What can only be described as a large mistake by someone, Mozilla somehow accidentally left a partial database of user accounts on a public server. This breach in security went on for some time, until on December 17 after Mozilla was notified by a security researcher of the issue.
The leaked database contained 44,000 inactive accounts for addons.mozilla.org that had passwords hashed using md5 technology. This leak only affected accounts created before April 9, 2009, as since then up through now Mozilla uses a SHA-512 password hash with per-user salts to protect account data.
Chris Lyon, Mozilla’s Director of Infrastructure, posted on the Mozilla Security Blog about the breach late Monday night. Lyon says that all impacted users have been sent an email, or will be sent one soon about their potentially compromised account. He also wants to make the fact very clear that this security issue does not affect current addons.mozilla.org users or accounts, only those that were inactive and created before April 9, 2009.
Additionally, there was no impact by the incident on any of Mozilla’s infrastructure. Mozilla has been very upfront about the issue reported to them via their web bounty program, and took appropriate measures to ensure the security of everyone’s data. The company also said that they “were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.”
The root cause of the leak was not identified, however with the way that Mozilla has reacted, it is clear that they want to protect customer data and will take steps in the future to prevent such a potentially horrible slip-up like this from happening again.