- Apr 25, 2013
- 5,355
Email addresses of 76,000 members of Mozilla Developer Network (MDN) and 4,000 passwords have become publicly available because of a process failing to sanitize data properly.
Mozilla issued a warning about the incident, saying that they were informed by a web developer that around June 23 a data sanitization flaw caused the disclosure of the sensitive information about the developers.
It appears that the error persisted for a period of 30 days, and when Mozilla learned about the leak, they immediately pulled the database dump file and disabled the glitchy process in order to prevent further disclosure.
“While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access,” says a blog post from Stormy Peters, Director of Developer Relations, and Joe Stevensen, Operations Security Manager.
The passwords were encrypted and the erroneous disclosure offered only salted hashes, which means that they cannot be used for authentication on the Mozilla Developer Network website. However, email addresses could be used for sending spam.
All users affected by the incident have been alerted of the accidental leak and advised to change their passwords for other non-Mozilla websites or authentication systems if they are similar to the leaked ones for MDN.
“In addition to notifying users and recommending short term fixes, we’re also taking a look at the processes and principles that are in place that may be made better to reduce the likelihood of something like this happening again,” say the Mozilla representatives.
Mozilla issued a warning about the incident, saying that they were informed by a web developer that around June 23 a data sanitization flaw caused the disclosure of the sensitive information about the developers.
It appears that the error persisted for a period of 30 days, and when Mozilla learned about the leak, they immediately pulled the database dump file and disabled the glitchy process in order to prevent further disclosure.
“While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access,” says a blog post from Stormy Peters, Director of Developer Relations, and Joe Stevensen, Operations Security Manager.
The passwords were encrypted and the erroneous disclosure offered only salted hashes, which means that they cannot be used for authentication on the Mozilla Developer Network website. However, email addresses could be used for sending spam.
All users affected by the incident have been alerted of the accidental leak and advised to change their passwords for other non-Mozilla websites or authentication systems if they are similar to the leaked ones for MDN.
“In addition to notifying users and recommending short term fixes, we’re also taking a look at the processes and principles that are in place that may be made better to reduce the likelihood of something like this happening again,” say the Mozilla representatives.
