Mozilla Dumps Info of 76,000 Developers To Public Web Server

Posted by samzenpus
from the for-everyone's-eyes dept.
wiredmikey writes Mozilla warned on Friday that it had mistakenly exposed information on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process. The discovery was made around June 22 by one of Mozilla's Web developers, Stormy Peters, Director of Developer Relations at Mozilla, said in a security advisory posted to the Mozilla Security Blog on Friday. "Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server," Peters wrote. According to Peters, the encrypted passwords were salted hashes and they by themselves cannot currently be used to authenticate with the MDN. However, Peters warned that MDN users may be at risk if they reused their original MDN passwords on other non-Mozilla websites or authentication systems.
  • Mozilla... (Score:4, Funny)

    by SeaFox (739806) on Sunday August 03, 2014 @05:32PM (#47595723)

    "Committed to you, your privacy and an open Web"

    • Re: Mozilla... (Score:5, Insightful)

      by relisher (2955441) on Sunday August 03, 2014 @05:42PM (#47595777)
      Well, in Mozilla's defense, at least they admitted their mistake rather than ignoring it like many companies we have seen on Slashdot do.
    • by Anonymous Coward

      Well, at least they succeeded on the last one.

    • The more you think about it, the more it sounds like doublespeak.

      You: oh, so that's why they remove useful features that everyone wants with every new release? That's why they shove a godawful UI that nobody wants down everyone's throat?

      Your privacy: see summary

      Open web: the EME debacle says otherwise

      • by narcc (412956)

        You: oh, so that's why they remove useful features that everyone wants with every new release?

        Wasn't everyone complaining about feature 'bloat' before? Damned if you do...

        That's why they shove a godawful UI that nobody wants down everyone's throat?

        I think by 'nobody' you mean 'a tiny minority'. It looks fine to me. What do you think is so awful about it?

    • by Anonymous Coward

      The name "Mozilla" used to be among the most respected names in computing. It represented integrity, honesty, innovation, and quality software.

      Bugzilla was one of their first successes. It was widely used during the early 2000s, and some development teams still use it to this day. It's the kind of tool that helped make a lot of software development teams a lot more efficient, and it helped users do what they could to get a better experience out of the software they were using. People's lives were made bette

      • by haruchai (17472)

        Like how you managed to slip in a jab against "hipsters", who will no doubt destroy civilization.
        And you must be smoking a lot of crack if you think IE is a better browser.

        • by Anonymous Coward

          Well, I think the GP could be right. Hipsters have done a pretty damn good job of destroying GNOME 3, Windows 8, iOS 7, and Firefox. Given how they've managed to harm or kill prominent and widely used software systems like those, I don't see why civilization itself wouldn't be next!

          Have you actually used IE 11? Its UI is kind of in the dumps, but underneath it's actually a pretty good browser these days. It's fast, it's standards compliant, and it works. It's not as good as Chrome, but it's a huge step up

      • by Anonymous Coward

        What happened is that they can no longer fight the good fight on their own like they could when it was just them, the like-minded Opera, and a Microsoft who cared nothing about the situation and let their own browser rot. Now they have Google, Apple, and Microsoft to face off against, and an increasingly useless fanbase who just see the negatives and don't even want to pitch in anymore.

        You try stopping Google when they say "jump". At least Mozilla stands up to them and tries to effect change. Everyone else

        • by Anonymous Coward

          I know, I know: it's tough. We all have day jobs and that's why we want Mozilla to be a magical shield for us. But times have changed, and we clearly haven't. Mozilla tried to, but they clearly can't do it on their own anymore. So it's high time we actually did something too. Yet all I hear is whining about UI changes and other constant melodrama over things not being as flawless as they once were (which they weren't; rose-colored glasses just makes you think they were, until you actually use an old version

      • by narcc (412956)

        And then they wasted even more on that failed mobile OS that nobody really wants.

        I must have missed the part where it failed ... and the part where 'nobody' wants it.

  • Data is easy to keep but it's also easy to leak. And given the consequences of leaks, companies need to start asking themselves whether it is worth storing all this data in the first place.

    How many times did Mozilla ever actually use all this personal data internally? How many times on average was the data for each of the 76,000 developers used? How many records were never accessed at all?

    If you don't need all this data, then just don't store it. It's easy!

    • by Charliemopps (1157495) on Sunday August 03, 2014 @05:51PM (#47595815)

      All this personal data? It's your email address... that's it. Because your email is used to log you in.
      They also leaked a hashed and salted password.

      I keep hearing your argument, but I always ask myself... if you care that much, why did you surrender personal information in the first place??!? I've never been to any site other than facebook that actually required any personal information. Even then you can just put in bullshit.

      Mozilla did everything right here... other than the breach itself of course. Mistakes happen, and with properly Hashed/Salted passwords and quick and full disclosure those mistakes don't have to be serious.

    • by viperidaenz (2515578) on Sunday August 03, 2014 @05:57PM (#47595833)

      By personal data, they mean 76,000 email addresses and 4000 salted password hashes.

      As for how many times it was accessed, RTFA

      "We traced back as much as we could. Access logs, netflow data, etc.," the user wrote. "We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can't rule out that someone with malicious intentions got access to it."

      Or... you could throw your toys out of your cot and post a rant condemning Mozilla.

      You're obviously not affected by this either or you would already know the answers to your questions because they emailed everyone affected about it already.

  • by Anonymous Coward

    At least they had enough sense to salt the hashes. It's gotta be annoying to have your email address floating around out there though.

  • I find it rather laughable that mostly everyone in the comments has taken a "forgive and forget" attitude in regards to this post. I love Mozilla...as a developer who uses their mdn site actively, I applaud their active involvement in creating awareness of their mistake so people like me can take measures in protecting their accounts, however, if it was another company, most of these comments would be lambasting this breach of security and protocol on their part. That being said, I'm confident that Mozilla
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I think people in here believe that Mozilla made an honest mistake here. A mistake that wasn't a result of cost cutting or malice.

      In those instances, a little understanding is called for.

      • by uncqual (836337)

        Are ignorance, negligence, or arrogance better reasons not to behave professionally and follow accepted best practices?

        Sure, maybe I could have reviewed the code personally since, I assume, it's open source (as are, I assume all the administration scripts they use? Yeh, right). But, I probably use, directly or indirectly, nearly a billion lines of code every year - I really don't have time to review each change any more than I have the resources or interest to test each gallon of gasoline I put in my car

  • by ohnocitizen (1951674) on Sunday August 03, 2014 @06:31PM (#47595963)

    The discovery was made around June 22 by one of Mozilla's Web developers, Stormy Peters, Director of Developer Relations at Mozilla, said

    Makes it sound like Stormy Peters is both the Director of Developer Relations and the developer who discovered the error.

  • Neither of the two links in TFS mentioned what kind of hash was being used. Does anyone happen to know? If it was the old fashioned DES hash as commonly used in .htpasswd, it may well be plaintext. If it was crypt('$5$xxxxxxxxxxxx' SHA, it's only a concern for people who chose very bad passwords.

    • DES isn't a hash, it's a Data Encryption Standard.

      • by raymorris (2726007) on Sunday August 03, 2014 @07:51PM (#47596161)

        DES is the encryption standard which is the basis of what for many years was the most common type of hash.
        For DES-based hashing, as used in .htpasswd files, the least significant bits of the first eight characters are used as a 56-bit key. This key (the user's password) is used to encrypt null bytes, 25 times. crypt(3) accepts a two-character salt, but uses only the lowest six bits of each character, so it's a 12-bit salt and a 56-bit password (maximum).

        crypt(3) can also support better hash algorithms by passing salt values such as $1$xxxxxxxx$ or $5$xxxxxxxxxxxx$
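An added illustration of the key and salt derivation raymorris describes above (example code written for this page, not from the thread, from Mozilla or from any crypt(3) implementation; the 25 DES rounds themselves are left out, since what bounds the hash's strength is how little of the password and salt ever reaches DES):

```python
# Key and salt derivation of traditional DES-based crypt(3).
# DES itself is omitted; only the inputs that reach it are modelled.

# crypt(3)'s 64-symbol salt alphabet: '.'=0, '/'=1, '0'-'9'=2..11,
# 'A'-'Z'=12..37, 'a'-'z'=38..63.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def des_crypt_key(password: str) -> bytes:
    """Build the 8-byte DES key from the password.

    Only the first eight bytes are used, and only the low seven bits of
    each: they are shifted into the high bits of a key byte because DES
    ignores the lowest (parity) bit of every key byte. Anything after the
    eighth character is silently dropped, so at most 56 bits of password
    material are ever hashed.
    """
    key = bytearray(8)  # missing characters stay as zero bytes
    for i, ch in enumerate(password.encode("utf-8")[:8]):
        key[i] = (ch & 0x7F) << 1
    return bytes(key)


def des_crypt_salt(salt: str) -> int:
    """Decode the two-character salt into the 12-bit value that perturbs
    DES's expansion permutation: six bits per character, first character
    in the low bits; a character outside the alphabet decodes as 0."""
    if len(salt) < 2:
        raise ValueError("traditional crypt(3) needs a two-character salt")
    low = max(SALT_ALPHABET.find(salt[0]), 0)
    high = max(SALT_ALPHABET.find(salt[1]), 0)
    return low | (high << 6)


def effective_password_bits(password: str) -> int:
    """Upper bound on the password entropy that reaches DES:
    7 bits per character, capped at 8 characters (56 bits)."""
    return min(len(password.encode("utf-8")), 8) * 7


def same_des_key(a: str, b: str) -> bool:
    """True when two passwords hash identically under DES crypt, i.e.
    when they agree on the low 7 bits of their first 8 bytes."""
    return des_crypt_key(a) == des_crypt_key(b)


if __name__ == "__main__":
    # Constructed sample inputs showing the truncation and the salt space.
    print(same_des_key("correcthorsebatterystaple", "correcth"))  # True
    print(des_crypt_key("hunter2").hex())  # d0eadce8cae46400
    print(des_crypt_salt("zz"))  # 4095, the largest of 4096 salts
```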

        • The more you know...

          Not clear why you would use an encryption scheme to do hashing, though-- my understanding is that while both should have good hash characteristics (small changes in plaintext should cascade into large changes in the secured form), purpose-designed hash algorithms will generally be more resistant to attack than encryption schemes, and often faster.

          Why wouldn't they have used MD5 back when DES Hash was used?

          • A good encryption algorithm cannot be reversed without knowing the key, and a hash shouldn't be reversible, so a good encryption is a good basis for a hash. For PASSWORD hashing you don't use just the primitive, whether that primitive is DES or MD5. You do many rounds, with salt.

            If you're not kidding about MD5, DES was in use twelve years before Rivest proposed MD2. Maybe 20 years before MD5, I don't remember the exact year for MD5.

            Purpose-built hash algorithms have not been better, historically.

            • I said:

              > A DES-based hash would still be fine, just by allowing more bits.

              I should clarify that DES itself specifies a key length of 56 bits. To get more bits, you do DES three times*, which is called Triple DES or 3DES. If you use three different 56-bit keys, that's effectively a 112 bit key due to meet-in-the-middle, and that's strong for another fifteen years.

              * encrypt(key1,decrypt(key2,encrypt(key3,plaintext)))

  • Probably backlash from the 80% disapproval rate for that shitty new interface they dreamed up. I'm using Palemoon now.

  • Obviously at Mozilla, the effort to be 100% Politically Correct means security takes a back-seat in terms of effort.

  • ...that would think it was okay to screw over users with a new UI and not continue to provide security and stability updates for a few years to those who didn't want a new broken UI (something few successful commercial enterprise companies have managed to do). Or, thought it was okay to, a few days ago, push an update which either broke the UI further or broke a popular add-on that many of us were using to work around their earlier mistake.

    If you can't get UIs right or understand that UI stability is import

  • Back in the day you'd count yourself lucky to be dumped onto a server to play a series of deadly games on an electric matrix in the hopes of finally having a face off with the Overseer of Games, who looks just like your dick-head suspender wearing boss who is always asking you to "ummmm yeah, come in on Saturday mmmm'kay?" like a question, as if you could actually say no, in heated one on one combat, only to ultimately prevail when you send a blazing disk straight through his face and watch in rapt glee as h
  • Maybe I'm missing something here, but if the data is a salted hash, they cannot recover it in any reasonable time, especially if they don't know the hashing algorithm used. Even if they do know the hashing scheme it is likely that any password that isn't a dictionary word won't be recovered in this decade, so why would it matter if they used the same password on another website?
  • Why do they feel the need to publish data requiring sanitation in the first place?

    If the failure was a result of a code change, why was there no unit test to catch it?

    And if there was no code change, why would you set up such a publish process to silently continue if such a critical step failed?
