Catch up on stories from the past week (and beyond) at the Slashdot story archive


Forgot your password?
Mozilla Privacy Security

Mozilla Dumps Info of 76,000 Developers To Public Web Server 80

wiredmikey writes Mozilla warned on Friday that it had mistakenly exposed information on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process. The discovery was made around June 22 by one of Mozilla's Web developers, Stormy Peters, Director of Developer Relations at Mozilla, said in a security advisory posted to the Mozilla Security Blog on Friday. "Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server," Peters wrote. According to Peters, the encrypted passwords were salted hashes and they by themselves cannot currently be used to authenticate with the MDN. However, Peters warned that MDN users may be at risk if they reused their original MDN passwords on other non-Mozilla websites or authentication systems.
This discussion has been archived. No new comments can be posted.

Mozilla Dumps Info of 76,000 Developers To Public Web Server

Comments Filter:
  • by viperidaenz ( 2515578 ) on Sunday August 03, 2014 @06:57PM (#47595833)

    By personal data, they mean 76,000 email addressed and 4000 salted password hashes.

    As for how many times it was accessed, RTFA

    "We traced back as much as we could. Access logs, netflow data, etc.," the user wrote. "We found that the tar.gz containing the DB dump had been downloaded only a small number of times. Mostly by known contributors. But we can't rule out that someone with malicious intentions got access to it."

    Or... you could throw your toys out of your cot and post a rant condemning Mozilla.

    You're obviously not effected by this either or you would already know the answers to your questions because they emailed everyone effected about it already.

  • by raymorris ( 2726007 ) on Sunday August 03, 2014 @08:51PM (#47596161) Journal

    DES is the encryption standard which is the basis of what for many years was the most common type of hash.
    For DES-based hashing, as used in .htpasswd files, the least significant bits of the first eight characters are used as a 56-bit key. This key (the users password) is used to encrypt a null bytes, 25 times. crypt(3) accepts a two-character salt, but uses only the lowest six bits of each character, so it's a 12 bit salt and a 56 bit password (maximum).

    crypt(3) can also support better hash algorthims by passing salt values such as $1$xxxxxxxx$ or $5$xxxxxxxxxxxx$

Stinginess with privileges is kindness in disguise. -- Guide to VAX/VMS Security, Sep. 1984