User data for some registered developers of Mozilla Add-ons was temporarily exposed by mistake on a Mozilla server. Mozilla has disabled those users’ accounts until they reset their passwords.
As a registered user, I received an e-mail last night from Chris Lyon, Director of Infrastructure Security at Mozilla, informing me of the breach, which occurred on December 17 and was discovered by “a 3rd party,” identified as a security researcher in a subsequent blog post on the matter.
According to the e-mail, the server held a file containing “…a partial representation of the users database from addons.mozilla.org. The file included email addresses, first and last names, and an md5 hash representation of your password.”
The letter stated that, apart from the referenced 3rd party, only Mozilla staff had downloaded the file before it was removed. Mozilla has also identified how the file came to be on the server and has taken steps to prevent a repeat.
Nevertheless, as a precaution they removed all those users’ passwords from the Addons site and asked them to use the Password Reset function to create a new one. To do so, users click “I forgot my password” at the login screen and enter an e-mail address.
An e-mail with a personalized link is sent to the e-mail address, which is associated with a particular account. That link brings the user to a page which resets the password. Until that is done, the user cannot log in.
The accounts in the exposed file all had older MD5 hashes and (like mine) were inactive. On April 9, 2009, Mozilla changed to a password system using SHA-512 password hashes and per-user salts. Users with active accounts were not affected.
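The reset procedure described above and the MD5-to-salted-SHA-512 change are easier to see side by side in code. What follows is an added example written for this page, not Mozilla's own code; the in-memory stores, the reset URL, the sample users and wordlist, and the one-hour link lifetime are all assumptions. It shows why the leaked MD5 hashes were the real risk (one dictionary pass cracks every account at once, and identical passwords share a hash), how a per-user salt removes that advantage, and a token-based reset that leaves a password-less account unusable until the e-mailed link is followed. One caveat a practitioner would add today: salted SHA-512 is a large improvement over bare MD5 but is still a fast hash, so a system designed now should use a deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2 instead.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Iterable, Optional, Tuple

# ---------------------------------------------------------------------------
# Password storage: the legacy scheme found in the leaked file beside the
# scheme Mozilla had already moved to in April 2009.
# ---------------------------------------------------------------------------

def md5_unsalted(password: str) -> str:
    """Legacy scheme: bare MD5 of the password; identical for identical passwords."""
    return hashlib.md5(password.encode()).hexdigest()

def sha512_salted(password: str, salt: bytes) -> str:
    """Replacement scheme: SHA-512 over a random per-user salt plus the password."""
    return hashlib.sha512(salt + password.encode()).hexdigest()

def crack_unsalted(stolen: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Offline dictionary attack on unsalted hashes (stolen: email -> md5 hex).
    One table of hashed candidates is looked up against every account at once,
    so the cost is one hash per candidate no matter how many users leaked."""
    words = list(wordlist)
    table = {md5_unsalted(w): w for w in words}
    found = {email: table[h] for email, h in stolen.items() if h in table}
    return found, len(words)

def crack_salted(stolen: Dict[str, Tuple[bytes, str]], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Same attack against salted hashes (stolen: email -> (salt, sha512 hex)).
    Every candidate must be re-hashed under each user's own salt, so the cost
    scales with users * candidates and no precomputed table helps."""
    words = list(wordlist)
    found: Dict[str, str] = {}
    ops = 0
    for email, (salt, h) in stolen.items():
        for w in words:
            ops += 1
            if hmac.compare_digest(sha512_salted(w, salt), h):
                found[email] = w
    return found, ops

# ---------------------------------------------------------------------------
# Account state and the forced password reset described in the post.
# Constructed in-memory dicts stand in for the real database.
# ---------------------------------------------------------------------------

USERS: Dict[str, dict] = {}          # email -> {"scheme", "salt", "hash"}
RESET_TOKENS: Dict[str, dict] = {}   # sha256(token) -> {"email", "expires"}
TOKEN_TTL = 3600                     # assumed one-hour validity for a reset link

def create_legacy_user(email: str, password: str) -> None:
    """An old, inactive account still carrying an unsalted MD5 hash."""
    USERS[email] = {"scheme": "md5", "salt": None, "hash": md5_unsalted(password)}

def disable_password(email: str) -> None:
    """Mozilla's precaution: drop the stored hash so the account cannot log in."""
    USERS[email]["hash"] = None

def login(email: str, password: str) -> bool:
    u = USERS.get(email)
    if u is None or u["hash"] is None:      # unknown or reset-pending account
        return False
    if u["scheme"] == "md5":
        return hmac.compare_digest(u["hash"], md5_unsalted(password))
    return hmac.compare_digest(u["hash"], sha512_salted(password, u["salt"]))

def request_reset(email: str, now: Optional[float] = None) -> Optional[str]:
    """'I forgot my password': returns the personalized link that would be
    e-mailed, or None when the address is unknown (no mail is sent). The HTTP
    response shown to the requester must look the same in both cases so the
    form cannot be used to confirm which addresses are registered."""
    if email not in USERS:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Store only a hash of the token: a leaked token table yields no live links.
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "email": email, "expires": now + TOKEN_TTL}
    return "https://addons.example/users/pwreset/" + token   # hypothetical URL

def complete_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """The link is opened and a new password chosen. The token is single-use
    and time-limited; the new hash is stored under the salted SHA-512 scheme."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if rec is None or now > rec["expires"]:
        return False
    salt = secrets.token_bytes(16)
    USERS[rec["email"]] = {"scheme": "sha512", "salt": salt,
                           "hash": sha512_salted(new_password, salt)}
    return True

if __name__ == "__main__":
    create_legacy_user("dev@example.com", "letmein")
    disable_password("dev@example.com")
    link = request_reset("dev@example.com")
    print("login while reset pending:", login("dev@example.com", "letmein"))
    print("reset ok:", complete_reset(link.rsplit("/", 1)[1], "new-pass"))
    print("login after reset:", login("dev@example.com", "new-pass"))
```

The two crack functions return the number of hash computations alongside the recovered passwords, which is the concrete difference a salt makes: against the unsalted file the attacker pays once per candidate for the whole user list, while against the salted store the same wordlist has to be re-run per account. The reset handler stores only a hash of the token and deletes it on first use, so neither a second copy of the token table nor a re-used link can complete a reset.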