Mozilla inadvertently leaks 44,000 users' passwords

In what can only be described as a serious mistake, Mozilla accidentally left a partial database of user accounts on a publicly accessible server. The exposure went unnoticed for some time, until December 17, when a security researcher notified Mozilla of the issue.

The leaked database contained 44,000 inactive accounts for addons.mozilla.org whose passwords were hashed with MD5. Only accounts created before April 9, 2009 were affected; since that date Mozilla has protected account data with SHA-512 password hashes and per-user salts.
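The difference between the two schemes the article names is the security-relevant point of the story, so here is an added example (my code, not Mozilla's, and not from the article) showing why it matters. A precomputed table of hashes for common passwords is built once and matched against stored hashes; it finds every legacy unsalted-MD5 record whose password is in the list, but fails against the same password stored as SHA-512 with a random per-user salt, because each salt yields a hash the table has never seen. The password list, the salt length and the record layout are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny "common passwords" list standing in for the
# much larger wordlists a precomputed table would actually be built from.
COMMON_PASSWORDS = ["password", "123456", "letmein", "firefox", "qwerty"]


def md5_unsalted(password: str) -> str:
    """Legacy scheme: plain MD5 of the password, identical for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def sha512_salted(password: str, salt: bytes) -> str:
    """Newer scheme: SHA-512 over a per-user random salt plus the password."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute unsalted MD5 for each word: a stand-in for a rainbow table."""
    return {md5_unsalted(w): w for w in words}


def recover_from_table(table, stored_hash):
    """Table lookup: returns the plaintext if the hash was precomputed, else None."""
    return table.get(stored_hash)


def legacy_record(password: str) -> dict:
    return {"scheme": "md5", "hash": md5_unsalted(password)}


def modern_record(password: str) -> dict:
    salt = os.urandom(16)  # 16-byte salt is an assumption for this example
    return {"scheme": "sha512", "salt": salt.hex(),
            "hash": sha512_salted(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against either record type (constant-time compare)."""
    if record["scheme"] == "md5":
        return hmac.compare_digest(record["hash"], md5_unsalted(candidate))
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["hash"], sha512_salted(candidate, salt))


def demo() -> dict:
    """Same weak password stored both ways, then attacked with one precomputed table."""
    table = build_lookup_table(COMMON_PASSWORDS)
    legacy = legacy_record("firefox")
    modern = modern_record("firefox")
    return {
        "legacy_recovered": recover_from_table(table, legacy["hash"]),  # "firefox"
        "modern_recovered": recover_from_table(table, modern["hash"]),  # None
        "modern_verifies": verify(modern, "firefox"),                   # True
    }


if __name__ == "__main__":
    print(demo())
```

The salt only defeats precomputation; SHA-512 is still a fast hash, so each salted record can be guessed individually at hardware speed. A deliberately slow, memory-hard password hash (bcrypt, scrypt or Argon2) is what a practitioner would choose today; the point of the example is the property the article's migration bought, namely that one table no longer cracks every account at once.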

Chris Lyon, Mozilla's Director of Infrastructure, posted on the Mozilla Security Blog about the breach late Monday night. Lyon says that all impacted users have been sent an email, or will be sent one soon about their potentially compromised account. He also wants to make the fact very clear that this security issue does not affect current addons.mozilla.org users or accounts, only those that were inactive and created before April 9, 2009.

The incident had no impact on any of Mozilla's infrastructure. Mozilla has been very upfront about the issue, which was reported through its web bounty program, and took appropriate measures to secure everyone's data. The company also said that it "were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure."
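Accounting for every download of an exposed file is an access-log exercise, so here is an added example (my code, not Mozilla's, and not from the article) of the check an incident responder would run: parse web server access logs, keep only requests that actually transferred the file body (GET with a 200 or 206 status; HEAD requests and 304 responses move no data), and tag each one as internal or external so staff downloads can be separated from anyone else's. The log lines, the file path, the addresses and the "internal" network range are all constructed placeholders, not values from the incident.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed Apache/nginx "combined" log lines. File name and addresses are
# placeholders; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Dec/2010:09:12:01 +0000] "GET /exports/users_partial.csv HTTP/1.1" 200 5128832 "-" "Mozilla/5.0"
198.51.100.23 - - [17/Dec/2010:09:15:44 +0000] "GET /index.html HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
10.0.0.5 - - [17/Dec/2010:10:02:10 +0000] "GET /exports/users_partial.csv HTTP/1.1" 200 5128832 "-" "curl/7.21.0"
192.0.2.44 - - [17/Dec/2010:11:40:03 +0000] "HEAD /exports/users_partial.csv HTTP/1.1" 200 0 "-" "Wget/1.12"
203.0.113.7 - - [17/Dec/2010:12:00:30 +0000] "GET /exports/users_partial.csv HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

LEAKED_PATH = "/exports/users_partial.csv"          # placeholder for the exposed file
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed staff/office range

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str):
    """Return a dict of the fields we need, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_downloads(log_text: str, path: str = LEAKED_PATH) -> list:
    """Every request that transferred the file body: GET with 200 (full) or 206 (range)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path or rec["method"] != "GET":
            continue
        if rec["status"] not in (200, 206):
            continue
        rec["origin"] = "internal" if is_internal(rec["ip"]) else "external"
        hits.append(rec)
    return hits


def summarize(hits: list) -> dict:
    """Group download timestamps by client address for the incident report."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h["ts"])
    return dict(by_ip)


if __name__ == "__main__":
    downloads = find_downloads(SAMPLE_LOG)
    for d in downloads:
        print(d["ts"], d["ip"], d["origin"], d["size"])
    print(summarize(downloads))
```

Two caveats turn up in real investigations: a 206 hit with a small byte count may be only part of the file, so range requests need their sizes summed per client before a download is called complete, and any cache or CDN in front of the server means its logs, not only the origin's, have to be checked.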

The root cause of the leak was not identified, but judging by the way Mozilla has reacted, it is clear that the company wants to protect customer data and will take steps to prevent a slip-up like this from happening again.


42 Comments


The way they were all inactive accounts, and on a public server makes me think they were sold/copied somewhere for some sort of "mailing". Maybe I'm just being cynical...

DomZ said,
The way they were all inactive accounts, and on a public server makes me think they were sold/copied somewhere for some sort of "mailing". Maybe I'm just being cynical...

Sold? Advertising companies aren't interested in buying inactive accounts because the user may have also changed email addresses. They are more interested in paying for active users where they know the information isn't stale.

If Mozilla was selling user information (which I don't think they are) they would be selling active accounts not inactive ones.

thatguyandrew1992 said,
So ONLY inactive accounts? What constitutes inactive?

I was one of the affected people. Here is the email that they sent to affected users: (It clearly states that if your password was included that they deactivated your account so you can change the password)

Dear addons.mozilla.org user,

The purpose of this email is to notify you about a possible disclosure of your information which occurred on December 17th. On this date, we were informed by a 3rd party who discovered a file with individual user records on a public portion of one of our servers. We immediately took the file off the server and investigated all downloads. We have identified all the downloads and with the exception of the 3rd party, who reported this issue, the file has been downloaded by only Mozilla staff. This file was placed on this server by mistake and was a partial representation of the users database from addons.mozilla.org. The file included email addresses, first and last names, and an md5 hash representation of your password. The reason we are disclosing this event is because we have removed your existing password from the addons site and are asking you to reset it by going back to the addons site and clicking forgot password. We are also asking you to change your password on other sites in which you use the same password. Since we have effectively erased your password, you don't need to do anything if you do not want to use your account. It is disabled until you perform the password recovery.

We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future. We are also evaluating other processes to ensure your information is safe and secure.

Should you have any questions, please feel free to contact the infrastructure security team directly at infrasec@mozilla.com. If you are having issues resetting your account, please contact amo-admins@mozilla.org.

We apologize for any inconvenience this has caused.

Chris Lyon
Director of Infrastructure Security

MazdawgRollin said,
Seconded

We had some ****tard in uni talking about how 'amazing' his online backup is... Yeh, so great that altering a single bit of it meant the entire backup is useless, wow sign me right up.... Everything is going cloud, and it takes all the worst reasons with it.

Skyfrog said,
This is why "cloud computing" can go take a flying leap.

And here I thought I was the only one that felt this way...

n_K said,

We had some ****tard in uni talking about how 'amazing' his online backup is... Yeh, so great that altering a single bit of it meant the entire backup is useless, wow sign me right up.... Everything is going cloud, and it takes all the worst reasons with it.

Happy Carbonite User here!

If your password is all numeric, a word in a dictionary, or under 8 characters it will take only seconds to crack it.

dyl4n said,
If your password is all numeric, a word in a dictionary, or under 8 characters it will take only seconds to crack it.
MD5 hashed passwords are the most commonly cracked ones on the net. So I don't see how you're so calm about it.

Morphine-X said,
MD5 hashed passwords are the most commonly cracked ones on the net. So I don't see how you're so calm about it.

He wasn't? He said it would take seconds to crack.

dyl4n said,
If your password is all numeric, a word in a dictionary, or under 8 characters it will take only seconds to crack it.
Rainbow tables. They take a brute force attack (start with 0, then 1, then 2, then 3.... a1, a2.... ab, ac...timmy, timmz, timoa), hash it, and then you just have to compare hash to hash.

With a rainbow table, any password can be cracked in 28 seconds MAX.... provided you have the hash. http://en.wikipedia.org/wiki/Rainbow_table

A rainbow table is a precomputed lookup table offering a time-memory tradeoff used in recovering the plaintext password from a password hash generated by a hash function, often a cryptographic hash function. A common application is to make attacks against hashed passwords feasible. A salt is often employed with hashed passwords to make this attack more difficult, often unfeasible.

To the last part, since these were unsalted, that doesn't apply

cybertimber2008 said,
With a rainbow table, any password can be cracked in 28 seconds MAX.... provided you have the hash.

Please ship your 'supercomputer' over to IBM; they'd like to know how it defies all logic for a single computer with a pretty crap stock compared to the supercomputers they're making and installing all over the world.

cybertimber2008 said,
Rainbow tables. They take a brute force attack (start with 0, then 1, then 2, then 3.... a1, a2.... ab, ac...timmy, timmz, timoa), hash it, and then you just have to compare hash to hash.

With a rainbow table, any password can be cracked in 28 seconds MAX.... provided you have the hash. http://en.wikipedia.org/wiki/Rainbow_table

To the last part, since these were unsalted, that doesn't apply

28 sec? Really? 2/3 chars password maybe

m4n3 said,
28 sec? Really? 2/3 chars password maybe

@n_k, @m4n3: How about you google a bit on Rainbow Tables? I'm just quoting what I learned in my security courses.

Now, the book I have says 28 seconds... this site says 160. http://www.kavoir.com/2010/03/...ry-and-rainbow-attacks.html

"With a mapping table of trillions of hash to cleartext pairs, it takes only 160 seconds to crack the password “Fgpyyih804423” which most of us would generally agree is fairly safe."

cybertimber2008 said,

@n_k, @m4n3: How about you google a bit on Rainbow Tables? I'm just quoting what I learned in my security courses.

Now, the book I have says 28 seconds... this site says 160. http://www.kavoir.com/2010/03/...ry-and-rainbow-attacks.html

"With a mapping table of trillions of hash to cleartext pairs, it takes only 160 seconds to crack the password “Fgpyyih804423” which most of us would generally agree is fairly safe."


You didn't do a very good security course.
Seeing as I do rainbow tables and whatnot for penetration testing, let me give YOU an insight:
LM tables (the old Windows method of storing passwords), which cover lengths from 0-7 of lowercase letters, numbers, some symbols and a space character: I've got the rainbow table for every single possible hash of it, and it's almost 150GB in space.
The programs work by loading chunks of the rainbow table into memory and then searching through them. Even if you've got a very expensive computer with 8GB of RAM, you're loading 150GB of data from hard drive to RAM and searching through it all; loading the chunks into RAM is the most time consuming piece, is limited by the speed of the hard drive, and takes a VERY long time. My LM method, for instance, would take 40 minutes to run through a single password, and that's with 3GB of RAM.

Eraknelo said,
I don't see any problem. They were hashed into MD5... No way to decrypt :\

I bet you use WEP on your wifi, right? Script kiddie proof... lol

lcg said,
Ouch. What an awful security breach.

Hardly. Passwords for inactive accounts on an addons website isn't exactly a serious breach. Actually thinking about it, it isn't even a breach at all. Nothing was breached. It's a leak at worst.

Also for the record, anybody stupid enough to use the same password for a browser addons site and anything important like banking deserves to have their money stolen

I suppose you're right. In comparison to some recent breaches, 44,000 usernames and passwords isn't exactly a record breaker. Not serious at all. Really, anything under a million isn't very serious.

TCLN Ryster said,

Hardly. Passwords for inactive accounts on an addons website isn't exactly a serious breach. Actually thinking about it, it isn't even a breach at all. Nothing was breached. It's a leak at worst.

Also for the record, anybody stupid enough to use the same password for a browser addons site and anything important like banking deserves to have their money stolen

TCLN Ryster said,

Also for the record, anybody stupid enough to use the same password for a browser addons site and anything important like banking deserves to have their money stolen

You are right, but that's not the point anyway.

waruikoohii said,
I suppose you're right. In comparison to some recent breaches, 44,000 usernames and passwords isn't exactly a record breaker. Not serious at all. Really, anything under a million isn't very serious.

I don't agree with your view on this; there are lots of users who use the same password for forums and common websites. I don't think this is the kind of reply we would get if the same had happened with Internet Explorer.
I am a lover of Firefox & Mozilla, but it doesn't mean they can be very casual about the security of users' information.