Mozilla accidentally exposes accounts of 44,000 users

While Mozilla has informed the impacted users about the leak through email sent on Dec. 27, it has also assured that its current addons.mozilla.org users and accounts have not been exposed.

Ever thought that your online accounts may not be as secure as you think they are? Following data leaks at Walgreens, McDonald's, Microsoft, and Gawker, Mozilla has now accidentally left users' confidential data on a public server.

In a blog post, Chris Lyon, Mozilla's director of infrastructure security, confirmed that the account details and hashed passwords of 44,000 older addons.mozilla.org users were mistakenly exposed on a public server.

“This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.” - Chris Lyon, Director of Infrastructure Security

The leaked file included e-mail addresses, MD5 hashes of passwords, and the first and last names of the old users.

Leak poses minimal risk
Though a number of accounts were exposed on the company's server, it is reported that only one person, a participant in Mozilla's web bounty program, accessed the private data. All of the leaked accounts were also inactive.

Further, after a security researcher notified the firm of the leak, it promptly deleted the stored password hashes, disabling all the exposed accounts.

To regain access to their accounts, the affected users will have to reset their passwords: click 'I forgot my password' and enter the e-mail address on file.

A personalized link will then be sent to the user's e-mail address, which allows them to set a new password. Until they do so, they will not be able to log in.
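The reset flow described above, modelled as an added example (this is not Mozilla's own code). It assumes a placeholder link base of `https://amo.example/users/reset/`, a one-hour token lifetime, and PBKDF2 for the new password hash; the `Account` and `ResetService` names are illustrative. The practitioner points it demonstrates: a disabled account cannot log in until reset, the token is unguessable, only a hash of it is stored (so a leaked table like the one in this story would not yield usable links), and each link is single-use and expires.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumptions, not from the article: the link's base URL and a one-hour token lifetime.
RESET_BASE_URL = "https://amo.example/users/reset/"
TOKEN_TTL_SECONDS = 60 * 60


def derive_password_hash(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash for the new password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    email: str
    # None means the stored password was deleted: login is impossible until reset.
    password_hash: Optional[bytes]
    salt: bytes = field(default_factory=lambda: os.urandom(16))


@dataclass
class ResetToken:
    email: str
    token_hash: str      # only a hash of the token is stored, so a leaked table is useless
    expires_at: float
    used: bool = False


class ResetService:
    """Models the flow the article describes: a disabled account, an 'I forgot my
    password' request, a personalized e-mailed link, and a single-use reset."""

    def __init__(self, accounts: List[Account], now: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {a.email: a for a in accounts}
        self.tokens: Dict[str, ResetToken] = {}
        self.now = now  # injectable clock so expiry can be exercised

    @staticmethod
    def token_hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def disable_password(self, email: str) -> None:
        """What Mozilla did for the exposed accounts: delete the stored hash."""
        self.accounts[email].password_hash = None

    def request_reset(self, email: str) -> Optional[str]:
        """Step 1: the user submits an e-mail address. Returns the personalized link
        that would be e-mailed, or None for unknown addresses (the web response
        should look the same either way so addresses cannot be enumerated)."""
        if email not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, unguessable
        digest = self.token_hash(token)
        self.tokens[digest] = ResetToken(email, digest, self.now() + TOKEN_TTL_SECONDS)
        return RESET_BASE_URL + token

    def complete_reset(self, token: str, new_password: str) -> bool:
        """Step 2: the user follows the link. Rejects unknown, used and expired
        tokens, then stores a fresh salt and hash for the new password."""
        record = self.tokens.get(self.token_hash(token))
        if record is None or record.used or self.now() > record.expires_at:
            return False
        record.used = True
        account = self.accounts[record.email]
        account.salt = os.urandom(16)
        account.password_hash = derive_password_hash(new_password, account.salt)
        return True

    def login(self, email: str, password: str) -> bool:
        account = self.accounts.get(email)
        if account is None or account.password_hash is None:
            return False   # disabled accounts cannot log in until reset
        candidate = derive_password_hash(password, account.salt)
        return hmac.compare_digest(candidate, account.password_hash)
```

The clock is injected so the expiry path can be exercised in a test; in production `time.time` is used as-is. The raw token exists only in the e-mail and in the request that redeems it.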

Current users secure
“All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per-user salts have been the standard storage method of password hashes for all active users since April 9th, 2009,” reads the blog post.

Mozilla also added that the incident has not affected any of its infrastructure.

Because the older accounts' passwords were stored as MD5 hashes rather than the salted SHA-512 used for current accounts, the incident underlines that administrators should stop storing passwords with obsolete methods such as DES-based crypt and MD5. A per-user salt defeats precomputed hash tables, but a single SHA-512 computation is still cheap for an attacker running a dictionary attack against a leaked file, so a deliberately slow, salted password hash such as bcrypt, scrypt or PBKDF2 is the stronger choice.

Chester Wisniewski, a security expert at Sophos, warns that “it is important to migrate away from these algorithms in case you have a database accidentally make its way outside of your organization.”
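To make the hashing point concrete, here is an added example (not Mozilla's code, and not data from the leaked file): constructed rows in the shape the article describes, a tiny constructed wordlist, and the same dictionary attack run against unsalted MD5 and against per-user salted SHA-512, followed by a PBKDF2 routine of the slow-hash kind the preceding paragraph recommends. The users, passwords and wordlist are made up.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password, the storage format of the leaked file."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed rows in the shape the article describes for the leaked file:
# e-mail address, MD5 password hash, first name, last name. Made-up users and
# passwords, not data from the Mozilla file.
LEAKED_ROWS: List[Tuple[str, str, str, str]] = [
    ("alice@example.com", md5_hex("password1"), "Alice", "Example"),
    ("bob@example.com", md5_hex("password1"), "Bob", "Example"),
    ("carol@example.com", md5_hex("letmein"), "Carol", "Example"),
    ("dave@example.com", md5_hex("xK9#vQ2!pL7mZ"), "Dave", "Example"),
]

# Tiny constructed wordlist standing in for the dictionaries attackers really use.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "mozilla"]


def crack_unsalted_md5(rows, wordlist) -> Tuple[Dict[str, str], int]:
    """Dictionary attack on an unsalted MD5 file.

    Each candidate is hashed once and looked up against every row, so the cost
    is the wordlist size regardless of how many users leaked, the table can be
    precomputed before any leak, and users sharing a password share a hash.
    Returns recovered passwords by e-mail and the number of hashes computed.
    """
    table = {md5_hex(word): word for word in wordlist}
    found = {email: table[digest] for email, digest, _, _ in rows if digest in table}
    return found, len(wordlist)


def hash_salted_sha512(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user salted SHA-512, the scheme the post says current accounts use."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha512(salt + password.encode("utf-8")).hexdigest()


def verify_salted_sha512(password: str, salt: bytes, digest: str) -> bool:
    return hmac.compare_digest(hash_salted_sha512(password, salt)[1], digest)


def salted_rows(users: Dict[str, str]) -> List[Tuple[str, bytes, str]]:
    """Build (e-mail, salt, digest) rows from a mapping of e-mail to password."""
    return [(email, *hash_salted_sha512(pw)) for email, pw in users.items()]


def crack_salted_sha512(rows, wordlist) -> Tuple[Dict[str, str], int]:
    """The same dictionary attack against salted rows.

    No precomputed table applies and every candidate must be rehashed for every
    user, so the work grows with the number of accounts. The hash itself is
    still fast, which is why a slow KDF (below) is the stronger choice.
    """
    found: Dict[str, str] = {}
    ops = 0
    for email, salt, digest in rows:
        for word in wordlist:
            ops += 1
            if verify_salted_sha512(word, salt, digest):
                found[email] = word
                break
    return found, ops


def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> Tuple[bytes, int, str]:
    """Salted, deliberately slow PBKDF2-HMAC-SHA512; the iteration count is kept
    with the hash so it can be raised later without breaking old records."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return salt, iterations, dk.hex()


def verify_pbkdf2(password: str, salt: bytes, iterations: int, digest: str) -> bool:
    return hmac.compare_digest(hash_pbkdf2(password, salt, iterations)[2], digest)


if __name__ == "__main__":
    users = {"alice@example.com": "password1", "bob@example.com": "password1",
             "carol@example.com": "letmein", "dave@example.com": "xK9#vQ2!pL7mZ"}
    print("unsalted MD5 :", crack_unsalted_md5(LEAKED_ROWS, WORDLIST))
    print("salted SHA512:", crack_salted_sha512(salted_rows(users), WORDLIST))
```

Running it recovers the three weak passwords in both cases; the difference is the work. The unsalted attack costs six hashes for any number of users and shows immediately that alice and bob share a password, while the salted attack must rehash per user, and with PBKDF2 each of those rehashes costs hundreds of thousands of HMAC calls.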
