{"id":433,"date":"2010-12-27T22:35:55","date_gmt":"2010-12-28T05:35:55","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=433"},"modified":"2010-12-27T22:35:55","modified_gmt":"2010-12-28T05:35:55","slug":"addons-mozilla-org-disclosure","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/","title":{"rendered":"addons.mozilla.org disclosure"},"content":{"rendered":"<p>On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our <a href=\"http:\/\/www.mozilla.org\/security\/bug-bounty.html\">web bounty program<\/a>. We were able to account for every download of the database. This issue  posed minimal risk to users, however as a precaution we felt we should  disclose this issue to people affected and err on the side of  disclosure.<\/p>\n<p>The database included 44,000 inactive accounts using older, md5-based password hashes.\u00a0 We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a  more secure SHA-512 password hash with per-user salts. SHA-512 and per  user salts has been the standard storage method of password hashes for  all active users since April 9th, 2009.<\/p>\n<p>It is important to note that current addons.mozilla.org users and  accounts are not at risk. Additionally, this incident did not impact any  of Mozilla&#8217;s infrastructure.\u00a0 This information was also sent to  impacted users by email on December 27th.<\/p>\n<p>Chris Lyon<br \/>\nDirector of Infrastructure Security<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/\">Read more<\/a><\/p>\n","protected":false},"author":175,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>addons.mozilla.org disclosure - Mozilla Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Chris Lyon\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/\",\"url\":\"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/\",\"name\":\"addons.mozilla.org disclosure - Mozilla Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\"},\"datePublished\":\"2010-12-28T05:35:55+00:00\",\"dateModified\":\"2010-12-28T05:35:55+00:00\",\"author\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ea919a02109b25695672251a83c2120e\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.mozilla.org\/security\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"addons.mozilla.org disclosure\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#website\",\"url\":\"https:\/\/blog.mozilla.org\/security\/\",\"name\":\"Mozilla Security Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ea919a02109b25695672251a83c2120e\",\"name\":\"Chris Lyon\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/feee60d163cdfc62fe2d9c5d49cae0ec\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/279c764abcbdce6373555f5fbc43f327?s=96&d=identicon&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/279c764abcbdce6373555f5fbc43f327?s=96&d=identicon&r=g\",\"caption\":\"Chris Lyon\"},\"description\":\"Director of Infrastructure Security\",\"sameAs\":[\"http:\/\/cslyon.net\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"addons.mozilla.org disclosure - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/","twitter_misc":{"Written by":"Chris Lyon","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/","url":"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/","name":"addons.mozilla.org disclosure - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"datePublished":"2010-12-28T05:35:55+00:00","dateModified":"2010-12-28T05:35:55+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ea919a02109b25695672251a83c2120e"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2010\/12\/27\/addons-mozilla-org-disclosure\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"addons.mozilla.org disclosure"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/ea919a02109b25695672251a83c2120e","name":"Chris Lyon","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/feee60d163cdfc62fe2d9c5d49cae0ec","url":"https:\/\/secure.gravatar.com\/avatar\/279c764abcbdce6373555f5fbc43f327?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/279c764abcbdce6373555f5fbc43f327?s=96&d=identicon&r=g","caption":"Chris Lyon"},"description":"Director of Infrastructure Security","sameAs":["http:\/\/cslyon.net"]}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/433"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/175"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=433"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/433\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=433"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=433"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=433"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=433"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}