The result was the accidental disclosure, in a database dump on a publicly accessible server, of the MDN email addresses of about 76,000 users and the salted password hashes of about 4,000 users. As soon as we learned of it, the dump file was removed from the server and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there was no such access.
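
The failure described above is a sanitization step that broke while the step that published the dump kept running. The pattern that prevents it is to treat sanitization and publication as one fail-closed operation: the dump reaches the public location only after an independent check, one that does not trust the sanitizer or the schema, has confirmed nothing sensitive survived. The following is an added example in Python and is not MDN's or Mozilla's sanitizer; the table and column names, the constructed rows and the detection patterns are assumptions for illustration.

```python
"""Fail-closed sanitize-then-publish for a database dump.

Added example, not MDN's or Mozilla's code. Table names, column names,
the sample rows and the detection patterns are assumptions for illustration.
"""
import hashlib
import re

# Constructed sample dump (not MDN data). The users table carries the two
# columns that must never reach the public copy.
RAW_DUMP = {
    "users": [
        {"id": 1, "username": "alice", "email": "alice@example.org",
         "password_hash": hashlib.sha1(b"a1b2" + b"hunter2").hexdigest()},
        {"id": 2, "username": "bob", "email": "bob@example.net",
         "password_hash": "pbkdf2_sha256$12000$s0m3salt$Kj8wQ2Z0lq6W7xN3m9Q2cB4dE5fG6hI7jK8lM9nO0pQ="},
    ],
    "documents": [
        {"id": 10, "slug": "Web/JavaScript", "author_id": 1},
    ],
}

SENSITIVE_COLUMNS = {"users": ("email", "password_hash")}   # assumed schema
PLACEHOLDER_DOMAIN = "@example.invalid"

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
HEX_DIGEST_RE = re.compile(r"\b[0-9a-f]{32,128}\b")            # md5/sha1/sha256-style digests
HASHER_PREFIX_RE = re.compile(                                  # Django-style encoded hashes
    r"^(pbkdf2_sha256|pbkdf2_sha1|bcrypt_sha256|bcrypt|sha1|md5)\$")


class SanitizationError(RuntimeError):
    """Raised whenever the dump cannot be shown to be clean; publishing must stop."""


def sanitize(dump):
    """Overwrite every sensitive column. A missing column raises instead of
    being skipped: a schema change that silently bypasses scrubbing is
    exactly the kind of failure that leaks data."""
    clean = {}
    for table, rows in dump.items():
        columns = SENSITIVE_COLUMNS.get(table, ())
        clean_rows = []
        for index, row in enumerate(rows):
            scrubbed = dict(row)
            for column in columns:
                if column not in scrubbed:
                    raise SanitizationError(f"{table}.{column} not found; schema changed?")
                scrubbed[column] = f"user{index}{PLACEHOLDER_DOMAIN}" if column == "email" else ""
            clean_rows.append(scrubbed)
        clean[table] = clean_rows
    return clean


def classify(value):
    """Content-based check that does not trust the schema: does this cell still
    look like an email address or an encoded password hash?"""
    text = str(value)
    if EMAIL_RE.search(text) and not text.endswith(PLACEHOLDER_DOMAIN):
        return "email"
    if HASHER_PREFIX_RE.match(text) or HEX_DIGEST_RE.search(text):
        return "password_hash"
    return None


def verify_clean(dump):
    """Scan every cell of every table; return (table, row, column, kind) findings."""
    findings = []
    for table, rows in dump.items():
        for index, row in enumerate(rows):
            for column, value in row.items():
                kind = classify(value)
                if kind:
                    findings.append((table, index, column, kind))
    return findings


def publish(dump, sanitizer=sanitize):
    """Return the dump that may be copied to the public server, or raise.
    No code path returns the raw dump: if the sanitizer throws, or returns
    something the independent check rejects, nothing is published."""
    try:
        clean = sanitizer(dump)
    except Exception as exc:
        raise SanitizationError(f"sanitizer failed: {exc}") from exc
    findings = verify_clean(clean)
    if findings:
        raise SanitizationError(f"sanitized dump still holds sensitive data: {findings}")
    return clean


def attempt_publish(dump, sanitizer=sanitize):
    """Wrapper for callers that want a status instead of an exception."""
    try:
        return "published", publish(dump, sanitizer)
    except SanitizationError as exc:
        return "aborted", str(exc)


def passthrough_sanitizer(dump):
    """Models the incident's failure mode: scrubbing silently does nothing."""
    return dump


def failing_sanitizer(dump):
    """Models the other failure mode: scrubbing crashes outright."""
    raise ValueError("sanitizer crashed")


if __name__ == "__main__":
    print(attempt_publish(RAW_DUMP)[0])                          # published
    print(attempt_publish(RAW_DUMP, passthrough_sanitizer)[0])   # aborted
    print(attempt_publish(RAW_DUMP, failing_sanitizer)[0])       # aborted
```

The two pieces that matter are that `verify_clean` looks at the data rather than at the schema (so a sanitizer that quietly stops scrubbing a column is caught), and that `publish` has no fallback path: a broken sanitizer aborts the run instead of handing the raw dump to whatever copies it to the public host.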

We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you.

The disclosed passwords were stored as salted hashes, not as plaintext, and by themselves they cannot be used to authenticate to the MDN website today. A salted hash does not stop someone who holds the dump from guessing passwords offline, however, so a weak or reused MDN password could be recovered and tried against other non-Mozilla websites or authentication systems. We have sent notices to the users who were affected. For those who had both their email address and password hash disclosed, we recommended that they change any similar passwords they may be using elsewhere.
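
Salted hashes cannot be presented to MDN as credentials, but anyone holding the dump can run a dictionary attack against each stored salt offline, and the only thing that protects a weak or reused password in that setting is that it is not reused. The following is an added example, not Mozilla code; the page does not say which hash MDN used, and the SHA-1 and PBKDF2 formats, the accounts, salts and wordlist below are constructed for illustration.

```python
"""Offline guessing against leaked salted hashes.

Added example, not Mozilla code. The page does not say which hash MDN
used; the SHA-1 and PBKDF2 formats, the accounts, salts and wordlist below
are constructed for illustration.
"""
import hashlib

# Fixed salts so the run is reproducible; real systems draw them from os.urandom.
SALTS = {
    "alice@example.org": bytes.fromhex("0a1b2c3d4e5f6071"),
    "bob@example.org": bytes.fromhex("deadbeef00112233"),
    "carol@example.org": bytes.fromhex("c0ffee1234567890"),
    "dave@example.org": bytes.fromhex("0123456789abcdef"),
}

# Constructed accounts. Alice and Dave chose the same weak password; Carol's is random.
PASSWORDS = {
    "alice@example.org": "password1",
    "bob@example.org": "mozilla2014",
    "carol@example.org": "Vx9!qT2#rL8mZp4w",
    "dave@example.org": "password1",
}

# A tiny stand-in for the multi-million-entry lists attackers actually use.
WORDLIST = ["123456", "password", "password1", "letmein", "mozilla", "mozilla2014", "qwerty"]


def legacy_hash(password, salt):
    """Assumed legacy scheme: hex(SHA-1(salt || password))."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def slow_hash(password, salt, iterations=20_000):
    """A deliberately slow KDF (PBKDF2-HMAC-SHA256). Iterations are kept low so
    the example finishes quickly; production settings are much higher."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def make_rows(hasher):
    """What the attacker holds after a dump like the one described: email, salt, hash."""
    return [{"email": email, "salt": SALTS[email], "hash": hasher(PASSWORDS[email], SALTS[email])}
            for email in PASSWORDS]


def crack(rows, wordlist, hasher):
    """Offline dictionary attack. The salt forces one hash per (user, guess)
    pair rather than one per guess, so `work` grows with the number of users,
    but every password that appears in the wordlist still falls."""
    recovered = {}
    work = 0
    for row in rows:
        for guess in wordlist:
            work += 1
            if hasher(guess, row["salt"]) == row["hash"]:
                recovered[row["email"]] = guess
                break
    return recovered, work


if __name__ == "__main__":
    rows = make_rows(legacy_hash)
    found, work = crack(rows, WORDLIST, legacy_hash)
    print(found)   # alice, bob and dave recovered; carol's random password is not
    print(work)    # 19 hashes computed
```

The salt does its job: Alice and Dave share a password but get different hashes, so the attacker cannot crack one row and read off the other, and each guess has to be hashed once per user. Switching to the slow KDF multiplies the cost of every one of those hashes. Neither changes which passwords fall, which is why the notice above asks affected users to change similar passwords on other sites rather than anything on MDN.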

In addition to notifying users and recommending short-term fixes, we are also reviewing the processes and principles in place that could be improved to reduce the likelihood of something like this happening again. If you have questions, please reach out to security@mozilla.org.

Thanks,

Stormy Peters
Director of Developer Relations

Joe Stevensen
Operations Security Manager

116 responses

  1. Kiomi wrote on :

    I Googled my email and found it on an email data list website; I’ll have spam for life…

    1. Racheal wrote on :

      Someone is using my pictures and making user names on porno sites. How do I stop this?

  2. Hans Schmucker wrote on :

    Well… sh*t happens…

    But maybe we can take the full disclosure one step further:
    The mail isn’t exactly clear whether I belong to the “they just got the address” or the “they got everything” category. I guess the first one, since I haven’t accessed MDN during that time, but I can’t be sure.

    I’m also unsure what password I had on this account… my guess is that it’s one of my old ones which was used with some subtle changes on a variety of sites (nowadays I use a password generator). So if you have the time, it would be great if you could notify us whether we belong in group #1 or #2 and if possible give us a way to check which password we used (basically by providing a field that checks any user input against the saved hash).

    Of course such a breach isn’t something that’s supposed to happen, but I really want to say that you did the right thing by informing everybody as quickly as possible. Why the heck isn’t everybody doing it this way? ;)

    1. Michael wrote on :

      Hi Hans, I was wondering if you could explain to me how you use a password generator? I guess what I’m asking is, are you changing your password at each log-in? I myself have had a few email accounts hacked and like the idea of increased security. Please advise me.
      Michael

  3. Leonardo wrote on :

    I’m glad I got e-mailed about this, otherwise I would never know.

  4. Ahmed Tareque Pantha wrote on :

    I wish it won’t happen again. Amin…

    1. Anees Iqbal wrote on :

      I wonder how come you are on MDN. It was meant to be a developer network, and you guys talk like gangstas. That poor guy just said he hopes it’ll not happen again. What’s wrong with that?

  5. Hacker wrote on :

    This is our chance to finally commit to repository support for webp in Firefox!

  6. Austin wrote on :

    “Your email address (but not password) was posted”

    Were the 4000 users with leaked passwords sent a different email?

    1. Austin wrote on :

      NVM, I see they were sent notices.

      1. Felipesvjr wrote on :

        I was using Gmail before at Mozilla Messaging Thunderbird; now on MDN I’m still not changing my email address…

  7. harry wrote on :

    So where do we go to change our password? It would be nice to have a link to that.

    1. Daniel Veditz wrote on :

      There are no more passwords on MDN, the site now uses “Persona” for authentication. You don’t need to change anything on MDN itself. If you were notified that your password was potentially at risk AND if you re-use the same password on multiple sites then you should change your password on any site that used the same password.

  8. Philippe Verdy wrote on :

    I was notified about the mail address disclosure; however, the salted hashed passwords are still a severe issue and we should have been notified if the hashed passwords had been disclosed too (because they can now be targeted offline by brute force attacks, possibly distributed, to find collisions).
    If the hashed passwords had been disclosed you should have warned us to change the password and look in our own private database of passwords to see if they match some passwords used on other websites (I hope this is not the case, because I have now used a password generator for most sites for about one year; however my account on MDN is much older and I have probably not updated the password here in a long time, and possibly the local password is not so unique and could be used to look for some other related passwords on other websites).
    Before I used a password generator and password manager I was already using distinct passwords for many websites, but with some mnemonic way, and these distinct old passwords could possibly be guessed because they were mnemonic. I no longer use any mnemonic rule for new passwords added and changed since one year ago on all the most widely used sites. As all these new passwords have absolutely no mnemonic way to be remembered, this also means that I’m dependent on my email manager (which uses for its master password a long passphrase with strange and unexpected meaning and no relation between the several concepts linked in that strange phrase, which also contains some rare characters plus some voluntary typos in their syntax, an invented word not existing in any dictionary but still pronounceable for me, and another word in a foreign language).

    1. Pluto wrote on :

      Read the blog, it says that it notified users whose password hashes were revealed:

      “The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.”

    2. Daniel Veditz wrote on :

      We did exactly what you suggest for the people who had not logged in to MDN since we stopped using passwords and whose hashed passwords were exposed. A separate mail was sent to those people with more information about passwords.

  9. Fira wrote on :

    While I was unaffected, I thank you and the entire team for being so open and transparent about this issue. This is why I trust Mozilla more than many of the large tech companies. Openness is the key to building that trust, and seeing it in action reinforces it.

  10. Roos wrote on :

    I googled my e-mail address and found it in some list of e-mails published on the main page of an unknown (to me) website.

  11. Nocarz wrote on :

    Good luck and I hope this never happens again.

  12. Claudia g wrote on :

    Hey, I don’t understand what’s going on. My cellular phone was encrypted, and when I tried to get in with my password it was impossible to get in.
    So I lost all my information.
    Were you responsible for this?
    Can you help me please?
    I’m worried about my information because it was very important to me, because I’m a writer.
    Sorry if my English is not the best, but I’m from Chile, South America.

  13. Ezequiel tafur peralta wrote on :

    See security

  14. gb2g wrote on :

    Terrific I spent the last four hours changing all my passwords.

    1. Stop wrote on :

      Use Lastpass, stop reusing passwords, and stop complaining.

  15. lordfuoco wrote on :

    I was wondering why spam started to pour in my gmail account. Found the reason. This is pretty sad.

    1. Pluto wrote on :

      Didn’t happen to me at all. I’m not using Gmail, but either whoever it was didn’t target everyone on the email list, or perhaps there’s another cause for your spam.

  16. Slau wrote on :

    I understand it’s not about piracy but about incompetency… Maybe you should worry more about security and user service and less about people’s personal opinions? Maybe you should have kept Brendan Eich?

  17. Jessie wrote on :

    I know my ex fiancée did this! She knows all about those special apps to use on her phone! She can see everything I do on my phone and she can change my info and see EVERYTHING I DO ON MY PHONE!!! What can I do? I already went through AT&T and they did all they could do WITHOUT cutting her service off. HELP

    1. Zak wrote on :

      @Jessie – What are you smoking bro? Change your damn passwords (especially email) and factory reset your damn phone.

      This article is about a database leak from Mozilla’s MDN website, that as far as they are aware was not caused by malicious activity, but a mistake.
      The nature of the leak is only email addresses and pre-encrypted passwords.
      The pre-encrypted passwords that were leaked pose a pretty minimal security threat.
      Somebody has to do a lot of work to get your actual password from them.

      That said it is still technically possible to crack your plain text password from the encrypted passwords; Best practices demand you change your password on any system or service that you use a similar password with.

      1. Imanol wrote on :

        About the leak…

        Posted on a public server by mistake?? -_-

        Impossible is nothing, but…

        Another people should stop smoking too, just in case.

    2. Imanol wrote on :

      Don’t stop smoking mate! I laughed very hard at your comment. You made my day. :)

  18. Washington wrote on :

    Now I understand why I was getting over 500 emails a day, every virus, spam and advertisement, until I lost access to my email. Microsoft said there was unusual activity on my account. I lost access to messages, photos and important contacts, and even though I claimed it was not my fault, I did not get access to my account. I do not trust Mozilla.

  19. Kevin Garrity wrote on :

    Don’t have a whole lot of nothing to comment on, other than that this all can become almost a nightmare.

  20. lwz wrote on :

    1. Maybe there should be a CAPTCHA for this blog.
    2. Many email addresses are somehow already available here: http://people.mozilla.org/~eakhgari/gitdm-mozilla.txt

    1. Daniel Veditz wrote on :

      Those addresses are from contributors to Firefox source code. People who check in code must have a publicly available development address so people can communicate with them about their changes if necessary.

  21. dbd wrote on :

    I know that these kind of things may happen even to a big corporation, but still…

  22. Malakeh erlinda Abdullah wrote on :

    This just adds more headaches. I’m thinking that your security should be protecting my personal info. I already have major issues with fraudulent usage of my emails and identity thieves, and I’m constantly having to change my passwords. And those code-generated passwords are useless for me. Verification by SMS seems the only good thing. And that remote access really needs to be removed forever, as I didn’t give permission for any skank or swinging dick to be in my shit. As I observed, these asswipes are using my name on porno and smut garbage. I am 100% female, yet daily I get emails from bitches looking for dates, and always the data date is 12-31-1969. And I tried to reply and their email is fake. So their encrypted shit is going on illegally using my name. And how do I know that they haven’t put illegal apps or websites on my devices? And who among those “high tech developers” is checking into these problems?

  23. Anonymous wrote on :

    LOL
