Slashdot Mirror


Mozilla Posts File Containing Registered User Data

wiredmikey writes "Mozilla yesterday sent an email to registered users of its addons.mozilla.org site, letting them know that it had mistakenly posted a file to a publicly available Web server which contained data from its user database including email addresses, first and last names, and an md5 hash representation of user passwords."

4 of 154 comments

  1. Mozilla's public disclosure by Giorgio Maone · · Score: 5, Informative

    http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/
    Active accounts have their password SHA-512 hashed with per-user salt, so they're safe (for a while). However those 44,000 holders of older (and now disabled) MD5 hashed accounts should rush to change their passwords elsewhere, if they have the bad habit of using the same password everywhere...

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript

    1. Re:Mozilla's public disclosure by Rich0 · · Score: 5, Interesting

      if they have the bad habit of using the same password everywhere

      What alternative do you propose? I must have accounts on 100 different websites by now, including this one. I can't create and remember 100 distinct strong username/password combinations on all of those websites. Unless you're an autistic savant you can't either.

      Passwords are false security - they are a way to CYA and blame the victim for causing the problem, while giving them no realistic solution. Sites that depend on their users choosing unique passwords for security are simply insecure, period.
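
    The first comment above draws the line between the disabled accounts (unsalted MD5) and the active ones (SHA-512 with a per-user salt). The example below is added here to show that difference concretely; it is not code from Mozilla or from the linked disclosure. The account names and passwords are constructed sample data, and the storage format (hex salt, "$", hex digest) is an assumption chosen for the illustration, not the format addons.mozilla.org used.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for illustration only; not data from the incident.
SAMPLE_USERS = {
    "alice": "correct horse",
    "bob": "correct horse",      # deliberately the same password as alice
    "carol": "battery staple",
}


def legacy_md5(password):
    """Unsalted MD5, as described for the old, now-disabled accounts.

    The hash is a pure function of the password, so every user with the
    same password gets the same stored value, and one precomputed table of
    common passwords covers the whole user table at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_salt():
    """A fresh random per-user salt (16 bytes is an assumption, not Mozilla's value)."""
    return os.urandom(16)


def salted_sha512(password, salt):
    """Per-user salted SHA-512, the scheme the disclosure describes for active accounts.

    Assumed storage format: hex(salt) + "$" + hex(digest). The salt is not secret;
    its job is to make equal passwords hash differently and to force an attacker
    to work per account instead of per password.
    """
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def verify_salted(password, stored):
    """Recompute the salted hash from the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$", 1)
    candidate = salted_sha512(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def duplicate_hash_groups(hashes):
    """Return groups of users whose stored hash values are identical.

    On an unsalted table this immediately reveals shared passwords; on a
    salted table it should return nothing.
    """
    by_hash = {}
    for user, value in hashes.items():
        by_hash.setdefault(value, set()).add(user)
    return [users for users in by_hash.values() if len(users) > 1]


def build_tables():
    """Hash the sample accounts both ways so the two schemes can be compared."""
    md5_table = {u: legacy_md5(p) for u, p in SAMPLE_USERS.items()}
    sha_table = {u: salted_sha512(p, new_salt()) for u, p in SAMPLE_USERS.items()}
    return md5_table, sha_table


if __name__ == "__main__":
    md5_table, sha_table = build_tables()
    print("users sharing an MD5 hash:", duplicate_hash_groups(md5_table))      # [{'alice', 'bob'}]
    print("users sharing a salted hash:", duplicate_hash_groups(sha_table))     # []
    print("alice verifies:", verify_salted("correct horse", sha_table["alice"]))  # True
```

    Running it shows alice and bob collapse to one MD5 value while their salted hashes differ, which is why the comment treats the 44,000 MD5 accounts as the urgent case. The salted SHA-512 scheme is the one the disclosure describes; a single SHA-512 round is still fast to evaluate, so a deliberately slow password hash (PBKDF2, bcrypt or scrypt) is the usual recommendation for new systems.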

  2. Kudos to Mozilla by duvel · · Score: 5, Interesting

    This is really well played by Mozilla. We are witnessing a prime example of crisis-communication. The basic rules are:
      - Communicate early (even if you don't have all the facts yet)
      - Communicate honestly (even if you're to blame)
      - Promise follow-up (as needed)
    Performing their crisis-communication this well will probably improve public perception of Mozilla. It will certainly raise the bar for other companies.

    --

    I have a photographic memory for numbers. I know almost a hundred of them.

    1. Re:Kudos to Mozilla by Opportunist · · Score: 5, Insightful

      No, they should not. But mistakes happen where humans are at work. The question is, how do these humans then deal with the problems they caused?

      The usual is to hush-hush and hope nobody notices. Mozilla could have done just that, and with far better conscience than other companies who followed that practice. According to the logs, the file was downloaded once, and that's by the person that informed them about the mistake. Essentially, one could assume that this is as "safe" as it gets considering the blunder. If they just decided to shut up about it, probably nobody would have noticed.

      But is that the right way to deal with a problem that can potentially affect your customers?

      I quite strongly recommend NOT chewing them out for making a mistake but actually applauding their very considerate approach to dealing with it. Consider the "learning effect": Chew them out and the learning effect is that it's better to just hush up when you lose customer data, especially if the chance of it getting into the wrong hands is slim. That's pretty much what most other companies do, and even if it gets out it rarely causes more than a bit of a tempest in a teapot on /.

      Outside the security concerned tech community, nobody even notices.

      So yes, mistakes like that should not happen. But they do. They happened, they happen and they will happen as long as humans are somehow involved in the process. Hence I welcome how they dealt with it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.