MDN Database Disclosure

Stormy

We have just concluded an investigation into a disclosure affecting members of the Mozilla Developer Network. We began investigating the incident as soon as we learned of the disclosure. The issue came to light ten days ago when one of our web developers discovered that, starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server. As soon as we learned of it, the database dump file was removed from the server, and the process that generates the dump was disabled to prevent further disclosure. While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.

We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you.

The encrypted passwords were salted hashes, and by themselves they cannot be used to authenticate with the MDN website today. Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected. For those who had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using.

In addition to notifying users and recommending short-term fixes, we’re also reviewing the processes and principles in place to see what can be improved to reduce the likelihood of something like this happening again. If you have questions, please reach out to security@mozilla.org.

Thanks,

Stormy Peters
Director of Developer Relations

Joe Stevensen
Operations Security Manager
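As an added example that is not part of Mozilla's post or MDN's own tooling, the following Python shows the kind of fail-closed publish gate that addresses the failure described above (a sanitization job breaking silently while the dump still reached a public server): it refuses to publish unless the sanitizer reported success and a scan of the output finds no email addresses or salted password hashes. The row layout, hash format and sample rows are constructed for illustration, not MDN's real schema.

```python
import re

# Added example (not MDN's own tooling): a fail-closed gate for publishing a
# sanitized database dump. Row layout and hash format are assumptions made
# for illustration, not MDN's real schema.

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Django-style "algorithm$salt$hexdigest" password hash (assumed format).
SALTED_HASH_RE = re.compile(r"\b(?:sha1|md5|pbkdf2_sha256)\$[^$\s']+\$[0-9a-f]+\b")


def find_residual_pii(dump_text):
    """Count email addresses and salted password hashes still present in a dump."""
    return {
        "emails": len(EMAIL_RE.findall(dump_text)),
        "password_hashes": len(SALTED_HASH_RE.findall(dump_text)),
    }


def publish_gate(dump_text, sanitizer_exit_code):
    """Return (allowed, reason). Publishing requires BOTH a successful sanitizer
    run and a clean content scan, so a sanitizer that silently breaks blocks the
    publish step instead of pushing raw user data to a public host."""
    if sanitizer_exit_code != 0:
        return False, f"sanitizer exited with status {sanitizer_exit_code}"
    counts = find_residual_pii(dump_text)
    if counts["emails"] or counts["password_hashes"]:
        return False, f"residual PII found: {counts}"
    return True, "clean"


# Constructed sample rows: raw and sanitized versions of the same two users.
RAW_DUMP = (
    "INSERT INTO auth_user VALUES (1,'alice','alice@example.org',"
    "'sha1$a1b2c3$0123456789abcdef0123456789abcdef01234567');\n"
    "INSERT INTO auth_user VALUES (2,'bob','bob@example.net',"
    "'sha1$d4e5f6$abcdef0123456789abcdef0123456789abcdef01');\n"
)
SANITIZED_DUMP = (
    "INSERT INTO auth_user VALUES (1,'alice','REDACTED','!');\n"
    "INSERT INTO auth_user VALUES (2,'bob','REDACTED','!');\n"
)

if __name__ == "__main__":
    print(publish_gate(RAW_DUMP, 0))        # blocked: residual PII
    print(publish_gate(SANITIZED_DUMP, 0))  # (True, 'clean')
```

The content scan is a second, independent check: even when the sanitizer exits 0 but leaves one row untouched, the publish step is still blocked.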

18 responses

  1. Stojković wrote on ::

    Good luck with fixing that. This shouldn’t happen again.

  2. Andre wrote on :

    Ah.. This is just lovely. It could also explain why the amount of spam I get has increased in the last month, I used to only get about 20 in a month, now I’ve got almost 60, each of which seem to be the same message (but from different source addresses).

    Guess it’s a bit late now, they have my address already.. Whoever “they” are. :/

  3. Dave wrote on :

    MDN currently requires a sign in with Persona. What was in the password fields that were leaked? Was this the old password before switching to the new system, are those with current logins not affected, or was some password/key associated with Persona compromised? Please elaborate.

    1. Stormy wrote on ::

      It was the old password, not the Persona password.

    2. Ethan Henderson wrote on ::

      The notifications and this post have said nothing about Persona being affected, only MDN itself.
      And with my understanding of Persona, the actual site (in this case, MDN) only gets the email of the Persona account, no password or anything. So, newer accounts using Persona have seemingly only had their email addresses released and that is all (from what I’ve read).

      The leaked passwords were from older MDN accounts, and they were dumped without the salts, so they should be fine (though you should always play it safe anyways).

      1. Dave wrote on :

        If it’s only the old password I used when I first created an account long ago, that’s fine for me as I’ve long since stopped using any variations of it. My email is obtainable in a few places already so this isn’t a horrible occurrence for me personally, but it’s really disappointing to see this happen. :/

      2. Stormy wrote on ::

        The passwords included salts that were unique to each user record.

  4. Akif Rabbani wrote on :

    This is just a lovely incident for e-mail harvesters.

  5. Luciano wrote on :

    Well, I have been receiving a lot of spam lately (like 2 or 3 per day), and that never happened before. I’m not saying it’s related to this issue, but maybe.

    Anyway. I’m not mad at all, my email is already public on my website, and the way you were open about this is great.

    1. Stanley wrote on :

      I do not agree! In light of big, data mining for purposes of exploitation I believe that Mozilla has two obligations. One is to share broadly a platform that WORKS FOR PEOPLE; which it does. And the other is to protect, at all costs, what is shared is that which one chooses not to share. This is integrity and integral to the internet, in the age we live in.

      1. Meta wrote on :

        uhh…
        Stanley, I agree that developers have a responsibility to protect their users… Mozilla did exactly that: they learned of a mistake and they told the people it would have affected.
        If they had done anything differently, we would all be worse off: we’d be unaware of our vulnerability.
        The first step of solving a problem is recognizing that there is one…
        Human error exists.
        That’s a constant.
        So…
        are you going to incentivize companies to tell you about mistakes/problems which affect you so that you may take steps to protect yourself
        or
        are you going to incentivize companies to try to hide the mistakes/problems which affect you from you (which would leave you wide open to exploitation)?

  6. Eduardo Bautista wrote on ::

    Well that explains the spam.

  7. TonyW wrote on ::

    Things happen!
    Mozilla should force a reset of passwords, meaning send everyone who might have been affected a link to reset their passwords, or the second someone tries to sign in force a reset by sending a reset link to the email address on file.

    1. Stormy wrote on ::

      Those passwords can no longer be used to login to MDN. We now use Persona.

      1. Bishal Mukherjee wrote on :

        Recently I am also getting some MED–Male Enlrgmnt Spams–RBI- thoroughly state me how to stop these Spammers.

        Thanks a lot to find the Sickness.

    2. Justdave wrote on :

      Nobody should ever send links to reset passwords (not as part of an initial notification anyway). That’s the kind of thing phishers do to try to get people to enter their existing passwords as part of the password change form so they can get access to their accounts, so it’s bad to get people used to that being an option. That kind of link should only be sent after the user has themselves specifically hit something on the website to indicate they want it reset. The notification email should tell them where to go to find that link, and not actually link to it.

  8. 想睡 wrote on :

    Honestly, I have never wanted to understand the pair of technical terms you are all talking about!
    What is the intent, the meaning of that?
    I only know that a computer’s execution ability is truly impressive, truly powerful!
    But its weakness is also its execution ability!

    1. testttt wrote on :

      Shut the fuck up

  9. TechyZeldaNerd wrote on :

    I’ve actually had no spam, so I’m not sure if these are actually in the hands of spammers.
    Don’t you have logs of every time a file is accessed though, I’d think you would be able to tell how many people downloaded it, if any.

  10. Serge wrote on :

    The email I received reads “we recommend that you immediately change your password”.
    What are the (actual) steps to do that (and for email address too) ?

    1. Stormy wrote on ::

      Your old MDN password cannot be used to login to MDN anymore, so there is nothing to change on MDN. If you used your old MDN password on any other sites or any variation of that password, you should change your password on those sites.

  11. LeMaire Lee wrote on :

    Is there a way to check to make sure I’m okay other than waiting for stuff to happen?

    1. Stormy wrote on ::

      If you received an email saying your encrypted password was on the public server, and you used that password anywhere else, you should change your password on those other sites.

  12. Daniel Wilson wrote on ::

    Good luck with following this incident up and thank you for keeping everyone in the loop.

    Accidents happen, but it could have been so easy for a company to just brush this under the rug; thankfully Mozilla go the extra mile and are fully transparent – Exactly how it should be done!

    Keep up the good work guys!
    – Dan

    1. Dejan wrote on :

      Exactly!!!!

      Keep up Mozilla

  13. Stevan wrote on :

    This happens more frequently than we can possibly imagine. Mozilla has an admirable transparency on informing this occurrence, and I’m particularly thankful for that.

  14. Stanley wrote on :

    I do not understand you people, generally, and how lightly this infringement on personal security is processed. Your government, particularly in the United States, is NOT your friend; and neither are the corporations and ‘secret or clandestine operations’ that benefit from these breaches of trust.

  15. Morgan wrote on :

    Props to Mozilla for cleaning up and disclosing the breach promptly.

  16. Jam wrote on :

    Well now I know why I started receiving shite loads of junk mail. Haha shite happens…

  17. Channely wrote on ::

    This post showed me the truth about why spam suddenly appeared over the past month. Although the impact is small, I feel powerless. [|-_-|]

  18. opensource wrote on :

    Was the Database dump actually accessed from the outside world? I’m sure you guys have server logs that at least show IP addresses.

    Many thanks to the Developer that actually discovered this.

  19. Sarah wrote on :

    I’m a bit confused…is MDN the open source team? I don’t remember ever creating a Mozilla account, but maybe I did for support at some point? I must be involved somehow or I would not have gotten that email informing me of this.

    Ahhh, just looked at my logins list, could not figure out why I would have a login for MDN, but it was for Bugzilla. Leaving my initial confusion in case it helps someone else who is wondering what the heck. But I made that account AGES ago. It is going to be a hassle, though, unless so old doesn’t matter.

    Hey, spam is just all over, no matter what, and I’ve had it using any ISP I ever have. Use a spamblocker and anti-virus on email, esp if you POP it. My ISP uses anti-virus before they let me have the email, thank goodness (although I’d never open an attachment unless I was expecting it). It’s a defensive world out there. Sometimes I feel like my computer is Ft. Knox, but even so, things get through.

    Thank you for letting us know this and owning up to it. It was very responsible of you. You could have just not told us, esp since it was mostly to alert us if we use the same password multiple places. My email is pretty public and emails can be found easily. Look yourself up on Google if you think not. Stuff happens and it is good to get rid of any logins you don’t use anymore or need. And hey, before you go flaming on Mozilla, some of you, remember how many Fortune 500 companies have had worse happen?

  20. অর্নব দাস wrote on :

    Thank you, Mozilla, for informing users about the incident. We trust that Mozilla will fix this weakness in the future.
