Categories: Security

MDN Database Disclosure

We have just concluded an investigation into a disclosure affecting members of Mozilla Developer Network. We began investigating the incident as soon as we learned of the disclosure. The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server. As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.

We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you.

The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.

In addition to notifying users and recommending short term fixes, we’re also taking a look at the processes and principles that are in place that may be made better to reduce the likelihood of something like this happening again. If you have questions, please reach out to security@mozilla.org.

Thanks,

Stormy Peters
Director of Developer Relations

Joe Stevensen
Operations Security Manager
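The root cause described above is a sanitization step that failed silently for 30 days while the dump it fed kept being published. The example below is added here and is not Mozilla's or MDN's own code; it shows the control a practitioner would want in that pipeline: an independent, fail-closed verification of the exact file about to be published, run regardless of whether the sanitizer reported success. It assumes a CSV-style dump with a header row; the column names, sample rows and the `algorithm$salt$hexdigest` password layout are constructed for illustration, not taken from the MDN database.

```python
"""Fail-closed sanitization gate for a database dump before publication.

Added example, not Mozilla's or MDN's own code. It assumes a CSV-style dump
with a header row; the column names, rows and the "algorithm$salt$hexdigest"
password layout are constructed for illustration.
"""
import csv
import hashlib
import io
import re

# An address anywhere in a cell, whatever the column is called.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A salted-hash field in the assumed algorithm$salt$hexdigest layout.
HASH_RE = re.compile(r"^[a-z0-9_]+\$[A-Za-z0-9./]+\$[0-9a-f]{40,}$")
SENSITIVE_COLUMNS = ("email", "password")


def _sample_hash(secret: str, salt: str) -> str:
    """Build a constructed sample value in the assumed hash layout."""
    digest = hashlib.sha256((salt + secret).encode()).hexdigest()
    return f"sha256${salt}${digest}"


# Constructed sample user table: two legacy accounts with hashes, one
# Persona-era account with an empty password column.
SAMPLE_DUMP = "id,username,email,password\n" + "\n".join([
    f"1,alice,alice@example.org,{_sample_hash('sample-secret-1', 'ab12cd34')}",
    "2,bob,bob@example.net,",
    f"3,carol,carol@example.com,{_sample_hash('sample-secret-2', 'ff00ee11')}",
])


def sanitize(dump: str, columns=SENSITIVE_COLUMNS) -> str:
    """Blank the named columns by header name.

    This is the step that can fail silently: if the schema renames a column
    (say 'password' becomes 'passwd'), nothing here raises, and the data
    passes through untouched."""
    reader = csv.DictReader(io.StringIO(dump))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col in columns:
            if col in row:
                # Keep a non-address placeholder so joins on user id still work.
                row[col] = f"user-{row['id']}" if col == "email" else ""
        writer.writerow(row)
    return out.getvalue()


def verify_sanitized(dump: str) -> list:
    """Independent check on the exact bytes that would be published.

    It does not trust the sanitizer or the header: every cell is scanned for
    anything that looks like an address or a salted hash."""
    findings = []
    for lineno, row in enumerate(csv.reader(io.StringIO(dump)), start=1):
        for cell in row:
            if EMAIL_RE.search(cell):
                findings.append(f"line {lineno}: email address present")
            if HASH_RE.match(cell):
                findings.append(f"line {lineno}: password hash present")
    return findings


def publish_gate(raw_dump: str):
    """Sanitize, then verify; return (ok, dump, findings).

    The dump is only handed back when verification finds nothing, so a broken
    sanitizer blocks publication instead of leaking."""
    cleaned = sanitize(raw_dump)
    findings = verify_sanitized(cleaned)
    if findings:
        return False, None, findings
    return True, cleaned, []


if __name__ == "__main__":
    ok, _, findings = publish_gate(SAMPLE_DUMP)
    print("publish" if ok else "blocked", findings)
    # Simulate the silent failure: the password column was renamed.
    ok, _, findings = publish_gate(SAMPLE_DUMP.replace("password", "passwd", 1))
    print("publish" if ok else "blocked", findings)
```

The design point is that the verifier and the sanitizer share no logic: the sanitizer works by column name, the verifier by content, so a schema change that blinds one does not blind the other. Running the gate on the renamed-column variant in the `__main__` block shows the hashes being caught and publication refused, which is the outcome a 30-day silent failure needs.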

116 comments on “MDN Database Disclosure”

  1. Stojković wrote on

    Good luck with fixing that. This shouldn’t happen again.

  2. Andre wrote on

    Ah.. This is just lovely. It could also explain why the amount of spam I get has increased in the last month, I used to only get about 20 in a month, now I’ve got almost 60, each of which seem to be the same message (but from different source addresses).

    Guess it’s a bit late now, they have my address already.. Whoever “they” are. :/

    1. max wrote on

      TOTALLY AGREE! IN THE PAST 45 DAYS SINCE MOZILLA SOLD MY EMAIL ADDRESS TO SPAMMERS I’M AT 40 SPAM EMAILS/DAY! ! ! !

      NEXT TIME MOZILLA SELLS THEIR LIST THEY SHOULD AT LEAST GIVE US A PIECE OF THE PIE.

      I WOULD HAVE USED AN AOL ACCOUNT TO SIGN UP FOR THIS SERVICE.

      lol lollol lollol lollol lollol

    2. iMitwe wrote on

      That’s it. I have had so much spam these last few days.

      1. Stefan wrote on

        me too..
        normally on this account i had NO spam!!!
        and now i have about 10..30 spam messages a day!!
        🙁

        1. Erwan wrote on

          Same here :-(!

          It never happened to me since YEARS, never been spammed so much, kind of desperate (just can’t change using what is my main email since YEARS).

          Such a pain, you should have recommended to us to use a dedicated email…!

          Regards.

    3. Vincent wrote on

      I use an unique email address for MDN and got zero spam on it.

    4. Pluto wrote on

      I’m also not getting any spam.

  3. Dave wrote on

    MDN currently requires a sign in with Persona. What was in the password fields that were leaked? Was this the old password before switching to the new system, are those with current logins not affected, or was some password/key associated with Persona compromised? Please elaborate.

    1. Stormy wrote on

      It was the old password, not the Persona password.

    2. Ethan Henderson wrote on

      The notifications and this post have said nothing about Persona being affected, only MDN itself.
      And with my understanding of Persona, the actual site (in this case, MDN) only gets the email of the Persona account, no password or anything. So, newer accounts using Persona have seemingly only had their email addresses released and that is all (from what I’ve read).

      The leaked passwords were from older MDN accounts, and they were dumped without the salts, so they should be fine (though you should always play it safe anyways).

      1. Dave wrote on

        If it’s only the old password I used when I first created an account long ago, that’s fine for me as I’ve long since stopped using any variations of it. My email is obtainable in a few places already so this isn’t a horrible occurrence for me personally, but it’s really disappointing to see this happen. :/

      2. Stormy wrote on

        The passwords included salts that were unique to each user record.

        1. patrick gonzales wrote on

          I need to erase the spyware, where do I go to do so?

        2. David Song wrote on

          What type of hash? MD5? bcrypt?

  4. Akif Rabbani wrote on

    This is just a lovely incident for e-mail harvesters.

  5. Luciano wrote on

    Well, I have been receiving a lot of spam lately (like 2 or 3 per day), and that never happened before. I’m not saying it’s related to this issue, but it may be.

    Anyway. I’m not mad at all, my email is already public on my website, and the way you were open about this it’s great.

    1. Stanley wrote on

      I do not agree! In light of big data mining for purposes of exploitation, I believe that Mozilla has two obligations. One is to share broadly a platform that WORKS FOR PEOPLE; which it does. And the other is to protect, at all costs, what is shared is that which one chooses not to share. This is integrity and integral to the internet, in the age we live in.

      1. Meta wrote on

        uhh…
        Stanley, i agree that developers have a responsibility to protect their users… Mozilla did exactly that- they learned of a mistake and they told the people it would have affected.
        if they would have done anything differently, we would all be worse off- we’d be unaware of our vulnerability.
        first step of solving a problem is recognizing that there is one…
        human error exists.
        thats a constant.
        So…
        are you going to incentivize companies to tell you about mistakes/problems which affect you so that you may take steps to protect yourself
        or
        are you going to incentivize companies to try to hide the mistakes/problems which affect you from you (which would leave you wide open to exploitation).

  6. Eduardo Bautista wrote on

    Well that explains the spam.

  7. TonyW wrote on

    Things happen!
    Mozilla should force a reset of passwords, meaning send everyone who might have been affected a link to reset their passwords, or the second someone tries to sign in, force a reset by sending a reset link to the email address on file.

    1. groovecoder wrote on

      One of the concerns with sending reset links in an email like this is the potential for others to phish for accounts that way.

      In any case, there are no more passwords on MDN anyway, so there’s nothing to reset.

    2. Stormy wrote on

      Those passwords can no longer be used to login to MDN. We now use Persona.

      1. Bishal Mukherjee wrote on

        Recently I am also getting some MED–Male Enlrgmnt Spams–RBI– thoroughly state me how to stop these Spammers.

        Thanks a lot to find the Sickness.

    3. Justdave wrote on

      Nobody should ever send links to reset passwords (not as part of an initial notification anyway). That’s the kind of thing phishers do to try to get people to enter their existing passwords as part of the password change form so they can get access to their accounts, so it’s bad to get people used to that being an option. That kind of link should only be sent after the user has themselves specifically hit something on the website to indicate they want it reset. The notification email should tell them where to go to find that link, and not actually link to it.

  8. 想睡 wrote on

    Honestly, I have never wanted to understand the technical terms you are all using!
    What is the point, the meaning?
    I only know that a computer’s ability to execute is really amazing, really powerful!
    But its weakness is also that ability to execute!

  9. TechyZeldaNerd wrote on

    I’ve actually had no spam, so I’m not sure if these are actually in the hands of spammers.
    Don’t you have logs of every time a file is accessed though, I’d think you would be able to tell how many people downloaded it, if any.

    1. Pluto wrote on

      They spent a week investigating it, so I’m assuming they don’t have anything else they could really tell us or will tell us.

  10. Serge wrote on

    The email I received reads “we recommend that you immediately change your password”.
    What are the (actual) steps to do that (and for email address too) ?

    1. groovecoder wrote on

      Change your password on other sites if you re-used your MDN password on those sites.

    2. Stormy wrote on

      Your old MDN password cannot be used to login to MDN anymore, so there is nothing to change on MDN. If you used your old MDN password on any other sites or any variation of that password, you should change your password on those sites.

      1. M. Straver wrote on

        I don’t exactly understand this advice. If the passwords leaked were salted hashes, then you can’t recover the original password from them. So any “similar” passwords would also not be at risk. Was there a bigger problem than just the hashes leaking if you advise people to change similar passwords elsewhere?

        1. Miryafa wrote on

          Salting and hashing passwords doesn’t mean they’ll never be found. Presumably MDN followed the best practices in hashing (using a long, unique salt for each password, using a hashing scheme that hashes them over 10000 times, etc). So it’s impossible to get the passwords out of those hashes right now. However, being leaked means that anyone who has a copy can keep it forever, and the system we use now could be broken eventually. If that happens, then in the (hopefully far distant) future, someone would get the passwords. And at that time, you wouldn’t want to still use that password on other sites.

  11. Gage wrote on

    Just GREAT! 🙁

  12. LeMaire Lee wrote on

    Is there a way to check to make sure I’m okay other than waiting for stuff to happen?

    1. Stormy wrote on

      If you received an email saying your encrypted password was on the public server, and you used that password anywhere else, you should change your password on those other sites.

  13. Daniel Wilson wrote on

    Good luck with following this incident up and thank you for keeping everyone in the loop.

    Accidents happen, but this could have been so easy for a company to just brush this under the rug, thankfully Mozilla go the extra mile and are fully transparent – Exactly how it should be done!

    Keep up the good work guys!
    – Dan

    1. Dejan wrote on

      Exactly!!!!

      Keep up Mozilla

  14. BillD wrote on

    I got a SPAM e-mail saying my MDN email address was temporarily posted on a publicly accessible server and might have possibly been hacked.

    [/Gallows Humor]

  15. Stevan wrote on

    This happens more frequently than we can possibly imagine. Mozilla has an admirable transparency on informing this occurrence, and I’m particularly thankful for that.

  16. Channely wrote on

    This explanatory post let me find the reason spam suddenly appeared over the past month. The impact is small, but it still leaves a bad taste. [|-_-|]

  17. Stanley wrote on

    I do not understand you people, generally, and how lightly this infringement on personal security is processed. Your government, particularly in the United States, is NOT your friend; and neither are the corporations and ‘secret or clandestine operations’ that benefit from these breaches of trust.

  18. Morgan wrote on

    Props to Mozilla for cleaning up and disclosing the breach promptly.

  19. Price Hale wrote on

    I’ve used Firefox for at least 12 years and trust Mozilla and its staff. Your handling of this error is consistent with the kind of trustworthy Mozilla is known for. Sorry you’re having to deal with older equipment. I can only make a small donation, but your situation is a reminder that many small donations could make a significant difference. Thanks to Mozilla’s staff for the continued work.

  20. Jam wrote on

    Well now I know why I started receiving shite loads of junk mail. Haha shite happens…

  21. Channely wrote on

    This post let me discover the truth about why spam suddenly appeared over the past month. The impact is small, but I feel powerless. [|-_-|]

    1. 文科 wrote on

      Why do you all say you received spam, when I haven’t received any?

  22. CT wrote on

    Yeah these things are gonna happen, All I can say is I appreciate how Mozilla has handled this.

  23. opensource wrote on

    Was the Database dump actually accessed from the outside world? I’m sure you guys have server logs that at least show IP addresses.

    Many thanks to the Developer that actually discovered this.

  24. Sarah wrote on

    I’m a bit confused…is MDN the open source team? I don’t remember ever creating a Mozilla account, but maybe I did for support at some point? I must be involved somehow or I would not have gotten that email informing me of this.

    Ahhh, just looked at my logins list, could not figure out why I would have a login for MDN, but was for Bugzilla. Leaving my initial confusion in case it helps someone else who is wondering what the heck. But I made that account AGES ago. Is going to be a hassle, though, unless so old doesn’t matter.

    Hey, spam is just all over, no matter what, and I’ve had it using any ISP I ever have. Use a spamblocker and anti-virus on email, esp if you POP it. My ISP uses anti-virus before they let me have the email, thank goodness (although I’d never open an attachment unless I was expecting it). It’s a defensive world out there. Sometimes I feel like my computer is Ft. Knox, but even so, things get through.

    Thank you for letting us know this and owning up to it. It was very responsible of you. You could have just not told us, esp since it was mostly to alert us if we use the same password multiple places. My email is pretty public and emails can be found easily. Look yourself up on Google if you think not. Stuff happens and it is good to get rid of any logins you don’t use anymore or need. And hey, before you go flaming on Mozilla, some of you, remember how many Fortune 500 companies have had worse happen?

  25. অর্নব দাস wrote on

    Thank you, Mozilla, for informing users about the incident. We trust that Mozilla will fix this weakness in the future.

  26. Robert Longson wrote on

    Why not delete all the old passwords from MDN now that we’re all logging in via Persona. If you’d done that shortly after switch over this issue would not have occurred.

    Are there any other mozilla systems that now use persona but which still have passwords from their pre Persona days?

    1. Pluto wrote on

      It seems like it would be important to keep the passwords for anyone who hasn’t used MDN since the authentication switch to Persona.

  27. Guglielmo wrote on

    Must translate because I’m not understanding what happened. Thanks.

    1. Stormy wrote on

      What language would you like it translated into?

  28. Amit wrote on

    I didn’t know I had an MDN e-mail address.

  29. Axel Hecht wrote on

    Are the old passwords pruned from our prod/stage/etc databases now? As we can’t use them, should be “!” ?

    Also, will the all-auth login changes affect what/if account/password data we store?

  30. Andrew wrote on

    I use a different email address for every site I sign up to, and despite this leak I’ve had no spam (yet) sent to the email address I use for MDN. So maybe the spam some people are getting is from a different source…?

  31. Conrad Kleinespel wrote on

    Oh, that probably explains the large increase in spam of the last weeks. I even emailed my email provider asking what was going on…

  32. gaspard wrote on

    Come on, Mozilla, seriously ? how can this happen ?

    When I fill this comment, there is a field entitled “E-mail (required, will not be published)”, should I enter a fake e-mail address ?

  33. DevilishDB wrote on

    Don’t worry about it, if the passwords were salted and hashed I’m happy. (MD5 or SHA-something? Preferably not MD5 since that’s not as secure.) Also, everyone in the spam industry seems to already know my email address, so I don’t really care still. And I use unique, random per-site passwords so if it gets hacked I can just change it. Thank you for notifying everyone.

  34. Matthieu Jung wrote on

    Many thanks for your transparency.

  35. Gray wrote on

    Thanks for being open and honest about it.

  36. Steve lee wrote on

    Thanks for coming clean quickly. It always inspires some confidence.

    Perhaps use a one way hash rather than encryption for password storage in future?

  37. SIETEC wrote on

    While I appreciate the full disclosure, I see a couple of MAJOR screw ups with this situation. The first is – why are the Mozilla DB’s dumping personally identifiable information into any publicly accessible domain in the first place? For what purpose is it that anyone without proper credentials should have access to any contents of the databases? Perhaps I’m reading the disclosure wrong, but I’m assuming this was a back-end database for general authentication and user demographics/etc. so I’m just confused as to why and how a dump would suddenly occur into a publicly accessible area (without malicious intervention or seriously flawed code).

    The second issue is – if the old username and password combos are DEFUNCT, why are they even still in existence anywhere? Since the conversion to the new SSO utility (forgot it’s name), are there any people that even still use the old method to access their account? Or does the new sign on actually take the information passed to it and hand it to the database in question for further processing and authentication? That would explain issue number two, although, it is always a best practice to minimize the attack surface by streamlining confidential information to the smallest (within reason for performance, redundancy and security) set of servers possible – especially any that are publicly vulnerable. So, this issue number two takes me back to number one. Why is the database (malfunctioning or not) dumping information outside the confines of the private backends? That is a very serious and, frankly, embarrassing issue for Mozilla.

    I take issue with something like this occurring mainly for the simple reason that, while FF is still my favorite browser and I still actively develop with it and for it, Mozilla has been taking a more and more confining stance on the security of the browser – to the point of making it almost unusable in certain scenarios and with many of those issues unable to be modified. While this is not the correct forum to discuss my gripe with Firefox and the lack of end-user ability to override things, etc. I found it quite ironic that such a situation would happen to an organization so terrified of security issues.

    Anyway, the heads up is appreciated. Take care.

    1. groovecoder wrote on

      See https://news.ycombinator.com/item?id=8123781:

      ” A process failed, and the DB dump that is published to help contributors improve the MDN site got out unsanitized. The sanitization/publication process will be redesigned to include stricter controls. For now, it is shut down.

      MDN has been using persona for a while now, meaning that most accounts don’t have passwords in the database. But older accounts still had the SHA256 salted hash that Django creates.”

  38. Rolandas wrote on

    Things like that could happen to anyone. Stay strong, Mozilla.

  39. Steve lee wrote on

    Thanks for coming clean quickly. It always inspires confidence.

    Glad you used a one way hash rather than plain encryption for password storage.

  40. Sander wrote on

    To those linking this incident to an increase in spam: I have a unique email address which I _only_ used to register at MDN, and I have received _zero_ spam email (or any email at all, really) on that email address. Same as Andrew and TechyZeldaNerd above. I think it’s extremely unlikely spam harvesters discovered this database dump during the month it was accessible. (For all that it was “publicly accessible”, it wasn’t in a place where spam harvesters or anyone else malicious would be likely to be looking.)

    Thanks Mozilla for the professional handling and disclosure.

  41. Steve Lee wrote on

    Thanks for letting us know quickly after you had performed your analysis. That always inspires confidence.

    It’s good you used best practice of one way hashes for password storage.

  42. Jake Nixon wrote on

    Not too happy about this, but at least I didn’t get any spam emails.

  43. mojo706 wrote on

    Aaah, that explains the increase in spam in my spam folder. Luckily it is my public email and they didn’t get my password. Oh, thanks too for letting me know; I changed everything just in case.

  44. Gautham PJ wrote on

    Thanks for letting us know of the mishap and being honest about it. Appreciate the openness about it.
    Not much damage done to me, hope everyone feels the same way.

  45. I Hate Mozilla wrote on

    Thank you so much! My email address is now corrupted by Mozilla. I get lot of spam every day. Before this tragedy, I get no spam.

  46. Andreas wrote on

    Thanks for informing us!

  47. xgdfdfbcbvbc wrote on

    This explains why I have gotten a constant influx of spam since one random day in July before which I previously got very little or no spam.

  48. Miryafa wrote on

    Thank you for reporting this faster than the business norm (a month, and I’m assuming you finished the investigation on July 23). No sarcasm. I appreciate your transparency Mozilla.

  49. Dale S wrote on

    Disappointing that as a “Developer” site, you do not realize that “hashing” != “encrypting”. I see that you explain what you mean later in it, but still let’s be professional and use the right terms to start.

    You don’t see McDonald’s advertising “Get a foot long hotdog”, and then later say “Well by foot long hotdog, we really mean a hamburger patty that we cut into thin slices and put in a hot dog bun”. They’re just not the same.

  50. Matthew wrote on

    Thanks for being honest. I really appreciate it and I’m not mad. Good luck!

  51. Kiomi wrote on

    I Googled my email and found it on a email data list website, I’ll have spam for life…

    1. Racheal wrote on

      Someone is using my pictures and making user names on porno sites how do I stop this

  52. Hans Schmucker wrote on

    Well… sh*t happens…

    But maybe we can take the full disclosure one step further:
    The mail isn’t exactly clear whether I belong to the “they just got the address” or the “they got everything” category. I guess the first one, since I haven’t accessed MDN during that time, but I can’t be sure.

    I’m also unsure what password I had on this account… my guess is that it’s one of my old ones which was used with some subtle changes on a variety of sites (nowadays I use a password generator). So if you have the time, it would be great if you could notify us whether we belong in group #1 or #2 and if possible give us a way to check which password we used (basically by providing a field that checks any user input against the saved hash).

    Of course such a breach isn’t something that’s supposed to happen, but I really want to say that you did the right thing by informing everybody as quickly as possible. Why the heck isn’t everybody doing it this way? 😉

    1. Michael wrote on

      Hi Hans, I was wondering if you could explain to me how you use a password generator? I guess what I’m asking, are you changing your password each log-in? I myself have had a few email accounts hacked and like the idea of increased security. Please advise me.
      Michael

  53. Leonardo wrote on

    I’m glad I got e-mailed about this, otherwise I would never know.

  54. Ahmed Tareque Pantha wrote on

    I wish it will not gonna happen again. amiin …

    1. Anees Iqbal wrote on

      I wonder, how come you are on MDN, It was meant to be a developer network, you guys talk like gangstas. That poor guy just said I hope it’ll not happen again. what’s wrong about it..?

  55. Hacker wrote on

    This is our chance to finally committed to repository support for webp in firefox!

  56. Austin wrote on

    “Your email address (but not password) was posted”

    Were the 4000 users with leaked passwords sent a different email?

    1. Austin wrote on

      NVM, I see they were sent notices.

      1. Felipesvjr wrote on

        I’ve been using Gmail since Mozilla Messaging / Thunderbird; now on MDN I’m still not changing my email address…

  57. harry wrote on

    so where do we go to change our password, it would be nice to have a link to that point

    1. Daniel Veditz wrote on

      There are no more passwords on MDN, the site now uses “Persona” for authentication. You don’t need to change anything on MDN itself. If you were notified that your password was potentially at risk AND if you re-use the same password on multiple sites then you should change your password on any site that used the same password.

  58. Philippe Verdy wrote on

    I was notified about the mail address disclosure, however the salted hashed passwords are still a severe issue and we should have been notified if the hashed passwords had been disclosed too (because they can now be targeted offline by brute force attacks, possibly distributed to find collisions).
    If the hashed passwords had been disclosed you should have warned us to change the password and look in our own private database of passwords if they match with some passwords used in other websites (I hope this is not the case; because I now use a password generator for most sites since about one year, however my account on MDN is much older and I have probably not updated the password since long here and possibly the local password is not so unique and could be used to look for some other related passwords on other websites).
    Before I used a password generator and password manager I was already using distinct passwords for many websites, but with some mnemonic way, and these distinct old passwords could possibly be guessed because they were mnemonic. I no longer use any mnemonic rule for new passwords added and changed since one year and on all the most widely used sites. As all these new passwords have absolutely no mnemonic way to be remembered, this also means that I’m dependent on my email manager (which uses itself for its master password a long passphrase, with strange and unexpected meaning and no relation between several concepts linked in that strange phrase (which also contains some rare characters plus some voluntary typos in their syntax, and an invented word not existing in any dictionary; but still pronounceable for me, and another word in a foreign language).

    1. Pluto wrote on

      Read the blog, it says that it notified users whose password hashes were revealed:

      “The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.”

    2. Daniel Veditz wrote on

      We did exactly what you suggest for the people who had not logged in to MDN since we stopped using passwords and whose hashed passwords were exposed. A separate mail was sent to those people with more information about passwords.

  59. Fira wrote on

    While I was unaffected, I thank you and the entire team for being so open and transparent about this issue. This is why I trust Mozilla more than many of the large tech companies. Openness is the key to building that trust, and seeing it in action reinforces it.

  60. Roos wrote on

    I googled my e-mail address, i found it in some list of e-mails published on the main pages of an unknown (for me) website.

  61. Nocarz wrote on

    Good luck and I hope this never happens again.

  62. Claudia g wrote on

    Hey, I don’t understand what’s going on. My cellular phone was encrypted and when I try to get in with my password it was impossible to get in.
    So I lost all my information.
    Were you responsible about this?
    Can you help me please?
    I’m with cover of my information because it was very important for me because I’m a writer.
    Sorry if my English is not the best but I’m from Chile, South America.

  63. Ezequiel tafur peralta wrote on

    See security.

  64. gb2g wrote on

    Terrific I spent the last four hours changing all my passwords.

    1. Stop wrote on

      Use Lastpass, stop reusing passwords, and stop complaining.

  65. lordfuoco wrote on

    I was wondering why spam started to pour in my gmail account. Found the reason. This is pretty sad.

    1. Pluto wrote on

      Didn’t happen to me at all. I’m not using Gmail, but either whoever didn’t target everyone on the email list or perhaps there’s another cause for your spam.

  66. Slau wrote on

    I understand it’s not about piracy but about incompetency… Maybe you should worry more about security and user service and less about people’s personal opinion ? Maybe you should have kept Brendan Eich ?

  67. Jessie wrote on

    I know my ex fiancée did this! She knows all about those special apps to use on her phone! She can see everything I do on my phone and she can change my info and see EVERYTHING I DO ON MY PHONE!!! What can I do? I already went through AT&T and they did all they could do WITHOUT cutting her service off. HELP

    1. Zak wrote on

      @Jessie – What are you smoking bro? Change your damn passwords (especially email) and factory reset your damn phone.

      This article is about a database leak from Mozilla’s MDN website, that as far as they are aware was not caused by malicious activity, but a mistake.
      The nature of the leak is only email addresses and pre-encrypted passwords.
      The pre-encrypted passwords that were leaked have a pretty minimal security threat.
      Somebody has to do a lot of work to get your actual password from them.

      That said it is still technically possible to crack your plain text password from the encrypted passwords; Best practices demand you change your password on any system or service that you use a similar password with.

      1. Imanol wrote on

        About the leak…

        Posted on a public server by mistake?? -_-

        Impossible is nothing, but…

        Another people should stop smoking too, just in case.

    2. Imanol wrote on

      Don’t stop smoking mate! I laughed very hard at your comment. You made my day. 🙂

  68. Washington wrote on

    Now I understand why I was getting over 500 emails a day, every virus, spam, advertisements, until I lost access to my email, Microsoft said there was unusual activity on my account, I lost access to messages, photos and important contacts and even claiming it was not my fault I did not have access to my account. I do not trust in Mozilla.

  69. Kevin Garrity wrote on

    Don’t have a whole lot of nothing to comment on other than this all can become almost nightmares.

  70. lwz wrote on

    1. Maybe there should be a CAPTCHA for this blog.
    2. Many email addresses are somehow already available here: http://people.mozilla.org/~eakhgari/gitdm-mozilla.txt

    1. Daniel Veditz wrote on

      Those addresses are from contributors to Firefox source code. People who check in code must have a publicly available development address so people can communicate with them about their changes if necessary.

  71. dbd wrote on

    I know that these kind of things may happen even to a big corporation, but still…

  72. Malakeh erlinda Abdullah wrote on

    THS JUST ADDS MORE HEADACHES. IM THNKIN THA UR SECURITY SHULD B PROTECTIN MY PERSONEL INFO. I ALREADY HAV MAJOR ISSUES WIT FRAUDULENT USEAGE OF MY EMAILS, N IDENTITY THIEVES. N IM CONSTANTLY HAVIN 2 CHANGE MY PASSWORDS. N THM CODE GENERATED PASSWORDS R USELESS 4 ME. VERIFICATION BY SMS SEEMS TH ONLY GD THNG. N THA REMOTE ACCESS REALLY NDS 2 B REMOVED 4 EVR AS I DIDNT GIV PERMISSION 4 NO SKANK NOR SWINGIN DICK 2 B N MY SHIT. AS I OBSERVED THS ASSWIPES R USIN MY NAM 2 PORNO N SMUT GARBAGE. I AM 100% FEMALE YET I DAILY B GETTIN EMAILS FRM BITCHES LOOKIN 4 DATES N ALWAYS TH DATA DATE IS 12-31-1969. N I TRIED 2 REPLY N THR EMAIL IS FAKE. SO THR ENCRIPTED SHIT IS GOIN ON ILLEGALLY USIN MY NAM. N HOW DO I KNO THA THEY HAVNT PUT ILLEGAL APPS OR WEBSITES ON MY DEVICES. N WHO N THM “HIGH TECH DEVELOPERS” IS CHECKIN N 2 THS PROBLEMS.

  73. Anonymous wrote on

    LOL