Oops! Mozilla left thousands of email addresses and passwords lying around (again)

Graham CLULEY

August 28, 2014

For the second time in a month, Mozilla – famous for the Firefox web browser – has had to warn that thousands of email addresses and passwords were left lying around on a server that the public could easily access.

At the beginning of August, members of the Mozilla developer community were warned that approximately 76,000 email addresses and 4,000 encrypted passwords had been left on a publicly accessible server for 30 days.

For most organisations, that would be embarrassing enough. But security screw-ups can be like buses: you can wait for ages noticing nothing, and then two come along at once.

Because Mozilla announced this week a second accidental disclosure of email addresses and encrypted passwords – this time affecting roughly 97,000 users.

Not only is that more people than were affected by the previous incident, but also the data was exposed for a longer period of time – three months.

In this case, the 97,000 users affected were testers of early builds of the Bugzilla bug tracking software, and information became exposed during a server migration.

“One of our developers discovered that, starting on about May 4th, 2014, for a period of around 3 months, during the migration of our testing server for test builds of the Bugzilla software, database dump files containing email addresses and encrypted passwords of roughly 97,000 users of the test build were posted on a publicly accessible server. As soon as we became aware, the database dump files were removed from the server immediately, and we've modified the testing process to not require database dumps.”

It’s not known, of course, whether anyone with malicious intent has accessed the leaked databases. But if they had, even if they weren’t able to decrypt the (hopefully stored as salted hashes) passwords, criminals might be able to cause trouble.

For instance, tens of thousands of email addresses are useful for spammers and fraudsters who might use them to launch malicious campaigns, or attempt to phish information from users in carefully-crafted attacks.

The Mozilla Foundation is pinning its hopes on its testers not having used the same passwords as ones they might use elsewhere on the net.

“Generally, developers who use our test builds have told us they understand that these builds are insecure and may break, so they do not use passwords they would reuse elsewhere.”

I do hope that Mozilla is right about that. Because I think it’s human nature to be lazy and sloppy, and I can easily imagine that many people (even the technical dudes who have accounts on the Bugzilla testing server) might easily make the mistake of reusing passwords.

Mozilla says it is “deeply sorry for any inconvenience” and has informed users who are affected by the disclosure, advising them to change “any similar passwords that they might be using.”

Let’s hope that Mozilla takes these two scares seriously, and puts in place practices and controls to prevent accidents like this happening again.
