Mozilla’s website for developers leaked email addresses and encrypted passwords of registered users for about a month due to a database error, the organization said Friday.
Email addresses for 76,000 Mozilla Development Network (MDN) users were exposed, along with around 4,000 encrypted passwords, wrote Stormy Peters, director of development relations, and Joe Stevensen, operations security manager, in a blog post. Mozilla is notifying those affected.
No malicious activity on the affected server was detected, but that does not mean the data wasn’t accessed, they wrote.
A Web developer discovered around 10 days ago that a data sanitization process on the database running the MDN wasn’t working. The leak started around June 23 and continued for a month.
“As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure,” they wrote.
The exposed passwords were encrypted and “salted,” a security measure that makes it difficult to revert them to their original form. Even if the passwords were decrypted, “they by themselves cannot be used to authenticate with the MDN website today,” according to the post.
Since some people may have used the same MDN password on other websites, it’s recommended the password be changed.
Mozilla said it was “deeply sorry” for the error.
“In addition to notifying users and recommending short term fixes, we’re also taking a look at the processes and principles that are in place that may be made better to reduce the likelihood of something like this happening again,” according to the post.