The Tech Herald

Mozilla password disclosure a non-event

by Steve Ragan - Dec 29 2010, 05:30


Earlier this month Mozilla learned that a partial database of user accounts, used on addons.mozilla.org, was inadvertently left on a public server. Contrary to reports, however, there is nothing to panic over.

The only outsider who accessed the data was the security researcher who reported the mistake to Mozilla. The FUD-laced headlines are misleading: the third sentence of the Mozilla blog post disclosing the issue explains that the open-source corporation can account for each download of the file.

The researcher, reporting the incident through Mozilla’s Web Bounty Program, discovered the database on a public server. It contained 44,000 inactive accounts whose passwords were protected only by MD5 hashing. Current accounts are better protected: their passwords are hashed with SHA-512 using a per-user salt, so an identical password does not produce an identical stored hash across accounts.
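To show why the distinction between the two schemes matters, here is an added Python example, not code from the article or from Mozilla, that hashes a constructed set of sample users both ways and then runs the same wordlist attack against each table. The usernames, passwords and wordlist are invented for the example; the point is the attack cost: with unsalted MD5 the attacker hashes the wordlist once and looks up every account, and two users with the same password are exposed together, whereas with a per-user salt each account must be attacked separately and identical passwords no longer share a hash.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Tuple

# Constructed sample data for this example only; these are not records from
# the addons.mozilla.org incident. Two users share the same weak password.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("alice", "password"),
    ("bob", "letmein"),
    ("carol", "password"),
    ("dave", "Tr0ub4dor&3"),
]

# A tiny attacker wordlist, also constructed for the example.
WORDLIST: List[str] = ["password", "letmein", "qwerty", "mozilla1"]


def md5_unsalted(password: str) -> str:
    """Legacy scheme: a single unsalted MD5 of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def legacy_table(users: List[Tuple[str, str]]) -> Dict[str, str]:
    """Build the stored table as the legacy scheme would: user -> md5 hex."""
    return {user: md5_unsalted(pw) for user, pw in users}


def crack_unsalted(table: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash the wordlist once, then look up every account in the result.

    Total work is len(wordlist) hashes no matter how many accounts leaked,
    and every account that shares a password falls at the same time.
    """
    lookup = {md5_unsalted(w): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in table.items() if h in lookup}
    return cracked, len(wordlist)


def sha512_salted(password: str, salt: bytes) -> str:
    """Current scheme: SHA-512 over a per-user random salt plus the password."""
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()


def salted_table(
    users: List[Tuple[str, str]], salt_source: Callable[[int], bytes] = os.urandom
) -> Dict[str, Tuple[bytes, str]]:
    """Store (salt, hash) per user. The salt is not secret, only unique."""
    records: Dict[str, Tuple[bytes, str]] = {}
    for user, pw in users:
        salt = salt_source(16)
        records[user] = (salt, sha512_salted(pw, salt))
    return records


def crack_salted(table: Dict[str, Tuple[bytes, str]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """No shared precomputation is possible: each account needs its own pass.

    Returns the cracked accounts and the number of hashes the attacker had to
    compute, which now grows with the number of accounts as well as words.
    """
    cracked: Dict[str, str] = {}
    hashes = 0
    for user, (salt, stored) in table.items():
        for w in wordlist:
            hashes += 1
            if hmac.compare_digest(sha512_salted(w, salt), stored):
                cracked[user] = w
                break
    return cracked, hashes


def verify(record: Tuple[bytes, str], candidate: str) -> bool:
    """Login-time check for the salted scheme, using a constant-time compare."""
    salt, stored = record
    return hmac.compare_digest(sha512_salted(candidate, salt), stored)


if __name__ == "__main__":
    legacy = legacy_table(SAMPLE_USERS)
    print("unsalted MD5:", crack_unsalted(legacy, WORDLIST))
    salted = salted_table(SAMPLE_USERS)
    print("salted SHA-512:", crack_salted(salted, WORDLIST))
    print("alice and carol share a hash (MD5):", legacy["alice"] == legacy["carol"])
    print("alice and carol share a hash (salted):", salted["alice"][1] == salted["carol"][1])
```

The salt defeats precomputed tables and cross-account matching, which is the gain the article points to. A single SHA-512 is still cheap per guess, so a weak password in the salted table is still found quickly by a per-account dictionary run; that is why a deliberately slow password hash is the usual recommendation on top of salting, a point added here rather than taken from the article.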

“This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure,” Mozilla’s director of infrastructure security, Chris Lyon, said in a blog post.

“We erased all the md5-passwords, rendering the accounts disabled... It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla’s infrastructure.”

The hype over Mozilla’s disclosure is somewhat understandable, especially given the 1.3 million records lost by Gawker Media when it was compromised earlier this month. That incident led to a rush of spam on Twitter, using accounts compromised by the Gawker breach.
