Mozilla Dumps Info of 76,000 Developers To Public Web Server
wiredmikey writes: Mozilla warned on Friday that it had mistakenly exposed information on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process. The discovery was made around June 22 by one of Mozilla's Web developers, Stormy Peters, Director of Developer Relations at Mozilla, said in a security advisory posted to the Mozilla Security Blog on Friday. "Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server," Peters wrote. According to Peters, the encrypted passwords were salted hashes and they by themselves cannot currently be used to authenticate with the MDN. However, Peters warned that MDN users may be at risk if they reused their original MDN passwords on other non-Mozilla websites or authentication systems.
I think people in here believe that Mozilla made an honest mistake here. A mistake that wasn't a result of cost cutting or malice.
In those instances, a little understanding is called for.
Oh? Shame you haven't helped others like Mozilla with that. It would sure be nice if you could spread your magical immunity from human error out to others, but apparently you're too professional to share that wisdom.
Best practices for avoiding leaks of important stuff are well known (and, really, Mozilla didn't suck here). But they had insufficient code or process review somewhere, to have had this leak. Normally, I'm all for rapid, agile development, but when it comes to the important stuff don't do that. Go slow. Get 20 people to review the change. Come back after a week or a month and review it again. It's important, don't rush it. There's very little most of us work on that's actually important, since most people don't work on life safety code, but user personal info counts.
Sounds like the process that was supposed to scrub this info was failing for quite some time. Where was the monitoring? Where was the alerting? If a process is important, you don't let it fail silently.
None of this is rocket science. You know how some guys go on about the difference between "software engineering" and "coding"? Yeah, sometimes it's not just BS.
Socialism: a lie told by totalitarians and believed by fools.
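The monitoring point raised in the comment above (a sanitization job must fail loudly, not silently), as an added example that is not part of the original thread: a Python sanitizer for a constructed users-table export, paired with an independent leak check that scans every value and refuses to publish when emails or salted hashes remain. The field names, the `algorithm$salt$hexdigest` hash layout and the sample rows are assumptions, not MDN's schema.

```python
import re
import sys

# Constructed sample rows standing in for a users-table export (not MDN data).
SAMPLE_ROWS = [
    {"id": 1, "username": "alice", "email": "alice@example.org",
     "password": "sha256$salt1$9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    {"id": 2, "username": "bob", "email": "bob@example.net", "password": ""},
]

SENSITIVE_FIELDS = ("email", "password")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Assumed salted-hash layout: algorithm$salt$hexdigest (at least 32 hex chars).
HASH_RE = re.compile(r"^\w+\$[^$]+\$[0-9a-f]{32,}$")


def sanitize(rows, fields=SENSITIVE_FIELDS):
    """Return a copy of rows with the named sensitive fields blanked."""
    out = []
    for row in rows:
        clean = dict(row)
        for field in fields:
            if field in clean:
                clean[field] = ""
        out.append(clean)
    return out


def find_leaks(rows):
    """Independent check: scan every string value, not just the fields we meant to blank,
    so a sanitizer regression (wrong column, renamed field) is still caught."""
    leaks = []
    for row in rows:
        for key, value in row.items():
            if isinstance(value, str) and (EMAIL_RE.search(value) or HASH_RE.match(value)):
                leaks.append((row.get("id"), key))
    return leaks


def publish_if_clean(rows, alert=lambda msg: print(msg, file=sys.stderr)):
    """Gate publication on the check; failure raises an alert and stops the pipeline."""
    leaks = find_leaks(rows)
    if leaks:
        alert(f"sanitization check failed: {len(leaks)} sensitive value(s) remain: {leaks}")
        raise RuntimeError("refusing to publish unsanitized export")
    return rows
```

In a real pipeline the `alert` callback would page someone and the raised error would keep the copy step from ever running against the public server.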