Mozilla has admitted that its developer network database has been breached, potentially disclosing the details of 76,000 users.
According to a blog post authored by operations security manager Joe Stevensen and director of developer relations Stormy Peters, the incident was discovered following a data sanitisation process of the database. While the passwords were encrypted, the email addresses were not and all were available on a publicly accessible server.
“As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access,” it said.
“We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you.”
It was confirmed that the encrypted passwords were salted hashes and cannot be used to authenticate with the developer website by themselves. “Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems,” they said. “We’ve sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.”
Andy Green, senior digital content producer also at Varonis, called it both a good news/bad news story as it is great that Mozilla had added some salt when hashing the passwords, but the fact the email addresses are valuable to hackers who can use them to launch a more finely tuned phishing campaign, based on knowing the targets are Mozilla users.
Ken Westin, security researcher at Tripwire, said: “Breaches caused by misconfigurations or introduced through improperly tested code changes are increasingly common. Mozilla may not be able to identify if the information was used maliciously, however the fact they disclosed the issue helps a great deal to mitigate the risks by alerting individuals affected to change passwords on other systems and services that might use the same password.
“There should be stronger controls in place, as well as testing to avoid issues such as this and I am sure that Mozilla will be revisiting their security architecture, policies and procedures as a result of this breach.”
Rob Sobers, manager at Varonis, said that the key lessons learned are that 1) that just because sensitive data natively resides in a database or application, doesn’t mean it’s going to stay there; 2) monitoring file system
s for sensitive information is critical for detecting when sensitive data becomes overexposed—accidentally or otherwise; and thirdly never re-use passwords!
“Also, a glitch implies that the database system itself was flawed,” he said. “Without having all the details, it would seem to me that one of Mozilla’s internal processes or systems operating against a database had a bug introduced that caused the problem.”