MDN Database Disclosure

We have just concluded an investigation into a disclosure affecting members of the Mozilla Developer Network (MDN). We began investigating the incident as soon as we learned of the disclosure. The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23 and for a period of 30 days, the data sanitization process for the MDN site database had been failing, so that a database dump containing the email addresses of about 76,000 users and the salted password hashes of about 4,000 users was left on a publicly accessible server. As soon as we learned of it, the dump file was removed from the server and the process that generates the dump was disabled to prevent further disclosure. We have not detected malicious access to that server, but we cannot rule it out.

We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you.

The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using. Note that a salt protects against precomputed tables, not against guessing: anyone holding the dump can test candidate passwords against a leaked salt and hash offline, which is why a weak or reused password should be changed wherever it is used.

In addition to notifying users and recommending short-term fixes, we are reviewing the processes and principles currently in place to see what can be improved to reduce the likelihood of something like this happening again. If you have questions, please reach out to security@mozilla.org.
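The two technical points above, a sanitization step that failed without stopping the dump from being published and salted hashes that block direct login but not offline guessing, as an added example in Python. This is not Mozilla's or MDN's code: the CSV-style dump rows, the `sha256$salt$hex` hash layout, the `example.invalid` placeholder domain and the sample users are all constructed for illustration. The design point is the fail-closed gate in `publish()`: an independent residue check runs after the sanitizer, so a sanitizer that silently does nothing blocks publication instead of leaking.

```python
import hashlib
import hmac
import os
import re

# Assumptions for this example (none of these are MDN's real formats):
PLACEHOLDER_DOMAIN = "example.invalid"  # reserved TLD for scrubbed addresses
UNUSABLE_PASSWORD = "!"                 # marker meaning "no usable hash"
# Toy stored-hash layout: algorithm$salt$hex(sha256(salt || password))
HASH_RE = re.compile(r"^[a-z0-9_]+\$[0-9a-f]{16}\$[0-9a-f]{64}$")


class SanitizationError(Exception):
    """Raised when a dump still contains real user data; nothing is published."""


def make_hash(password, salt=None):
    """Toy salted hash (assumption, not MDN's scheme); a real system would use a slow KDF."""
    salt = salt or os.urandom(8).hex()
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"sha256${salt}${digest}"


def check_password(stored, candidate):
    """True if candidate hashes to the stored salt+digest."""
    _algo, salt, digest = stored.split("$")
    guess = hashlib.sha256((salt + candidate).encode()).hexdigest()
    return hmac.compare_digest(guess, digest)


def guess_offline(stored, wordlist):
    """What a holder of the leaked dump can do: test candidates at will.
    The salt defeats precomputed tables, not guessing of weak or reused passwords."""
    for word in wordlist:
        if check_password(stored, word):
            return word
    return None


def sanitize(rows):
    """Replace every email with a synthetic address and every hash with an unusable
    marker. Row ids are kept so joins elsewhere in the dump still work."""
    return [{**row,
             "email": f"user{row['id']}@{PLACEHOLDER_DOMAIN}",
             "password": UNUSABLE_PASSWORD} for row in rows]


def broken_sanitize(rows):
    """Stand-in for the failing process in the incident: returns rows untouched."""
    return rows


def find_residue(rows):
    """Independent check: (row id, field) pairs that still look like real data."""
    findings = []
    for row in rows:
        if not row["email"].endswith("@" + PLACEHOLDER_DOMAIN):
            findings.append((row["id"], "email"))
        if HASH_RE.match(row["password"]):
            findings.append((row["id"], "password"))
    return findings


def publish(rows, sanitizer):
    """Fail-closed gate: the dump text is produced only if verification finds no
    residue, so a sanitizer that silently does nothing cannot leak."""
    cleaned = sanitizer(rows)
    residue = find_residue(cleaned)
    if residue:
        raise SanitizationError(
            f"refusing to publish: {len(residue)} unsanitized field(s), first {residue[0]}")
    return "\n".join(f"{r['id']},{r['email']},{r['password']}" for r in cleaned)


# Constructed sample rows (not real MDN data). Users 1 and 2 still carry a hash from
# before the site dropped passwords; user 3 never had one.
SAMPLE_ROWS = [
    {"id": 1, "email": "alice@example.com",
     "password": make_hash("letmein2014", "0011223344556677")},
    {"id": 2, "email": "bob@example.com",
     "password": make_hash("correct horse battery staple", "8899aabbccddeeff")},
    {"id": 3, "email": "carol@example.com", "password": UNUSABLE_PASSWORD},
]

if __name__ == "__main__":
    print(publish(SAMPLE_ROWS, sanitize))
    try:
        publish(SAMPLE_ROWS, broken_sanitize)
    except SanitizationError as err:
        print(err)
    # Offline guessing against user 1's leaked hash with a tiny constructed wordlist.
    print(guess_offline(SAMPLE_ROWS[0]["password"], ["password", "123456", "letmein2014"]))
```

Running the block publishes the scrubbed rows, refuses the unscrubbed ones with a count of residual fields, and recovers user 1's weak password from the leaked hash in three guesses; user 2's long passphrase is not in the list and is not found. The residue check deliberately does not share code with the sanitizer, so a bug in one does not hide a bug in the other.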

Thanks,

Stormy Peters
Director of Developer Relations

Joe Stevensen
Operations Security Manager

116 responses

  1. Steve Lee wrote on :

    Thanks for letting us know quickly after you had performed your analysis. That always inspires confidence.

    It’s good you used the best practice of one-way hashes for password storage.

  2. Jake Nixon wrote on :

    Not too happy about this, but at least I didn’t get any spam emails.

  3. mojo706 wrote on :

    Aaah, that explains the increase in spam in my spam folder. Luckily it is my public email and they didn’t get my password. Oh, thanks too for letting me know; I changed everything just in case.

  4. Gautham PJ wrote on :

    Thanks for letting us know of the mishap and being honest about it. Appreciate the openness about it.
    Not much damage done to me, hope everyone feels the same way.

  5. I Hate Mozilla wrote on :

    Thank you so much! My email address is now corrupted by Mozilla. I get a lot of spam every day. Before this tragedy, I got no spam.

  6. Andreas wrote on :

    Thanks for informing us!

  7. xgdfdfbcbvbc wrote on :

    This explains why I have gotten a constant influx of spam since one random day in July before which I previously got very little or no spam.

  8. Miryafa wrote on :

    Thank you for reporting this faster than the business norm (a month, and I’m assuming you finished the investigation on July 23). No sarcasm. I appreciate your transparency Mozilla.

  9. Dale S wrote on :

    Disappointing that as a “Developer” site, you do not realize that “hashing” != “encrypting”. I see that you explain what you mean later in it, but still, let’s be professional and use the right terms to start.

    You don’t see McDonald’s advertising “Get a foot long hotdog”, then later saying “Well, by foot long hotdog, we really mean a hamburger patty that we cut into thin slices and put in a hot dog bun.” They’re just not the same.

  10. Matthew wrote on :

    Thanks for being honest. I really appreciate it and I’m not mad. Good luck!

  11. Kiomi wrote on :

    I Googled my email and found it on an email data list website, I’ll have spam for life…

    1. Racheal wrote on :

      Someone is using my pictures and making user names on porno sites. How do I stop this?

  12. Hans Schmucker wrote on :

    Well… sh*t happens…

    But maybe we can take the full disclosure one step further:
    The mail isn’t exactly clear whether I belong to the “they just got the address” or the “they got everything” category. I guess the first one, since I haven’t accessed MDN during that time, but I can’t be sure.

    I’m also unsure what password I had on this account… my guess is that it’s one of my old ones which was used with some subtle changes on a variety of sites (nowadays I use a password generator). So if you have the time, it would be great if you could notify us whether we belong in group #1 or #2 and if possible give us a way to check which password we used (basically by providing a field that checks any user input against the saved hash).

    Of course such a breach isn’t something that’s supposed to happen, but I really want to say that you did the right thing by informing everybody as quickly as possible. Why the heck isn’t everybody doing it this way? 😉

    1. Michael wrote on :

      Hi Hans, I was wondering if you could explain to me how you use a password generator? I guess what I’m asking, are you changing your password each log-in? I myself have had a few email accounts hacked and like the idea of increased security. Please advise me.
      Michael

  13. Leonardo wrote on :

    I’m glad I got e-mailed about this, otherwise I would never know.

  14. Ahmed Tareque Pantha wrote on :

    I wish it will not happen again. Amiin…

    1. Anees Iqbal wrote on :

      I wonder how come you are on MDN. It was meant to be a developer network; you guys talk like gangstas. That poor guy just said he hopes it’ll not happen again. What’s wrong about it..?

  15. Hacker wrote on :

    This is our chance to finally commit to repository support for WebP in Firefox!

  16. Austin wrote on :

    “Your email address (but not password) was posted”

    Were the 4000 users with leaked passwords sent a different email?

    1. Austin wrote on :

      NVM, I see they were sent notices.

      1. Felipesvjr wrote on :

        I’ve been using Gmail before, at Mozilla Messaging and Thunderbird, and now on MDN; I’m still not changing my email address…

  17. harry wrote on :

    So where do we go to change our password? It would be nice to have a link to that.

    1. Daniel Veditz wrote on :

      There are no more passwords on MDN, the site now uses “Persona” for authentication. You don’t need to change anything on MDN itself. If you were notified that your password was potentially at risk AND if you re-use the same password on multiple sites then you should change your password on any site that used the same password.

  18. Philippe Verdy wrote on :

    I was notified about the mail address disclosure; however, the salted hashed passwords are still a severe issue and we should have been notified if the hashed passwords had been disclosed too (because they can now be targeted offline by brute force attacks, possibly distributed, to find collisions).
    If the hashed passwords had been disclosed you should have warned us to change the password and look in our own private database of passwords to see if they match some passwords used on other websites (I hope this is not the case, because I have been using a password generator for most sites for about one year; however, my account on MDN is much older and I have probably not updated the password here for a long time, and possibly the local password is not so unique and could be used to look for some other related passwords on other websites).
    Before I used a password generator and password manager I was already using distinct passwords for many websites, but with some mnemonic rule, and these distinct old passwords could possibly be guessed because they were mnemonic. I no longer use any mnemonic rule for new passwords added and changed since one year ago, on all the most widely used sites. As all these new passwords have absolutely no mnemonic way to be remembered, this also means that I’m dependent on my email manager (which itself uses, for its master password, a long passphrase with a strange and unexpected meaning and no relation between the several concepts linked in that strange phrase, which also contains some rare characters plus some voluntary typos in their syntax, an invented word not existing in any dictionary but still pronounceable for me, and another word in a foreign language).

    1. Pluto wrote on :

      Read the blog, it says that it notified users whose password hashes were revealed:

      “The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.”

    2. Daniel Veditz wrote on :

      We did exactly what you suggest for the people who had not logged in to MDN since we stopped using passwords and whose hashed passwords were exposed. A separate mail was sent to those people with more information about passwords.

  19. Fira wrote on :

    While I was unaffected, I thank you and the entire team for being so open and transparent about this issue. This is why I trust Mozilla more than many of the large tech companies. Openness is the key to building that trust, and seeing it in action reinforces it.

  20. Roos wrote on :

    I googled my e-mail address and found it in a list of e-mails published on the main pages of a website unknown to me.
