Mozilla, the building blocks behind the widely used Web Browser, Firefox, cautioned on Friday that it had mistakenly revealed details on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process.
The discovery was made at the end of June by one of Mozilla’s Web developers, Stormy Peters, Manager of Developer Operations at Mozilla, stated in a security advisory published to the Mozilla Security Blog on Friday.
“Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server,” Peters stated.
As the information was exposed to the public, it doesn’t imply that anyone with malicious motives had uncovered it prior to being cleaned up, and in accordance with Peters, Mozilla hasn’t noticed any malicious activity on the servers, but noted they can’t rule it out.
“We traced back as much as we could. Access logs, netflow data, etc.,” the author of Mozilla’s Server Side TLS and part of Mozilla’s Operations Security team wrote. “We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can’t rule out that someone with malicious intentions got access to it.”
According to Peters, the encoded passwords were salted hashes and they, alone, can’t currently be utilized to authenticate with the MDN. However, Peter warned that MDN users might be vulnerable if they reused their initial MDN passwords on other non-Mozilla websites or authentication systems.
Mozilla sent notices to those affected, and suggested that those who had both email and password information exposed change any similar passwords they may be using elsewhere.