Slashdot Mirror


Mozilla Posts File Containing Registered User Data

wiredmikey writes "Mozilla yesterday sent an email to registered users of its addons.mozilla.org site, letting them know that it had mistakenly posted a file to a publicly available Web server which contained data from its user database including email addresses, first and last names, and an md5 hash representation of user passwords."

9 of 154 comments

  1. Mozilla's public disclosure by Giorgio+Maone · · Score: 5, Informative

    http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/
    Active accounts have their password SHA-512 hashed with per-user salt, so they're safe (for a while). However, those 44,000 holders of older (and now disabled) MD5 hashed accounts should rush to change their passwords elsewhere, if they have the bad habit of using the same password everywhere...

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
    1. Re:Mozilla's public disclosure by Rich0 · · Score: 5, Interesting

      if they have the bad habit of using the same password everywhere

      What alternative do you propose? I must have accounts on 100 different websites by now, including this one. I can't create and remember 100 distinct strong username/password combinations on all of those websites. Unless you're an autistic savant you can't either.

      Passwords are false security - they are a way to CYA and blame the victim for causing the problem, while giving them no realistic solution. Sites that depend on their users choosing unique passwords for security are simply insecure, period.

  2. Kudos to Mozilla by duvel · · Score: 5, Interesting

    This is really well played by Mozilla. We are witnessing a prime example of crisis-communication. The basic rules are:
      - Communicate early (even if you don't have all the facts yet)
      - Communicate honestly (even if you're to blame)
      - Promise follow-up (as needed)
    Performing their crisis-communication this well will probably improve public perception of Mozilla. It will certainly raise the bar for other companies.

    --
    I have a photographic memory for numbers. I know almost a hundred of them.

    1. Re:Kudos to Mozilla by higuita · · Score: 4, Insightful

      It should not happen, but we are all humans (I think!!) and humans make mistakes (and scripts/robots break and fail, by the way).

      All of us who administer servers have made some mistake in the past and probably will make more in the future. We can try to put enough road blocks in place to reduce the severity of a mistake, but they happen.

      So, as "sh*t happens", the openness and honesty of Mozilla is to be praised; most closed-source companies would try to hide and ignore things like this.

      --
      Higuita
    2. Re:Kudos to Mozilla by Opportunist · · Score: 5, Insightful

      No, they should not. But mistakes happen where humans are at work. The question is, how do these humans then deal with the problems they caused?

      The usual is to hush-hush and hope nobody notices. Mozilla could have done just that, and with far better conscience than other companies who followed that practice. According to the logs, the file was downloaded once, and that's by the person that informed them about the mistake. Essentially, one could assume that this is as "safe" as it gets considering the blunder. If they just decided to shut up about it, probably nobody would have noticed.

      But is that the right way to deal with a problem that can potentially affect your customers?

      I quite strongly recommend NOT chewing them out for making a mistake but actually applauding their very considerate approach to dealing with it. Consider the "learning effect": Chew them out and the learning effect is that it's better to just hush up when you lose customer data, especially if the chance of it getting into the wrong hands is slim. That's pretty much what most other companies do, and even if it gets out it rarely causes more than a bit of a tempest in a teapot on /.

      Outside the security concerned tech community, nobody even notices.

      So yes, mistakes like that should not happen. But they do. They happened, they happen and they will happen as long as humans are somehow involved in the process. Hence I welcome how they dealt with it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Re:Don't fret before reading TFA... by cheater512 · · Score: 4, Informative

    Nope no exploit. They just accidentally made a backup publicly accessible.

    They went through the logs and no one actually downloaded it except the person who notified them of the problem.

  4. I think my Gmail was hacked because of this by kbg · · Score: 4, Informative

    The day before this was noticed my Gmail account was hacked by Chinese spammers and I know I used the same password there. So I am skeptical about the claims that no one had downloaded this file. The email only says when they noticed the problem, but doesn't specify how long the file was available before that. It could have been available for a long time.

  5. Re:Encrypting passwords is less secure by carlhaagen · · Score: 4, Informative

    No, you're actually wrong - in the context of password protection, encrypting passwords means using a one-way encryption scheme. The method is in some ways similar to hashing, but the common process used is actually that of a modified version of the Blowfish crypto cipher resulting in a non-reversible output. The process is very time-consuming compared to generic hashing such as MD5, SHAx etc., and is practically impossible to create rainbow tables for, practically impossible to brute-force. You can educate yourself further on the topic here: http://codahale.com/how-to-safely-store-a-password/
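The three storage schemes this thread contrasts (the legacy unsalted MD5 of the disabled accounts, the per-user salted SHA-512 of active accounts from the disclosure comment above, and a deliberately slow derivation as the linked article recommends) side by side, as an added example that is not part of the original thread or of Mozilla's code; the passwords and salts are constructed sample values, and PBKDF2-HMAC-SHA512 from the standard library stands in for bcrypt, which needs a third-party package.

```python
import hashlib
import hmac
import os

# Constructed sample input for the demonstration (not real user data).
SAMPLE_PASSWORD = "correct horse battery staple"


def md5_unsalted(password: str) -> str:
    """Legacy scheme: plain MD5 of the password. Two users with the same
    password get the same hash, so one precomputed (rainbow) table covers
    every account at once, and the hash itself is cheap to compute."""
    return hashlib.md5(password.encode()).hexdigest()


def sha512_salted(password: str, salt: bytes) -> str:
    """Per-user salted SHA-512. A different salt per user defeats shared
    precomputed tables, but SHA-512 is still a fast hash: each guess costs
    an attacker only one hash computation."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


def slow_kdf(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Deliberately slow derivation (PBKDF2-HMAC-SHA512 from the standard
    library, standing in for bcrypt). The iteration count is the work factor:
    raising it makes every guess proportionally more expensive."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)


def make_record(password: str) -> dict:
    """Store a fresh random salt next to the derived key, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": slow_kdf(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Re-derive with the stored salt; compare in constant time so the check
    does not leak how many leading bytes matched."""
    return hmac.compare_digest(record["hash"], slow_kdf(candidate, record["salt"]))


if __name__ == "__main__":
    rec = make_record(SAMPLE_PASSWORD)
    print("unsalted md5 :", md5_unsalted(SAMPLE_PASSWORD))
    print("salted sha512:", sha512_salted(SAMPLE_PASSWORD, rec["salt"])[:32], "...")
    print("slow kdf ok  :", verify(rec, SAMPLE_PASSWORD), "| wrong password:", verify(rec, "nope"))
```

Running it twice shows the unsalted MD5 line never changes while the salted outputs differ every run, which is exactly why the 44,000 MD5 accounts are the ones the disclosure singles out.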

  6. Re:Don't fret before reading TFA... by Anonymous Coward · · Score: 4, Funny

    I just checked with the RIAA and they said that it is likely that thousands of people downloaded it from that person's machine.