Slashdot Mirror


Mozilla Dumps Info of 76,000 Developers To Public Web Server

wiredmikey writes: Mozilla warned on Friday that it had mistakenly exposed information on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process. The discovery was made around June 22 by one of Mozilla's Web developers, Stormy Peters, Director of Developer Relations at Mozilla, said in a security advisory posted to the Mozilla Security Blog on Friday. "Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server," Peters wrote. According to Peters, the encrypted passwords were salted hashes and they by themselves cannot currently be used to authenticate with the MDN. However, Peters warned that MDN users may be at risk if they reused their original MDN passwords on other non-Mozilla websites or authentication systems.

13 of 80 comments

  1. Mozilla... by SeaFox · · Score: 3, Funny

    "Committed to you, your privacy and an open Web"

    1. Re: Mozilla... by relisher · · Score: 5, Insightful

      Well, in Mozilla's defense, at least they admitted their mistake rather than ignoring it like many companies we have seen on Slashdot do.

    2. Re:Mozilla... by lgw · · Score: 2

      If even a tiny fraction of the people who bitch about their mistakes actually acted then things would be much better and you would have to find something else to complain about.

      I do do something about it. You don't see this kind of leak nonsense from any product I've ever worked on. I expect developers elsewhere to be equally professional. User credential data (and personal info) is important, and development processes need to be more careful around it.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    3. Re:Mozilla... by lgw · · Score: 2, Interesting

      Oh? Shame you haven't helped others like Mozilla with that. It would sure be nice if you could spread your magical immunity from human error out to others, but apparently you're too professional to share that wisdom.

      Best practices for avoiding leaks of important stuff are well known (and, really, Mozilla didn't suck here). But they had insufficient code or process review somewhere, to have had this leak. Normally, I'm all for rapid, agile development, but when it comes to the important stuff don't do that. Go slow. Get 20 people to review the change. Come back after a week or a month and review it again. It's important, don't rush it. There's very little most of us work on that's actually important, since most people don't work on life safety code, but user personal info counts.

      Sounds like the process that was supposed to scrub this info was failing for quite some time. Where was the monitoring? Where was the alerting? If a process is important, you don't let it fail silently.

      None of this is rocket science. You know how some guys go on about the difference between "software engineering" and "coding"? Yeah, sometimes it's not just BS.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  2. FUBAR by Blue+Stone · · Score: 2
    --
    Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
  3. Re:Stop Storing Personal Data by Charliemopps · · Score: 4, Insightful

    All this personal data? It's your email address... that's it. Because your email is used to log you in.
    They also leaked a hashed and salted password.

    I keep hearing your argument, but I always ask myself... if you care that much, why did you surrender personal information in the first place??!? I've never been to any site other than facebook that actually required any personal information. Even then you can just put in bullshit.

    Mozilla did everything right here... other than the breach itself of course. Mistakes happen, and with properly Hashed/Salted passwords and quick and full disclosure those mistakes don't have to be serious.

  4. Re:Stop Storing Personal Data by viperidaenz · · Score: 4, Informative

    By personal data, they mean 76,000 email addresses and 4000 salted password hashes.

    As for how many times it was accessed, RTFA

    "We traced back as much as we could. Access logs, netflow data, etc.," the user wrote. "We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can't rule out that someone with malicious intentions got access to it."

    Or... you could throw your toys out of your cot and post a rant condemning Mozilla.

    You're obviously not affected by this either or you would already know the answers to your questions because they emailed everyone affected about it already.

  5. Slashdot comments by say2joe · · Score: 2

    I find it rather laughable that mostly everyone in the comments has taken a "forgive and forget" attitude in regards to this post. I love Mozilla...as a developer who uses their mdn site actively, I applaud their active involvement in creating awareness of their mistake so people like me can take measures in protecting their accounts, however, if it was another company, most of these comments would be lambasting this breach of security and protocol on their part. That being said, I'm confident that Mozilla has taken every action they can to prevent this from happening in the future. And, I'm looking forward to looking up a reference section on mdn this week!

    1. Re:Slashdot comments by Anonymous Coward · · Score: 2, Interesting

      I think people in here believe that Mozilla made an honest mistake here. A mistake that wasn't a result of cost cutting or malice.

      In those instances, a little understanding is called for.

  6. Sentence Structure by ohnocitizen · · Score: 2

    The discovery was made around June 22 by one of Mozilla's Web developers, Stormy Peters, Director of Developer Relations at Mozilla, said

    Makes it sound like Stormy Peters is both the Director of Developer Relations and the developer who discovered the error.

  7. Re:They don't deserve to be commended. by jopsen · · Score: 5, Insightful

    but meeting the bare minimum requirements doesn't earn somebody commendation from me.

    How often do you hear news stories about leaks with encrypted passwords that are properly salted? :)
    How often does anybody admit a possible leak, when there is no evidence anybody downloaded the database dump...?
    Really, how often do you hear about things like this, if discovered internally?

    I agree, it's the decent thing to do, but I don't think you can expect this level of detail, openness and honesty from commercial players.
    I can't imagine any organization that wouldn't sweep this under the rug, after all it was discovered internally.

    It makes me wonder why the hell they aren't doing any better.

    Avoiding a leak would certainly have been preferred. But mistakes happen, processes fail.

  8. On which the most common hash is based by raymorris · · Score: 3, Informative

    DES is the encryption standard which is the basis of what for many years was the most common type of hash.
    For DES-based hashing, as used in .htpasswd files, the least significant bits of the first eight characters are used as a 56-bit key. This key (the user's password) is used to encrypt null bytes, 25 times. crypt(3) accepts a two-character salt, but uses only the lowest six bits of each character, so it's a 12-bit salt and a 56-bit password (maximum).

    crypt(3) can also support better hash algorithms by passing salt values such as $1$xxxxxxxx$ or $5$xxxxxxxxxxxx$
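
    The crypt(3) mechanics described in the comment above (only the first eight password characters feed the 56-bit key, the two salt characters give a 12-bit salt, and newer schemes are selected by a `$id$` prefix) as an added Python example; this is not code from the thread, from Mozilla or from any crypt implementation. It does not implement DES itself: it derives the key bytes and the salt value the way traditional crypt does, and it classifies the hashes in a constructed `.htpasswd`-style sample so legacy DES entries can be flagged during an audit. The salt mapping uses the standard `./0-9A-Za-z` alphabet index (6 bits per character) rather than the literal low six bits of the ASCII code, and the scheme table is limited to prefixes whose meaning is well established. The sample users and hash strings are constructed and not real credentials.

```python
import re
from typing import List, Tuple

# Salt alphabet of traditional crypt(3); a character's index is its 6-bit value.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Well-known modular-crypt prefixes ($id$...). Anything else is reported as unknown.
SCHEMES = {
    "1": "md5crypt",
    "apr1": "apr1 (Apache MD5)",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt",
    "y": "yescrypt",
}

# Traditional DES crypt output: 2 salt chars + 11 hash chars, all from SALT_ALPHABET.
TRAD_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
MODULAR_RE = re.compile(r"^\$(?P<id>[^$]+)\$")


def des_key_from_password(password: str) -> bytes:
    """Derive the 8 key bytes traditional crypt(3) hands to DES.

    Only the first 8 characters are used. Each contributes its low 7 bits,
    shifted left by one so that DES's ignored parity bit is the low bit.
    Characters beyond the 8th have no influence on the resulting hash.
    """
    key = bytearray(8)  # short passwords are padded with NUL key bytes
    for i, ch in enumerate(password[:8]):
        key[i] = (ord(ch) & 0x7F) << 1
    return bytes(key)


def des_salt_bits(salt: str) -> int:
    """Map the two salt characters to the 12-bit salt value (6 bits each)."""
    if len(salt) != 2 or any(c not in SALT_ALPHABET for c in salt):
        raise ValueError("traditional crypt salt is two characters from " + SALT_ALPHABET)
    hi, lo = (SALT_ALPHABET.index(c) for c in salt)
    return (hi << 6) | lo


def classify_hash(hashed: str) -> str:
    """Name the crypt scheme a stored hash uses, based on its prefix/shape."""
    m = MODULAR_RE.match(hashed)
    if m:
        return SCHEMES.get(m.group("id"), "unknown modular scheme $%s$" % m.group("id"))
    if TRAD_RE.match(hashed):
        return "traditional DES"
    return "unrecognised"


def audit_htpasswd(text: str) -> List[Tuple[str, str, bool]]:
    """Return (user, scheme, legacy_des) for every 'user:hash' line.

    legacy_des is True when the entry is a traditional DES hash, i.e. a
    12-bit salt and at most 8 significant password characters.
    """
    result = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # comments and malformed lines are skipped, not flagged
        user, hashed = line.split(":", 1)
        scheme = classify_hash(hashed)
        result.append((user, scheme, scheme == "traditional DES"))
    return result


# Constructed sample file; the hash strings are made up and verify nothing.
SAMPLE_HTPASSWD = """\
# constructed sample, not from any real system
alice:abJnggxhB/yWI
bob:$apr1$saltsalt$abcdefghijklmnopqrstuv
carol:$6$saltsaltsaltsal$hashhashhashhashhashhash
"""

if __name__ == "__main__":
    for user, scheme, legacy in audit_htpasswd(SAMPLE_HTPASSWD):
        flag = "  <- legacy DES, 4096 salts, 8 significant chars" if legacy else ""
        print("%-6s %s%s" % (user, scheme, flag))
    print("key('password123') == key('password'):",
          des_key_from_password("password123") == des_key_from_password("password"))
```

Running the block on the sample prints one line per user and flags `alice`, whose 13-character entry is the traditional DES form; the final line shows the truncation property the comment describes, since `password123` and `password` yield the same DES key and therefore the same hash under the same salt.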

  9. Re:They don't deserve to be commended. by stoborrobots · · Score: 2, Insightful

    Why should we commend them...?

    We shouldn't. They fucked up. We should call them out for fucking up.

    What the GP said was not "we should commend them", but "in their defense".

    It's a valid defense: they fucked up, they noticed, they cleaned up what they could, and they admitted their mistake and advised people appropriately. That doesn't make their mistake go away, but it changes it from Badness Level 50 (eBay) to Badness Level 30 (Target).