Mozilla Privacy Security

Mozilla Dumps Info of 76,000 Developers To Public Web Server

wiredmikey writes Mozilla warned on Friday that it had mistakenly exposed information on almost 80,000 members of its Mozilla Developer Network (MDN) as a result of a botched data sanitization process. The discovery was made around June 22 by one of Mozilla's Web developers, Stormy Peters, Director of Developer Relations at Mozilla, said in a security advisory posted to the Mozilla Security Blog on Friday. "Starting on about June 23, for a period of 30 days, a data sanitization process of the Mozilla Developer Network (MDN) site database had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server," Peters wrote. According to Peters, the encrypted passwords were salted hashes and they by themselves cannot currently be used to authenticate with the MDN. However, Peters warned that MDN users may be at risk if they reused their original MDN passwords on other non-Mozilla websites or authentication systems.
  • Re: Mozilla... (Score:5, Insightful)

    by relisher ( 2955441 ) on Sunday August 03, 2014 @06:42PM (#47595777)
    Well, in Mozilla's defense, at least they admitted their mistake rather than ignoring it like many companies we have seen on Slashdot do.
  • by Charliemopps ( 1157495 ) on Sunday August 03, 2014 @06:51PM (#47595815)

    All this personal data? It's your email address... that's it. Because your email is used to log you in.
    They also leaked a hashed and salted password.

    I keep hearing your argument, but I always ask myself... if you care that much, why did you surrender personal information in the first place??!? I've never been to any site other than Facebook that actually required any personal information. Even then you can just put in bullshit.

    Mozilla did everything right here... other than the breach itself of course. Mistakes happen, and with properly Hashed/Salted passwords and quick and full disclosure those mistakes don't have to be serious.

  • by jopsen ( 885607 ) <jopsen@gmail.com> on Sunday August 03, 2014 @08:43PM (#47596137) Homepage

    but meeting the bare minimum requirements doesn't earn somebody commendation from me.

    How often do you hear news stories about leaks with encrypted passwords that are properly salted? :)
    How often does anybody admit a possible leak, when there is no evidence anybody downloaded the database dump...?
    Really, how often do you hear about things like this, if discovered internally?

    I agree, it's the decent thing to do, but I don't think you can expect this level of detail, openness and honesty from commercial players.
    I can't imagine any organization that wouldn't sweep this under the rug, after all it was discovered internally.

    It makes me wonder why the hell they aren't doing any better.

    Avoiding a leak would certainly have been preferred. But mistakes happen, processes fail.

  • by stoborrobots ( 577882 ) on Sunday August 03, 2014 @10:43PM (#47596519)

    Why should we commend them...?

    We shouldn't. They fucked up. We should call them out for fucking up.

    What the GP said was not "we should commend them", but "in their defense".

    It's a valid defense: they fucked up, they noticed, they cleaned up what they could, and they admitted their mistake and advised people appropriately. That doesn't make their mistake go away, but it changes it from Badness Level 50 (eBay) to Badness Level 30 (Target).
