Firefox developer Mozilla has revealed this week that a database containing usernames and password hashes belonging to thousands of users of addons.mozilla.org had been posted publicly by accident.
44,000 user IDs and password hashes were revealed in the accidental disclosure. Mozilla's security team has already contacted all those potentially affected via email.
The weakness of the MD5 hash
Sophos explains how Mozilla stored passwords set before April 9th, 2009 as MD5 hashes – which has cryptographic weaknesses that could allow security experts to still determine your password and access your account.
Since April 9, 2009, Mozilla has used the far more secure SHA-512 with per-user salts to store password hashes.
In the spirit of open-ness, Mozilla has disclosed all the details about the potential privacy breach.
Take care with passwords
Mozilla's Chris Lyon, director of infrastructure security, writes on the Mozilla Security blog:
"On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program.
"We were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.
"The database included 44,000 inactive accounts using older, md5-based password hashes. We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per user salts has been the standard storage method of password hashes for all active users since April 9th, 2009."
Mozilla is confident that no one other than the person who reported the incident had access to the file. However, it is would still be wise to change your password if you are one of the 44,000 recipients of the latest email from Mozilla Security.
Better to be safe than sorry, after all!.
Via Nakedsecurity.sophos.com and the Mozilla Security Blog
