On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The researcher reported the issue to us through our web bounty program. We were able to account for every download of the database. The issue posed minimal risk to users; as a precaution, however, we felt we should notify the people affected and err on the side of disclosure.
The database included 44,000 inactive accounts using older, MD5-based password hashes. We erased all of the MD5 password hashes, which disabled those accounts. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts; SHA-512 with per-user salts has been the standard storage method for the password hashes of all active users since April 9th, 2009.
It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla’s infrastructure. This information was also sent to the impacted users by email on December 27th.
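To make the difference between the two storage schemes mentioned in the second paragraph concrete, here is an added example (not Mozilla's code and not the addons.mozilla.org implementation): an unsalted MD5 digest beside a per-user-salted SHA-512 digest, a constant-time verifier, and the remediation step of erasing the legacy digests so those accounts can no longer authenticate. The concatenation order `salt || password`, the 16-byte salt length and the record layout are assumptions; the post does not specify them.

```python
import hashlib
import hmac
import secrets

# All records below are constructed for illustration, not data from the incident.


def legacy_md5_hash(password: str) -> str:
    """Unsalted MD5, the older scheme the post says the inactive accounts used.

    Two users with the same password get the same digest, so a single
    precomputed table of digests covers every account at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_salt(nbytes: int = 16) -> bytes:
    """Per-user random salt drawn from the OS CSPRNG (length is an assumption)."""
    return secrets.token_bytes(nbytes)


def salted_sha512_hash(password: str, salt: bytes) -> str:
    """SHA-512 over salt || password, the scheme the post describes for active accounts.

    The concatenation order is an assumption; the post does not state it.
    """
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()


def store_password(password: str) -> dict:
    """Return the record a user table keeps: salt and digest, never the password."""
    salt = make_salt()
    return {"salt": salt.hex(), "sha512": salted_sha512_hash(password, salt)}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = salted_sha512_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["sha512"])


def disable_legacy_accounts(users: dict) -> dict:
    """Mirror the post's remediation: erase MD5 digests so those accounts cannot log in.

    Records that already carry a salted SHA-512 digest are left untouched.
    """
    for record in users.values():
        if "md5" in record:
            record["md5"] = None
            record["disabled"] = True
    return users


if __name__ == "__main__":
    # Same password, two users: MD5 collides, salted SHA-512 does not.
    print("md5 alice :", legacy_md5_hash("hunter2"))
    print("md5 bob   :", legacy_md5_hash("hunter2"))
    alice, bob = store_password("hunter2"), store_password("hunter2")
    print("sha512 alice:", alice["sha512"][:32], "...")
    print("sha512 bob  :", bob["sha512"][:32], "...")
    print("alice verifies:", verify_password("hunter2", alice))
    print("wrong password:", verify_password("hunter3", alice))
```

The two digests for the same password differ only because of the salt, which is what prevents one cracking run from covering every account. A single SHA-512 round is still fast to compute; current guidance favours a deliberately slow, memory-hard password KDF (bcrypt, scrypt or Argon2) over a plain salted hash, so treat this block as an illustration of the 2009 scheme rather than a recommendation.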
Chris Lyon
Director of Infrastructure Security