Mozilla accidentally leaks 76,000 developers' email addresses, 4,000 passwords

Snafu went unnoticed for a month


Firefox maker Mozilla has fallen foul of a security breach that exposed personal data relating to members of its Mozilla Developer Network (MDN).

In a co-authored blog post, Stormy Peters, head of Mozilla's developers unit, and Joe Stevenson, its head security honcho, wrote that a failed data sanitization process on the MDN site database caused email addresses belonging to 76,000 users and encrypted passwords of around 4,000 users to be dumped onto a publicly viewable server.

The snafu went unnoticed for 30 days until it was picked up by a web developer on July 23, according to Mozilla, which immediately removed the data dump from the server and disabled the offending process.

Safe move

The company wrote that it hasn't detected any malicious activity on the server in question but encouraged users to change their login details to be on the safe side.

"The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today," Peters and Stevenson wrote. "Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems.

"We've sent notices to the users who were affected. For those that had both email and encrypted passwords disclosed, we recommended that they change any similar passwords they may be using."