Mozilla Discloses Another Security Breach Exposing User Data

by Ostatic Staff - Aug. 28, 2014

Only weeks after it released the distressing news that its website dedicated to developers suffered from a database error that exposed email addresses and encrypted passwords of registered users, Mozilla is back in the news with a similar snafu. The company has just disclosed that email addresses and encrypted passwords of approximately 97,000 users who worked with early builds of the Bugzilla bug tracking software were exposed for three months after a server migration.

In a blog post, Mark Côté, the Bugzilla project’s assistant lead, writes:

"One of our developers discovered that, starting on about May 4th, 2014, for a period of around 3 months, during the migration of our testing server for test builds of the Bugzilla software, database dump files containing email addresses and encrypted passwords of roughly 97,000 users of the test build were posted on a publicly accessible server.  As soon as we became aware, the database dump files were removed from the server immediately, and we’ve modified the testing process to not require database dumps."

"...Because it is possible that some users could have reused their passwords on other websites or authentication systems, we’ve sent notices to the users who were affected by this disclosure and recommended that they change any similar passwords they may be using. It’s important to note that, unless users reused the password they used on, this does not affect email addresses or passwords."

Notably, the database dumps behind this latest security breach are similar to the ones that caused a problem for Mozilla reported in August. In that incident, about 76,000 Mozilla Development Network (MDN) users had their email addresses exposed, along with around 4,000 encrypted passwords. The leak was caused by what Mozilla referred to as a database error and a failed "data sanitization process." A web developer first noticed that incident.

Mozilla has apologized for both incidents.