MDN Database Disclosure

We have just concluded an investigation into a disclosure affecting members of the Mozilla Developer Network. We began investigating the incident as soon as we learned of the disclosure. The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server. As soon as we learned of it, the database dump file was removed from the server, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.
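The failure described above is a sanitization step that stopped doing its job while the step that publishes the dump kept running. The Python below is an added example, not Mozilla's or MDN's code, contrasting a fail-open pipeline (a sanitizer error is logged and the raw rows go out anyway) with a fail-closed one that independently scans the candidate dump for residual email addresses and password hashes before anything is released. The table layout, sample rows, regexes and `publish_*` function names are all constructed for illustration.

```python
import re

# Constructed sample rows in the shape of a user table; not MDN's schema or data.
# The "password" field holds a salted hash in an "algorithm$salt$digest" layout.
SAMPLE_ROWS = [
    {"id": 1, "username": "alice", "email": "alice@example.org",
     "password": "pbkdf2_sha256$1a2b3c$9f86d081884c7d659a2feaa0c55ad015"},
    {"id": 2, "username": "bob", "email": "bob@example.net",
     "password": "pbkdf2_sha256$4d5e6f$2cf24dba5fb0a30e26e83b2ac5b9e29e"},
    {"id": 3, "username": "carol", "email": "carol@example.com",
     "password": ""},  # account that only ever signed in via Persona: no hash stored
]

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
HASH_RE = re.compile(r"^[a-z0-9_]+\$[0-9a-f]+\$[0-9a-f]+$")
PLACEHOLDER_DOMAIN = "example.invalid"


def sanitize_row(row):
    """Replace the two sensitive fields with non-reversible placeholders."""
    out = dict(row)
    out["email"] = f"user{row['id']}@{PLACEHOLDER_DOMAIN}"
    out["password"] = ""  # credential material never belongs in a public dump
    return out


def broken_sanitize_row(row):
    """Stand-in for a sanitizer that has started failing (constructed, not MDN's)."""
    raise RuntimeError("sanitizer misconfigured")


def find_residual_secrets(rows):
    """Scan a candidate dump; return (row id, field) pairs that still look sensitive."""
    findings = []
    for row in rows:
        email = row.get("email", "")
        if EMAIL_RE.search(email) and not email.endswith("@" + PLACEHOLDER_DOMAIN):
            findings.append((row["id"], "email"))
        if HASH_RE.match(row.get("password", "")):
            findings.append((row["id"], "password"))
    return findings


def publish_open_fail(rows, sanitize):
    """Fail-open pipeline: a sanitizer error is logged and the raw rows go out anyway."""
    try:
        rows = [sanitize(r) for r in rows]
    except Exception as exc:  # swallowing the error is the defect being illustrated
        print(f"warning: sanitization failed ({exc}); continuing")
    return {"published": True, "rows": rows}


def publish_fail_closed(rows, sanitize):
    """Fail-closed pipeline: sanitize, then verify independently before publishing."""
    try:
        candidate = [sanitize(r) for r in rows]
    except Exception as exc:
        return {"published": False, "reason": f"sanitizer error: {exc}"}
    findings = find_residual_secrets(candidate)
    if findings:
        # The check does not trust the sanitizer; it looks at the output itself,
        # so a sanitizer that silently does nothing is caught as well.
        return {"published": False, "reason": f"residual secrets: {findings}"}
    return {"published": True, "rows": candidate}


if __name__ == "__main__":
    print(publish_open_fail(SAMPLE_ROWS, broken_sanitize_row)["published"])
    print(publish_fail_closed(SAMPLE_ROWS, broken_sanitize_row))
    print(publish_fail_closed(SAMPLE_ROWS, sanitize_row)["published"])
```

The verification step deliberately does not reuse the sanitizer's logic: it is a separate, negative check ("does anything in here still look like an email or a hash?"), so it catches both a sanitizer that raises and one that quietly passes rows through unchanged, which is the harder failure to notice in a long-running cron job.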

We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you.

The encrypted passwords were salted hashes, and by themselves they cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected. For those who had both their email address and encrypted password disclosed, we recommended that they change any similar passwords they may be using.

In addition to notifying users and recommending short-term fixes, we are also reviewing the processes and principles that are in place to see what can be improved to reduce the likelihood of something like this happening again. If you have questions, please reach out to security@mozilla.org.

Thanks,

Stormy Peters
Director of Developer Relations

Joe Stevensen
Operations Security Manager

116 responses

  1. Stojković wrote on :

    Good luck with fixing that. This shouldn’t happen again.

  2. Andre wrote on :

Ah.. This is just lovely. It could also explain why the amount of spam I get has increased in the last month, I used to only get about 20 in a month, now I’ve got almost 60, each of which seems to be the same message (but from different source addresses).

    Guess it’s a bit late now, they have my address already.. Whoever “they” are. :/

    1. max wrote on :

      TOTALLY AGREE! IN THE PAST 45 DAYS SINCE MOZILLA SOLD MY EMAIL ADDRESS TO SPAMMERS I’M AT 40 SPAM EMAILS/DAY! ! ! !

      NEXT TIME MOZILLA SELLS THEIR LIST THEY SHOULD AT LEAST GIVE US A PIECE OF THE PIE.

      I WOULD HAVE USED AN AOL ACCOUNT TO SIGN UP FOR THIS SERVICE.

      lol lollol lollol lollol lollol

    2. iMitwe wrote on :

      That’s it. I have so many spams these last days.

      1. Stefan wrote on :

me too..
normally on this account I had NO spam!!!
and now I have about 10..30 spam messages a day!!
        🙁

        1. Erwan wrote on :

          Same here :-(!

It hasn’t happened to me in YEARS, never been spammed so much, kind of desperate (just can’t change what has been my main email for YEARS).

Such a pain, you should have recommended that we use a dedicated email…!

          Regards.

    3. Vincent wrote on :

I use a unique email address for MDN and got zero spam on it.

    4. Pluto wrote on :

      I’m also not getting any spam.

  3. Dave wrote on :

    MDN currently requires a sign in with Persona. What was in the password fields that were leaked? Was this the old password before switching to the new system, are those with current logins not affected, or was some password/key associated with Persona compromised? Please elaborate.

    1. Stormy wrote on :

      It was the old password, not the Persona password.

    2. Ethan Henderson wrote on :

      The notifications and this post have said nothing about Persona being affected, only MDN itself.
And with my understanding of Persona, the actual site (in this case, MDN) only gets the email of the Persona account, no password or anything. So, newer accounts using Persona have seemingly only had their email addresses released and that is all (from what I’ve read).

      The leaked passwords were from older MDN accounts, and they were dumped without the salts, so they should be fine (though you should always play it safe anyways).

      1. Dave wrote on :

        If it’s only the old password I used when I first created an account long ago, that’s fine for me as I’ve long since stopped using any variations of it. My email is obtainable in a few places already so this isn’t a horrible occurrence for me personally, but it’s really disappointing to see this happen. :/

      2. Stormy wrote on :

        The passwords included salts that were unique to each user record.

        1. patrick gonzales wrote on :

I need to erase the spyware, where do I go to do so?

        2. David Song wrote on :

          What type of hash? MD5? bcrypt?

  4. Akif Rabbani wrote on :

    This is just a lovely incident for e-mail harvesters.

  5. Luciano wrote on :

Well, I have been receiving a lot of spam lately (like 2 or 3 per day), and that never happened before. I’m not saying it’s related to this issue, but maybe.

Anyway. I’m not mad at all, my email is already public on my website, and the way you were open about this is great.

    1. Stanley wrote on :

I do not agree! In light of big data mining for purposes of exploitation, I believe that Mozilla has two obligations. One is to share broadly a platform that WORKS FOR PEOPLE; which it does. And the other is to protect, at all costs, what is shared is that which one chooses not to share. This is integrity and integral to the internet, in the age we live in.

      1. Meta wrote on :

uhh…
Stanley, I agree that developers have a responsibility to protect their users… Mozilla did exactly that- they learned of a mistake and they told the people it would have affected.
if they had done anything differently, we would all be worse off- we’d be unaware of our vulnerability.
first step of solving a problem is recognizing that there is one…
human error exists.
that’s a constant.
So…
are you going to incentivize companies to tell you about mistakes/problems which affect you so that you may take steps to protect yourself
or
are you going to incentivize companies to try to hide the mistakes/problems which affect you from you (which would leave you wide open to exploitation).

  6. Eduardo Bautista wrote on :

    Well that explains the spam.

  7. TonyW wrote on :

Things happen!
Mozilla should force a reset of passwords, meaning send everyone who might have been affected a link to reset their passwords, or the second someone tries to sign in, force a reset by sending a reset link to the email address on file.

    1. groovecoder wrote on :

      One of the concerns with sending reset links in an email like this is the potential for others to phish for accounts that way.

      In any case, there are no more passwords on MDN anyway, so there’s nothing to reset.

    2. Stormy wrote on :

      Those passwords can no longer be used to login to MDN. We now use Persona.

      1. Bishal Mukherjee wrote on :

Recently I am also getting some MED–Male Enlrgmnt Spams–RBI- thoroughly state to me how to stop these Spammers.

        Thanks a lot to find the Sickness.

    3. Justdave wrote on :

      Nobody should ever send links to reset passwords (not as part of an initial notification anyway). That’s the kind of thing phishers do to try to get people to enter their existing passwords as part of the password change form so they can get access to their accounts, so it’s bad to get people used to that being an option. That kind of link should only be sent after the user has themselves specifically hit something on the website to indicate they want it reset. The notification email should tell them where to go to find that link, and not actually link to it.

  8. 想睡 wrote on :

Honestly, the technical terms you all use, I have never wanted to understand them!
What is the intention, the meaning?
I only know that a computer’s ability to execute is really impressive, really powerful!
But its weakness is also that ability to execute!

  9. TechyZeldaNerd wrote on :

I’ve actually had no spam, so I’m not sure if these are actually in the hands of spammers.
Don’t you have logs of every time a file is accessed, though? I’d think you would be able to tell how many people downloaded it, if any.

    1. Pluto wrote on :

      They spent a week investigating it, so I’m assuming they don’t have anything else they could really tell us or will tell us.

  10. Serge wrote on :

The email I received reads “we recommend that you immediately change your password”.
What are the (actual) steps to do that (and for the email address too)?

    1. groovecoder wrote on :

      Change your password on other sites if you re-used your MDN password on those sites.

    2. Stormy wrote on :

Your old MDN password cannot be used to login to MDN anymore, so there is nothing to change on MDN. If you used your old MDN password on any other sites or any variation of that password, you should change your password on those sites.

      1. M. Straver wrote on :

        I don’t exactly understand this advice. If the passwords leaked were salted hashes, then you can’t recover the original password from them. So any “similar” passwords would also not be at risk. Was there a bigger problem than just the hashes leaking if you advise people to change similar passwords elsewhere?

        1. Miryafa wrote on :

          Salting and hashing passwords doesn’t mean they’ll never be found. Presumably MDN followed the best practices in hashing (using a long, unique salt for each password, using a hashing scheme that hashes them over 10000 times, etc). So it’s impossible to get the passwords out of those hashes right now. However, being leaked means that anyone who has a copy can keep it forever, and the system we use now could be broken eventually. If that happens, then in the (hopefully far distant) future, someone would get the passwords. And at that time, you wouldn’t want to still use that password on other sites.
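The exchange above (Ethan’s “dumped without the salts”, Stormy’s reply that each record carried its own salt, and Miryafa’s point that a leaked copy can be attacked offline indefinitely) turns on how a salted, iterated hash record actually works. The Python below is an added example, not MDN’s code or its real hashing scheme: it builds PBKDF2-HMAC-SHA256 records with a per-record salt stored next to the digest (the normal layout, which is why “the salts were included” is expected rather than alarming), verifies them, shows that two users with the same password get different records, quantifies the work an offline guess costs in terms of the stored iteration count, and raises the work factor at login time. The record format, `DEFAULT_ITERATIONS` and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for new records. Constructed example value, not MDN's actual setting.
DEFAULT_ITERATIONS = 100_000


def make_record(password: str, iterations: int = DEFAULT_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Hash a password with PBKDF2-HMAC-SHA256 and a per-record random salt.

    The salt and iteration count are stored alongside the digest. The salt is not
    secret; its job is to make every record unique so precomputed tables do not help.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    """Split 'algo$iterations$salt_hex$digest_hex' into its typed parts."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    iterations, salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def same_password_distinct_records(password: str) -> bool:
    """Two users with the same password get different records because salts differ."""
    a, b = make_record(password), make_record(password)
    return a != b and verify(password, a) and verify(password, b)


def offline_guess_cost(record: str, guesses: int) -> int:
    """PBKDF2 rounds a holder of a leaked copy must spend to test `guesses` candidates.

    Nothing can be read back out of the digest, but every candidate password can be
    checked against it without talking to the server; the iteration count is the only
    thing slowing that down, and it never increases for a copy that has already leaked.
    """
    iterations, _, _ = parse_record(record)
    return iterations * guesses


def needs_upgrade(record: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was created with a weaker work factor than the current target."""
    iterations, _, _ = parse_record(record)
    return iterations < target_iterations


def rehash_on_login(password: str, record: str,
                    target_iterations: int = DEFAULT_ITERATIONS) -> str:
    """At a successful login the plaintext is briefly available: raise the work factor then."""
    if not verify(password, record):
        raise ValueError("password does not match; refusing to rehash")
    if needs_upgrade(record, target_iterations):
        return make_record(password, target_iterations)
    return record


if __name__ == "__main__":
    rec = make_record("correct horse", iterations=1000)
    print(verify("correct horse", rec), verify("wrong", rec))
    print(offline_guess_cost(rec, 1_000_000))
    print(rehash_on_login("correct horse", rec))
```

The design point that answers M. Straver’s question: `verify` is exactly what an offline attacker can also run, one candidate at a time, against a leaked record. The salt stops one guess from being reused across many records, and the iteration count makes each guess expensive, but neither prevents guessing. Rehashing at login raises the cost for records still held by the site; it does nothing for the copy that already left, which is why the advice is to change reused passwords rather than to wait.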

  11. Gage wrote on :

    Just GREAT! 🙁

  12. LeMaire Lee wrote on :

    Is there a way to check to make sure I’m okay other than waiting for stuff to happen?

    1. Stormy wrote on :

      If you received an email saying your encrypted password was on the public server, and you used that password anywhere else, you should change your password on those other sites.

  13. Daniel Wilson wrote on :

    Good luck with following this incident up and thank you for keeping everyone in the loop.

Accidents happen, but it would have been so easy for a company to just brush this under the rug; thankfully Mozilla go the extra mile and are fully transparent – Exactly how it should be done!

    Keep up the good work guys!
    – Dan

    1. Dejan wrote on :

      Exactly!!!!

      Keep up Mozilla

  14. BillD wrote on :

    I got a SPAM e-mail saying my MDN email address was temporarily posted on a publicly accessible server and might have possibly been hacked.

    [/Gallows Humor]

  15. Stevan wrote on :

    This happens more frequently than we can possibly imagine. Mozilla has an admirable transparency on informing this occurrence, and I’m particularly thankful for that.

  16. Channely wrote on :

This explanatory post let me find the reason spam suddenly appeared over the past month or so. The impact isn’t big, but it still leaves a bad feeling. [|-_-|]

  17. Stanley wrote on :

    I do not understand you people, generally, and how lightly this infringement on personal security is processed. Your government, particularly in the United States, is NOT your friend; and neither are the corporations and ‘secret or clandestine operations’ that benefit from these breaches of trust.

  18. Morgan wrote on :

    Props to Mozilla for cleaning up and disclosing the breach promptly.

  19. Price Hale wrote on :

    I’ve used Firefox for at least 12 years and trust Mozilla and its staff. Your handling of this error is consistent with the kind of trustworthy Mozilla is known for. Sorry you’re having to deal with older equipment. I can only make a small donation, but your situation is a reminder that many small donations could make a significant difference. Thanks to Mozilla’s staff for the continued work.

  20. Jam wrote on :

    Well now I know why I started receiving shite loads of junk mail. Haha shite happens…
