Categories: Security

MDN Database Disclosure

We have just concluded an investigation into a disclosure affecting members of the Mozilla Developer Network. We began investigating the incident as soon as we learned of the disclosure. The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process for the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of the MDN email addresses of about 76,000 users and the encrypted passwords of about 4,000 users on a publicly accessible server. As soon as we learned of it, the database dump file was removed from the server, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.
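One defensive control the incident points to, as an added example that is not MDN's own tooling: a fail-closed verifier run before a dump is published, which refuses to release the file unless every sensitive column has verifiably been scrubbed, so a silently failing sanitization step cannot result in publication. The column names, the placeholder convention and the sample dumps are constructed assumptions.

```python
import re

# Assumed policy (constructed for this example): these columns must be scrubbed
# to a placeholder before a dump may leave the private host.
SENSITIVE_COLUMNS = {"email", "password"}
ALLOWED_PLACEHOLDERS = {"", "<redacted>"}
# Anything that still looks like a mailbox, in any column, counts as a leak too.
EMAIL_RE = re.compile(r"[^@\s,]+@[^@\s,]+\.[^@\s,]+")

def parse_dump(text):
    """Parse a minimal comma-separated dump: a header line, then one row per line."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = [h.strip() for h in lines[0].split(",")]
    rows = [[c.strip() for c in ln.split(",")] for ln in lines[1:]]
    return header, rows

def find_leaks(text):
    """Return (row, column, reason) for every value the scrub should have removed."""
    header, rows = parse_dump(text)
    leaks = []
    for n, row in enumerate(rows, start=1):
        if len(row) != len(header):
            leaks.append((n, "*", "malformed row, cannot verify"))
            continue
        for col, val in zip(header, row):
            if col in SENSITIVE_COLUMNS and val not in ALLOWED_PLACEHOLDERS:
                leaks.append((n, col, "sensitive column not scrubbed"))
            elif EMAIL_RE.search(val):
                leaks.append((n, col, "email-like value outside scrubbed columns"))
    return leaks

def safe_to_publish(text):
    """Fail closed: True only when the dump parsed and no leak was found."""
    try:
        return not find_leaks(text)
    except IndexError:  # empty input: nothing verifiable, so do not publish
        return False

# Constructed sample dumps (not real MDN data).
UNSANITIZED = """id,username,email,password
1,alice,alice@example.org,c2FsdA:9f2ab17c
2,bob,bob@example.net,c2FsdDI:41e0d5aa
"""
SANITIZED = """id,username,email,password
1,alice,<redacted>,
2,bob,<redacted>,
"""
```

Wiring `safe_to_publish` as the gate of the publish step means a broken scrub produces a blocked release and an alert, not a public copy of the raw table.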

We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you.

The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.

In addition to notifying users and recommending short-term fixes, we are also reviewing the processes and principles currently in place to see what can be improved to reduce the likelihood of something like this happening again. If you have questions, please reach out to


Stormy Peters
Director of Developer Relations

Joe Stevensen
Operations Security Manager

116 comments on “MDN Database Disclosure”

  1. Stojković wrote on

    Good luck with fixing that. This shouldn’t happen again.

  2. Andre wrote on

    Ah... This is just lovely. It could also explain why the amount of spam I get has increased in the last month. I used to only get about 20 in a month; now I’ve got almost 60, each of which seems to be the same message (but from different source addresses).

    Guess it’s a bit late now, they have my address already.. Whoever “they” are. :/

    1. max wrote on

      lol lollol lollol lollol lollol

    2. iMitwe wrote on

      That’s it. I have so many spams these last days.

      1. Stefan wrote on

        me too..
        normally on this account i had NO spam!!!
        and now i have about 10..30 spam messages a day!!

        1. Erwan wrote on

          Same here :-(!

          It hasn’t happened to me in YEARS, never been spammed so much, kind of desperate (just can’t change using what is my main email since YEARS).

          Such a pain, you should have recommended to us to use a dedicated email…!


    3. Vincent wrote on

      I use a unique email address for MDN and got zero spam on it.

    4. Pluto wrote on

      I’m also not getting any spam.

  3. Dave wrote on

    MDN currently requires a sign in with Persona. What was in the password fields that were leaked? Was this the old password before switching to the new system, are those with current logins not affected, or was some password/key associated with Persona compromised? Please elaborate.

    1. Stormy wrote on

      It was the old password, not the Persona password.

    2. Ethan Henderson wrote on

      The notifications and this post have said nothing about Persona being affected, only MDN itself.
      And with my understanding of Persona, the actual site (in this case, MDN) only gets the email of the Persona account, no password or anything. So, newer accounts using Persona have seemingly only had their email addresses released and that is all (from what I’ve read).

      The leaked passwords were from older MDN accounts, and they were dumped without the salts, so they should be fine (though you should always play it safe anyways).

      1. Dave wrote on

        If it’s only the old password I used when I first created an account long ago, that’s fine for me as I’ve long since stopped using any variations of it. My email is obtainable in a few places already so this isn’t a horrible occurrence for me personally, but it’s really disappointing to see this happen. :/

      2. Stormy wrote on

        The passwords included salts that were unique to each user record.

        1. patrick gonzales wrote on

          I need to erase the spyware. Where do I go to do so?

        2. David Song wrote on

          What type of hash? MD5? bcrypt?

  4. Akif Rabbani wrote on

    This is just a lovely incident for e-mail harvesters.

  5. Luciano wrote on

    Well, I have been receiving a lot of spam lately (like 2 or 3 per day), and that never happened before. I’m not saying it’s related to this issue, but it may be.

    Anyway. I’m not mad at all, my email is already public on my website, and the way you were open about this is great.

    1. Stanley wrote on

      I do not agree! In light of big data mining for purposes of exploitation, I believe that Mozilla has two obligations. One is to share broadly a platform that WORKS FOR PEOPLE; which it does. And the other is to protect, at all costs, what is shared that which one chooses not to share. This is integrity and integral to the internet, in the age we live in.

      1. Meta wrote on

        Stanley, I agree that developers have a responsibility to protect their users… Mozilla did exactly that: they learned of a mistake and they told the people it would have affected.
        If they would have done anything differently, we would all be worse off; we’d be unaware of our vulnerability.
        The first step of solving a problem is recognizing that there is one…
        Human error exists.
        That’s a constant.
        Are you going to incentivize companies to tell you about mistakes/problems which affect you so that you may take steps to protect yourself?
        Or are you going to incentivize companies to try to hide the mistakes/problems which affect you from you (which would leave you wide open to exploitation)?

  6. Eduardo Bautista wrote on

    Well that explains the spam.

  7. TonyW wrote on

    Things happen!
    Mozilla should force a reset of passwords, meaning send everyone who might have been affected a link to reset their passwords, or the second someone tries to sign in, force a reset by sending a reset link to the email address on file.

    1. groovecoder wrote on

      One of the concerns with sending reset links in an email like this is the potential for others to phish for accounts that way.

      In any case, there are no more passwords on MDN anyway, so there’s nothing to reset.

    2. Stormy wrote on

      Those passwords can no longer be used to login to MDN. We now use Persona.

      1. Bishal Mukherjee wrote on

        Recently I am also getting some MED–Male Enlrgmnt Spams–RBI- thoroughly state me how to stop these Spammers.

        Thanks a lot to find the Sickness.

    3. Justdave wrote on

      Nobody should ever send links to reset passwords (not as part of an initial notification anyway). That’s the kind of thing phishers do to try to get people to enter their existing passwords as part of the password change form so they can get access to their accounts, so it’s bad to get people used to that being an option. That kind of link should only be sent after the user has themselves specifically hit something on the website to indicate they want it reset. The notification email should tell them where to go to find that link, and not actually link to it.

  8. 想睡 wrote on


  9. TechyZeldaNerd wrote on

    I’ve actually had no spam, so I’m not sure if these are actually in the hands of spammers.
    Don’t you have logs of every time a file is accessed, though? I’d think you would be able to tell how many people downloaded it, if any.

    1. Pluto wrote on

      They spent a week investigating it, so I’m assuming they don’t have anything else they could really tell us or will tell us.

  10. Serge wrote on

    The email I received reads “we recommend that you immediately change your password”.
    What are the (actual) steps to do that (and for email address too) ?

    1. groovecoder wrote on

      Change your password on other sites if you re-used your MDN password on those sites.

    2. Stormy wrote on

      Your old MDN password cannot be used to login to MDN anymore, so there is nothing to change on MDN. If you used your old MDN password on any other sites, or any variation of that password, you should change your password on those sites.

      1. M. Straver wrote on

        I don’t exactly understand this advice. If the passwords leaked were salted hashes, then you can’t recover the original password from them. So any “similar” passwords would also not be at risk. Was there a bigger problem than just the hashes leaking if you advise people to change similar passwords elsewhere?

        1. Miryafa wrote on

          Salting and hashing passwords doesn’t mean they’ll never be found. Presumably MDN followed the best practices in hashing (using a long, unique salt for each password, using a hashing scheme that hashes them over 10000 times, etc). So it’s impossible to get the passwords out of those hashes right now. However, being leaked means that anyone who has a copy can keep it forever, and the system we use now could be broken eventually. If that happens, then in the (hopefully far distant) future, someone would get the passwords. And at that time, you wouldn’t want to still use that password on other sites.

  11. Gage wrote on

    Just GREAT! 🙁

  12. LeMaire Lee wrote on

    Is there a way to check to make sure I’m okay other than waiting for stuff to happen?

    1. Stormy wrote on

      If you received an email saying your encrypted password was on the public server, and you used that password anywhere else, you should change your password on those other sites.

  13. Daniel Wilson wrote on

    Good luck with following this incident up and thank you for keeping everyone in the loop.

    Accidents happen, but this could have been so easy for a company to just brush this under the rug, thankfully Mozilla go the extra mile and are fully transparent – Exactly how it should be done!

    Keep up the good work guys!
    – Dan

    1. Dejan wrote on

      Keep up Mozilla

  14. BillD wrote on

    I got a SPAM e-mail saying my MDN email address was temporarily posted on a publicly accessible server and might have possibly been hacked.

    [/Gallows Humor]

  15. Stevan wrote on

    This happens more frequently than we can possibly imagine. Mozilla has an admirable transparency on informing this occurrence, and I’m particularly thankful for that.

  16. Channely wrote on


  17. Stanley wrote on

    I do not understand you people, generally, and how lightly this infringement on personal security is processed. Your government, particularly in the United States, is NOT your friend; and neither are the corporations and ‘secret or clandestine operations’ that benefit from these breaches of trust.

  18. Morgan wrote on

    Props to Mozilla for cleaning up and disclosing the breach promptly.

  19. Price Hale wrote on

    I’ve used Firefox for at least 12 years and trust Mozilla and its staff. Your handling of this error is consistent with the kind of trustworthiness Mozilla is known for. Sorry you’re having to deal with older equipment. I can only make a small donation, but your situation is a reminder that many small donations could make a significant difference. Thanks to Mozilla’s staff for the continued work.

  20. Jam wrote on

    Well now I know why I started receiving shite loads of junk mail. Haha shite happens…
