MDN Database Disclosure

We have just concluded an investigation into a disclosure affecting members of Mozilla Developer Network. We began investigating the incident as soon as we learned of the disclosure. The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server. As soon as we learned of it, the database dump file was removed from the server, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.

We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you.

The encrypted passwords were salted hashes, and by themselves they cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected. For those who had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.

In addition to notifying users and recommending short-term fixes, we’re also reviewing the processes and principles that are in place to see what can be improved to reduce the likelihood of something like this happening again. If you have questions, please reach out to security@mozilla.org.

Thanks,

Stormy Peters
Director of Developer Relations

Joe Stevensen
Operations Security Manager
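The failure described above was a sanitizer that stopped working while the publication step carried on. The following is an added example, not Mozilla's or MDN's own code, of a fail-closed gate that independently verifies a dump before it is published; the sample rows and the `algo$salt$digest` hash shape are constructed assumptions, not MDN's real schema.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: two user rows as a SQL dump would carry them.
# The "algo$salt$hexdigest" shape is an assumption about a Django-style
# salted hash; it is not MDN's actual schema.
RAW_DUMP = (
    "INSERT INTO auth_user VALUES (1,'alice','alice@example.org',"
    "'sha256$a1b2c3$9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08');\n"
    "INSERT INTO auth_user VALUES (2,'bob','bob@example.net','');\n"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Rough "algo$salt$digest" shape: an algorithm label, a salt and a long digest.
HASH_RE = re.compile(r"\b[a-z0-9_]+\$[A-Za-z0-9./]+\$[A-Za-z0-9./+=]{20,}")


def sanitize(dump: str) -> str:
    """The redaction step. Emails become a placeholder; hashes become "!",
    the unusable-password marker mentioned in the comments."""
    dump = EMAIL_RE.sub("<redacted-email>", dump)
    dump = HASH_RE.sub("!", dump)
    return dump


def find_sensitive(dump: str) -> List[Tuple[int, str]]:
    """Independent verifier: (line number, kind) for every value that must not ship."""
    hits = []
    for number, line in enumerate(dump.splitlines(), 1):
        if EMAIL_RE.search(line):
            hits.append((number, "email"))
        if HASH_RE.search(line):
            hits.append((number, "password_hash"))
    return hits


def publish_gate(dump: str) -> bool:
    """Fail closed: publishing is allowed only when the verifier finds nothing."""
    return not find_sensitive(dump)


def prepare_for_publish(dump: str, sanitizer=sanitize) -> Optional[str]:
    """Run the sanitizer, then the gate. A sanitizer that raises or silently
    does nothing cannot leak, because the gate inspects whatever comes out."""
    try:
        cleaned = sanitizer(dump)
    except Exception:
        cleaned = dump  # the sanitizer failed; the gate below still decides
    return cleaned if publish_gate(cleaned) else None
```

A no-op sanitizer passed to `prepare_for_publish` reproduces the incident's shape and is blocked by the gate.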

116 responses

  1. Channely wrote on :

    This post made me discover the truth behind the sudden surge of spam over the past month or so; the impact is small, but I feel powerless about it. [|-_-|]

    1. 文科 wrote on :

      Why do you all say you received spam, while I didn't receive any?

  2. CT wrote on :

    Yeah these things are gonna happen, All I can say is I appreciate how Mozilla has handled this.

  3. opensource wrote on :

    Was the Database dump actually accessed from the outside world? I’m sure you guys have server logs that at least show IP addresses.

    Many thanks to the Developer that actually discovered this.

  4. Sarah wrote on :

    I’m a bit confused…is MDN the open source team? I don’t remember ever creating a Mozilla account, but maybe I did for support at some point? I must be involved somehow or I would not have gotten that email informing me of this.

    Ahhh, just looked at my logins list, could not figure out why I would have a login for MDN, but was for Bugzilla. Leaving my initial confusion in case it helps someone else who is wondering what the heck. But I made that account AGES ago. Is going to be a hassle, though, unless so old doesn’t matter.

    Hey, spam is just all over, no matter what, and I’ve had it using any ISP I ever have. Use a spamblocker and anti-virus on email, esp if you POP it. My ISP uses anti-virus before they let me have the email, thank goodness (although I’d never open an attachment unless I was expecting it). It’s a defensive world out there. Sometimes I feel like my computer is Ft. Knox, but even so, things get through.

    Thank you for letting us know this and owning up to it. It was very responsible of you. You could have just not told us, esp since it was mostly to alert us if we use the same password multiple places. My email is pretty public and emails can be found easily. Look yourself up on Google if you think not. Stuff happens and is good to get rid of any logins you don’t use anymore or need. And hey, before you go flaming on Mozilla, some of you, remember how many Fortune 500 companies have had worse happen?

  5. অর্নব দাস wrote on :

    Thank you, Mozilla, for informing users about the incident. We believe Mozilla will fix this weakness in the future.

  6. Robert Longson wrote on :

    Why not delete all the old passwords from MDN now that we’re all logging in via Persona. If you’d done that shortly after switch over this issue would not have occurred.

    Are there any other mozilla systems that now use persona but which still have passwords from their pre Persona days?

    1. Pluto wrote on :

      It seems like it would be important to keep the passwords for anyone who hasn’t used MDN since the authentication switch to Persona.

  7. Guglielmo wrote on :

    Must translate because I'm not understanding what happened. Thanks.

    1. Stormy wrote on :

      What language would you like it translated into?

  8. Amit wrote on :

    I didn’t know I had an MDN e-mail address.

  9. Axel Hecht wrote on :

    Are the old passwords pruned from our prod/stage/etc databases now? As we can’t use them, should be “!” ?

    Also, will the all-auth login changes affect what/if account/password data we store?

  10. Andrew wrote on :

    I use a different email address for every site I sign up to, and despite this leak I’ve had no spam (yet) sent to the email address I use for MDN. So maybe the spam some people are getting is from a different source…?

  11. Conrad Kleinespel wrote on :

    Oh, that probably explains the large increase in spam of the last weeks. I even emailed my email provider asking what was going on…

  12. gaspard wrote on :

    Come on, Mozilla, seriously ? how can this happen ?

    When I fill this comment, there is a field entitled “E-mail (required, will not be published)”, should I enter a fake e-mail address ?

  13. DevilishDB wrote on :

    Don’t worry about it, if the passwords were salted and hashed I’m happy. (MD5 or SHA-something? Preferably not MD5 since that’s not as secure) Also, everyone in the spam industry seems to already know my email address, so I don’t really care still. And I use unique, random per-site passwords so if it gets hacked I can just change it. Thank you for notifying everyone.

  14. Matthieu Jung wrote on :

    Many thanks for your transparency.

  15. Gray wrote on :

    Thanks for being open and honest about it.

  16. Steve lee wrote on :

    Thanks for coming clean quickly. It always inspires some confidence.

    Perhaps use a one way hash rather than encryption for password storage in future?

  17. SIETEC wrote on :

    While I appreciate the full disclosure, I see a couple of MAJOR screw ups with this situation. The first is – why are the Mozilla DB’s dumping personally identifiable information into any publicly accessible domain in the first place? For what purpose is it that anyone without proper credentials should have access to any contents of the databases? Perhaps I’m reading the disclosure wrong, but I’m assuming this was a back-end database for general authentication and user demographics/etc. so I’m just confused as to why and how a dump would suddenly occur into a publicly accessible area (without malicious intervention or seriously flawed code).

    The second issue is – if the old username and password combos are DEFUNCT, why are they even still in existence anywhere? Since the conversion to the new SSO utility (forgot its name), are there any people that even still use the old method to access their account? Or does the new sign on actually take the information passed to it and hand it to the database in question for further processing and authentication? That would explain issue number two, although, it is always a best practice to minimize the attack surface by streamlining confidential information to the smallest (within reason for performance, redundancy and security) set of servers possible – especially any that are publicly vulnerable. So, this issue number two takes me back to number one. Why is the database (malfunctioning or not) dumping information outside the confines of the private backends? That is a very serious and, frankly, embarrassing issue for Mozilla.

    I take issue with something like this occurring mainly for the simple reason that, while FF is still my favorite browser and I still actively develop with it and for it, Mozilla has been taking a more and more confining stance on the security of the browser – to the point of making it almost unusable in certain scenarios and with many of those issues unable to be modified. While this is not the correct forum to discuss my gripe with Firefox and the lack of end-user ability to override things, etc. I found it quite ironic that such a situation would happen to an organization so terrified of security issues.

    Anyway, the heads up is appreciated. Take care.

    1. groovecoder wrote on :

      See https://news.ycombinator.com/item?id=8123781:

      “A process failed, and the DB dump that is published to help contributors improve the MDN site got out unsanitized. The sanitization/publication process will be redesigned to include stricter controls. For now, it is shut down.

      MDN has been using persona for a while now, meaning that most accounts don’t have passwords in the database. But older accounts still had the SHA256 salted hash that Django creates.”

  18. Rolandas wrote on :

    Things like that could happen to anyone. Stay strong, Mozilla.

  19. Steve lee wrote on :

    Thanks for coming clean quickly. It always inspires confidence.

    Glad you used a one way hash rather than plain encryption for password storage.

  20. Sander wrote on :

    To those linking this incident to an increase in spam: I have a unique email address which I _only_ used to register at MDN, and I have received _zero_ spam email (or any email at all, really) on that email address. Same as Andrew and TechyZeldaNerd above. I think it’s extremely unlikely spam harvesters discovered this database dump during the month it was accessible. (For all that it was “publicly accessible”, it wasn’t in a place where spam harvesters or anyone else malicious would be likely to be looking.)

    Thanks Mozilla for the professional handling and disclosure.
