MDN Database Disclosure

Stormy


We have just concluded an investigation into a disclosure affecting members of Mozilla Developer Network. We began investigating the incident as soon as we learned of the disclosure. The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23 and continuing for a period of 30 days, a data sanitization process for the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server. As soon as we learned of it, the database dump file was removed from the server and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.

We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you.

The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.

In addition to notifying users and recommending short-term fixes, we’re also reviewing the processes and principles in place to see where they can be improved, to reduce the likelihood of something like this happening again. If you have questions, please reach out to security@mozilla.org.
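The failure described above is a sanitization step that stopped working without anything noticing, so the unsanitized dump kept being published. One mitigation is a fail-closed gate that scans the generated dump for residual personal data before it is allowed onto a public server. The following is an added illustration, not Mozilla's or MDN's own code; the SQL rows are constructed, and the `<algorithm>$<salt>$<hash>` password layout it looks for is an assumed format chosen for the example.

```python
import re

# Constructed sample rows in the shape of a SQL dump; NOT real MDN data.
UNSANITIZED_DUMP = """INSERT INTO `auth_user` VALUES (1,'alice','alice@example.org','sha1$a1b2c3$0123456789abcdef0123456789abcdef01234567');
INSERT INTO `auth_user` VALUES (2,'bob','bob@example.net','pbkdf2_sha256$10000$c2FsdA$AbCdEfGhIjKlMnOpQrStUvWxYz0123456789abcdefghi=');
"""
# The same rows after a sanitizer has replaced addresses and hashes with placeholders.
SANITIZED_DUMP = """INSERT INTO `auth_user` VALUES (1,'alice','user1@localhost','!');
INSERT INTO `auth_user` VALUES (2,'bob','user2@localhost','!');
"""

# Real-looking address: anything@domain.tld, ignoring the 'localhost' placeholder domain.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?!localhost\b)[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed password-hash layout "<algorithm>$<salt>$<hash>" inside a quoted SQL string.
HASH_RE = re.compile(r"'(?:sha1|pbkdf2_sha256|bcrypt\w*)\$[^']*\$[^']+'")


def scan_dump(dump_text):
    """Count values that still look like real email addresses and password hashes."""
    emails = set(EMAIL_RE.findall(dump_text))
    hashes = HASH_RE.findall(dump_text)
    return {"emails": len(emails), "password_hashes": len(hashes)}


def publish_allowed(dump_text):
    """Fail closed: the dump may be published only when the scan finds nothing sensitive.

    A sanitizer that silently stops running therefore blocks publication instead of
    quietly shipping the raw table, which is the failure mode the post describes.
    """
    findings = scan_dump(dump_text)
    return findings["emails"] == 0 and findings["password_hashes"] == 0


if __name__ == "__main__":
    for name, dump in (("unsanitized", UNSANITIZED_DUMP), ("sanitized", SANITIZED_DUMP)):
        print(name, scan_dump(dump), "publish:", publish_allowed(dump))
```

In a real pipeline the gate would run on the dump file right after the sanitizer and before the copy step, and a blocked publish should page someone rather than just log.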

Thanks,

Stormy Peters
Director of Developer Relations

Joe Stevensen
Operations Security Manager

116 responses

  1. Nocarz wrote on :

    Good luck and I hope this never happens again.

  2. Claudia g wrote on :

    Hey, I don’t understand what’s going on. My cellular phone was encrypted and when I’m fine get in the with my password it was impossible to get in.
    Show loss all my information.
    Were you responsible about this?
    Can you help me please?
    I’m with cover of my information because was very important for me because I’m a writer.
    Sorry if my English is not the best but I’m from Chile, South America.

  3. Ezequiel tafur peralta wrote on :

    See security

  4. gb2g wrote on :

    Terrific, I spent the last four hours changing all my passwords.

    1. Stop wrote on :

      Use Lastpass, stop reusing passwords, and stop complaining.

  5. lordfuoco wrote on :

    I was wondering why spam started to pour in my gmail account. Found the reason. This is pretty sad.

    1. Pluto wrote on :

      Didn’t happen to me at all. I’m not using Gmail, but either whoever didn’t target everyone on the email list or perhaps there’s another cause for your spam.

  6. Slau wrote on :

    I understand it’s not about piracy but about incompetency… Maybe you should worry more about security and user service and less about people’s personal opinion? Maybe you should have kept Brendan Eich?

  7. Jessie wrote on :

    I know my ex fiancée did this! She knows all about those special apps to use on her phone! She can see everything I do on my phone and she can change my info and see EVERYTHING I DO ON MY PHONE!!! What can I do? I already went through AT&T and they did all they could do WITHOUT cutting her service off. HELP

    1. Zak wrote on :

      @Jessie – What are you smoking bro? Change your damn passwords (especially email) and factory reset your damn phone.

      This article is about a database leak from Mozilla’s MDN website, that as far as they are aware was not caused by malicious activity, but a mistake.
      The nature of the leak is only email addresses and pre-encrypted passwords.
      The pre-encrypted passwords that were leaked pose a pretty minimal security threat.
      Somebody has to do a lot of work to get your actual password from them.

      That said, it is still technically possible to crack your plain text password from the encrypted passwords; best practices demand you change your password on any system or service that you use a similar password with.

      1. Imanol wrote on :

        About the leak…

        Posted on a public server by mistake?? -_-

        Impossible is nothing, but…

        Another people should stop smoking too, just in case.

    2. Imanol wrote on :

      Don’t stop smoking mate! I laughed very hard at your comment. You made my day. :)

  8. Washington wrote on :

    Now I understand why I was getting over 500 emails a day, every virus, spam, advertisements, until I lost access to my email, Microsoft said there was unusual activity on my account, I lost access to messages, photos and important contacts and even claiming it was not my fault I did not have access to my account. I do not trust in Mozilla.

  9. Kevin Garrity wrote on :

    Don’t have a whole lot of nothing to comment on other than this all can become almost nightmares.

  10. lwz wrote on :

    1. Maybe there should be a CAPTCHA for this blog.
    2. Many email addresses are somehow already available here: http://people.mozilla.org/~eakhgari/gitdm-mozilla.txt

    1. Daniel Veditz wrote on :

      Those addresses are from contributors to Firefox source code. People who check in code must have a publicly available development address so people can communicate with them about their changes if necessary.

  11. dbd wrote on :

    I know that these kinds of things may happen even to a big corporation, but still…

  12. Malakeh erlinda Abdullah wrote on :

    THS JUST ADDS MORE HEADACHES. IM THNKIN THA UR SECURITY SHULD B PROTECTIN MY PERSONEL INFO. I ALREADY HAV MAJOR ISSUES WIT FRAUDULENT USEAGE OF MY EMAILS, N IDENTITY THIEVES. N IM CONSTANTLY HAVIN 2 CHANGE MY PASSWORDS. N THM CODE GENERATED PASSWORDS R USELESS 4 ME. VERIFICATION BY SMS SEEMS TH ONLY GD THNG. N THA REMOTE ACCESS REALLY NDS 2 B REMOVED 4 EVR AS I DIDNT GIV PERMISSION 4 NO SKANK NOR SWINGIN DICK 2 B N MY SHIT. AS I OBSERVED THS ASSWIPES R USIN MY NAM 2 PORNO N SMUT GARBAGE. I AM 100% FEMALE YET I DAILY B GETTIN EMAILS FRM BITCHES LOOKIN 4 DATES N ALWAYS TH DATA DATE IS 12-31-1969. N I TRIED 2 REPLY N THR EMAIL IS FAKE. SO THR ENCRIPTED SHIT IS GOIN ON ILLEGALLY USIN MY NAM. N HOW DO I KNO THA THEY HAVNT PUT ILLEGAL APPS OR WEBSITES ON MY DEVICES. N WHO N THM “HIGH TECH DEVELOPERS” IS CHECKIN N 2 THS PROBLEMS.

  13. Anonymous wrote on :

    LOL
