Forgot your password?
typodupeerror
Privacy Security Mozilla Your Rights Online

Mozilla Posts File Containing Registered User Data 154

Posted by Soulskill
from the heads-up dept.
wiredmikey writes "Mozilla yesterday sent an email to registered users of its addons.mozilla.org site, letting them know that it had mistakenly posted a file to a publicly available Web server which contained data from its user database including email addresses, first and last names, and an md5 hash representation of user passwords."
This discussion has been archived. No new comments can be posted.

Mozilla Posts File Containing Registered User Data

Comments Filter:
  • by ferongr (1929434) on Tuesday December 28, 2010 @06:22AM (#34684502)
    TFA says that it was the user database of the AMO (addons.mozilla.com) website, nothing to so with the Sync server.
  • by Giorgio Maone (913745) on Tuesday December 28, 2010 @06:24AM (#34684514) Homepage
    http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/ [mozilla.com]
    Active accounts have their password SHA-512 hashed with per-user salt, so they're safe (for a while). However those 44,000 holders of older (and now disabled) MD5 hashed accounts should rush changing their passwords elsewhere, if they have the bad habit of using the same password everywhere...
  • by cheater512 (783349) <nick@nickstallman.net> on Tuesday December 28, 2010 @06:43AM (#34684602) Homepage

    Nope no exploit. They just accidentally made a backup publicly accessible.

    They went through the logs and no one actually downloaded it except the person who notified them of the problem.

  • Re:atleast (Score:4, Informative)

    by JackieBrown (987087) <dbroome@gmail.com> on Tuesday December 28, 2010 @08:10AM (#34684936)

    I got one last night.

    Mozilla Add-ons to davidbroome
    show details 6:52 PM (11 hours ago)
    Dear addons.mozilla.org user,

    The purpose of this email is to notify you about a possible disclosure
    of your information which occurred on December 17th. On this date, we
    were informed by a 3rd party who discovered a file with individual user
    records on a public portion of one of our servers. We immediately took
    the file off the server and investigated all downloads. We have
    identified all the downloads and with the exception of the 3rd party,
    who reported this issue, the file has been download by only Mozilla
    staff. This file was placed on this server by mistake and was a partial
    representation of the users database from addons.mozilla.org. The file
    included email addresses, first and last names, and an md5 hash
    representation of your password. The reason we are disclosing this event
    is because we have removed your existing password from the addons site
    and are asking you to reset it by going back to the addons site and
    clicking forgot password. We are also asking you to change your password
    on other sites in which you use the same password. Since we have
    effectively erased your password, you don't need to do anything if you
    do not want to use your account. It is disabled until you perform the
    password recovery.

    We have identified the process which allowed this file to be posted
    publicly and have taken steps to prevent this in the future. We are also
    evaluating other processes to ensure your information is safe and secure.

    Should you have any questions, please feel free to contact the
    infrastructure security team directly at infrasec@mozilla.com. If you
    are having issues resetting your account, please contact
    amo-admins@mozilla.org.

    We apologize for any inconvenience this has caused.

    Chris Lyon
    Director of Infrastructure Security

  • by kbg (241421) on Tuesday December 28, 2010 @08:31AM (#34685036)

    The day before this was noticed my Gmail account was hacked by Chinese spammers and I know I used the same password there. So I am skeptical about the claims that no one had downloaded this file. The email only says when they noticed the problem, but doesn't specify how long the file was available before that. It could have been available for a long time.

  • by mysidia (191772) on Tuesday December 28, 2010 @09:37AM (#34685392)

    Please, don't encrypt passwords. Encryption implies that you can retrieve them if you have the keys, which could have made this much worse.

    Only if the keys are compromised.

    The correct thing to do is to encrypt each password and protect the key by storing it in a different place; for example, by storing it in a different database, and having a separate application that performs authentications, so no single application has access to both databases.

    That way, if the user file / user database is leaked someone cannot simply use a MD5 brute force attempt with some rainbow tables and a dictionary to get everyone's password.

    This is most useful when the plaintext version of the password is required for authentication processes such as CHAP or CRAM-MD5 authentication.

    When it is not required, you are best off taking a secure crypto hash of the password with a secret salt, and then encrypt the list of SHA1/SHA256 hashes.

    If the password file is leaked with the list of SHA256 hashes, they will be useless without the ability to find or guess the salt that was used to compute each password.

  • by carlhaagen (1021273) on Tuesday December 28, 2010 @09:42AM (#34685438)
    No, you're actually wrong - in the context of password protection, encrypting passwords means using a one-way encryption scheme. The method is in some ways similar to hashing, but the common process used is actually that of a modified version of the Blowfish crypto cipher resulting in a non-reversible output. The process is very time-consuming compared to generic hashing such as MD5, SHAx etc., and is practically impossible to create rainbow tables for, practically impossible to bruteforce. You can educate yourself further on the topic here: http://codahale.com/how-to-safely-store-a-password/ [codahale.com]

Premature optimization is the root of all evil. -- D.E. Knuth

Working...