Oops! Mozilla left thousands of email addresses and passwords lying around (again)

For second time in a month, Mozilla – famous for the Firefox web browser – has had to warn that thousands of email addresses and passwords were left lying around on a server that the public could easily access.

At the beginning of August members of the Mozilla developer community were warned that approximately 76,000 email addresses and 4,000 encrypted passwords had been left on a publicly accessible server for 30 days.

For most organisations, that would be embarrassing enough. But security screw-ups can be like buses, you can wait for ages noticing nothing, and then two come along at once.

Because Mozilla announced this week a second accidental disclosure of email addresses and encrypted passwords – this time affecting roughly 97,000 users.

Not only is that more people than were affected by the previous incident, but also the data was exposed for a longer period of time – three months.

In this case, the 97,000 users affected were testers of early builds of the Bugzilla bug tracking software, and information became exposed during a server migration.

One of our developers discovered that, starting on about May 4th, 2014, for a period of around 3 months, during the migration of our testing server for test builds of the Bugzilla software, database dump files containing email addresses and encrypted passwords of roughly 97,000 users of the test build were posted on a publicly accessible server. As soon as we became aware, the database dump files were removed from the server immediately, and we`ve modified the testing process to not require database dumps.

It’s not known, of course, that anyone with malicious intent has accessed the leaked databases. But if they had, even if they weren’t able to decrypt the (hopefully stored as salted hashes) passwords, criminals might be able to cause trouble.

For instance, tens of thousands of email addresses are useful for spammers and fraudsters who might use them to launch malicious campaigns, or attempt to phish information from users in carefully-crafted attacks.

The Mozilla Foundation is pinning its hopes on its testers not having used the same passwords as ones they might not use elsewhere on the net.

Generally, developers who use our test builds have told us they understand that these builds are insecure and may break, so they do not use passwords they would reuse elsewhere.

I do hope that Mozilla is right about that. Because I think it’s human nature to be lazy and sloppy, and I can easily imagine that many people (even the technical dudes who have accounts on the Bugzilla testing server) might easily make the mistake of reusing passwords.

Mozilla says it is “deeply sorry for any inconvenience” and has informed users who are affected by the disclosure, advising them to change “any similar passwords that they might be using.”

Lets hope that Mozilla takes these two scares seriously, and puts in place practices and controls to prevent accidents like this happening again.