Mozilla Admits Developer Password Breach

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Red faces and embarrassment all round at Mozilla after a serious breach of developer details

Mozilla remains in the spotlight for all the wrong reasons after it admitted a serious “disclosure” of developer details, including their passwords (albeit stored as salted hashes rather than in plaintext).

It comes shortly after the Firefox creator appointed interim CEO Chris Beard as its permanent chief executive officer, succeeding former CEO Brendan Eich, who resigned in April.

Mozilla warned its members of the problem in a blog posting last Friday and announced that there had been a disclosure associated with its Mozilla Developer Network.

Data “Disclosure”

“The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server,” wrote Stormy Peters, Director of Developer Relations.

“As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.”

The good news for Mozilla developers is that the exposed passwords were stored as salted hashes rather than in plaintext, so an attacker would have to crack them offline before being able to use them, and because all affected developers have to reset their MDN passwords, a cracked hash is of little further use against MDN itself.

That of course doesn’t mean that the breach will not cause problems, especially if, like many people, the Mozilla developers used the same passwords for other accounts.

“Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems,” wrote Peters. “We’ve sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.”

Mozilla said it was examining its current processes to reduce the likelihood of something like this happening again.
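The incident as Peters describes it has a simple shape: a sanitization step silently failed, and the dump it was supposed to scrub was published anyway. The following is an added example written for this article, not Mozilla’s code and not the actual MDN process; it assumes a dump exported as comma-separated rows of id, username, email and password hash (the sample rows are constructed), and shows the control that prevents this failure mode: an independent verification pass that refuses to publish any dump in which email addresses or password hashes survive, so the pipeline fails closed instead of leaking.

```python
"""Fail-closed sanitization gate for a database dump before publication.

Added illustrative example; not Mozilla's code. Assumes a CSV-like dump
with columns id,username,email,password (constructed sample data below).
"""
import hashlib
import re

# Constructed sample dump rows; not real MDN data.
RAW_DUMP = [
    "id,username,email,password",
    "1,alice,alice@example.org,pbkdf2_sha256$20000$abcd$ZmFrZWhhc2g=",
    "2,bob,bob@example.net,pbkdf2_sha256$20000$efgh$b3RoZXJoYXNo",
    "3,carol,,",
]

# Patterns the verifier treats as "sensitive data still present".
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HASH_RE = re.compile(r"\b(pbkdf2_sha256|bcrypt|sha1|sha256)\$[^\s,]+")


def sanitize(rows, fail=False):
    """Replace each email with an opaque token and blank the password field.

    fail=True simulates the incident's failure mode: the sanitizer stops
    doing its job and passes the rows through untouched.
    """
    header, *body = rows
    if fail:
        return rows
    out = [header]
    for line in body:
        id_, user, email, _pw = line.split(",", 3)
        # Keyed/unkeyed hashing of the email is a stand-in for whatever
        # pseudonymisation the real process would use (assumption).
        token = hashlib.sha256(email.encode()).hexdigest()[:12] if email else ""
        out.append(f"{id_},{user},{token},")
    return out


def verify_sanitized(rows):
    """Independent check, separate from the sanitizer: return the numbers of
    any lines below the header that still contain an email or a hash."""
    bad = []
    for n, line in enumerate(rows[1:], start=2):
        if EMAIL_RE.search(line) or HASH_RE.search(line):
            bad.append(n)
    return bad


def publish(rows):
    """Gate in front of the public location: return the rows to publish,
    or None (publish nothing) if verification finds leftover data."""
    if verify_sanitized(rows):
        return None
    return rows


if __name__ == "__main__":
    clean = sanitize(RAW_DUMP)
    print("sanitized dump published:", publish(clean) is not None)
    broken = sanitize(RAW_DUMP, fail=True)
    print("broken dump published:", publish(broken) is not None)
```

The point of the design is that `verify_sanitized` does not trust `sanitize`: it re-derives the answer from the output bytes, and `publish` withholds the file entirely on any finding. A process that only ran the sanitizer and then copied the result would, like the one described above, keep publishing for as long as the sanitizer kept failing quietly.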

Email Harvesting

“We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you,” she said.

But some developers are not happy, especially as their email addresses have escaped into the wild. “I Googled my email and found it on an email data list website, I’ll have spam for life,” wrote a user called Kiomi.

“I was wondering why spam started to pour in my gmail account. Found the reason. This is pretty sad,” wrote lordfuoco.

Others complained that Mozilla had not provided enough details of the breach, as some developers were unsure which of their passwords had been affected. But on the whole, most developers were understanding, and thanked Mozilla for its prompt and open response.

Last week, Paddy Power admitted it was having to contact 649,055 of its customers, after the online betting firm discovered in May that unbeknown to it, its customer database had been compromised – way back in 2010.
