Mozilla: Failure of data-sanitisation process led to disclosure of MDN email addresses, passwords


Mozilla has revealed that a failure of the data-sanitisation process on the Mozilla Developer Network (MDN) site database resulted in the accidental disclosure of the email addresses of about 76,000 users and the encrypted passwords of about 4,000 users.

The issue appears to have persisted from as early as June 23 and came to light sometime in the fourth week of July, when one of Mozilla’s web developers discovered it.

“As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure,” noted Stormy Peters, Mozilla’s director of developer relations, and Joe Stevensen, operations security manager, in a co-authored blog post.

The duo said they have not come across any instance of malicious activity where the data was dumped, but added that they “cannot be sure there wasn’t any such access.”

Mozilla said that it is known for its commitment to user privacy and security, and apologised for any inconvenience or concern this incident may have caused.

In the blog post, they also recommended that users change their passwords on the Mozilla network as well as on other sites where they might be using the same email address, to ensure that they don’t fall victim to password-reuse attacks.

“The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems,” the duo said.