We have just concluded an investigation into a disclosure affecting members of Mozilla Developer Network. We began investigating the incident as soon as we learned of the disclosure. The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server. As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.
We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you.
The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.
In addition to notifying users and recommending short term fixes, we’re also taking a look at the processes and principles that are in place that may be made better to reduce the likelihood of something like this happening again. If you have questions, please reach out to security@mozilla.org
.
Thanks,
Stormy Peters
Director of Developer Relations
Joe Stevensen
Operations Security Manager
Steve Lee
wrote on
:
Jake Nixon
wrote on
:
mojo706
wrote on
:
Gautham PJ
wrote on
:
I Hate Mozilla
wrote on
:
Andreas
wrote on
:
xgdfdfbcbvbc
wrote on
:
Miryafa
wrote on
:
Dale S
wrote on
:
Matthew
wrote on
:
Kiomi
wrote on
:
Racheal
wrote on
:
Hans Schmucker
wrote on
:
Michael
wrote on
:
Leonardo
wrote on
:
Ahmed Tareque Pantha
wrote on
:
Anees Iqbal
wrote on
:
Hacker
wrote on
:
Austin
wrote on
:
Austin
wrote on
:
Felipesvjr
wrote on
:
harry
wrote on
:
Daniel Veditz
wrote on
:
Philippe Verdy
wrote on
:
Pluto
wrote on
:
Daniel Veditz
wrote on
:
Fira
wrote on
:
Roos
wrote on
: