Mozilla says ‘minimal risk’ after leaving addons database on public server
December 29th, 2010 - 3:21 pm ICT by BNO News
MOUNTAIN VIEW, CALIFORNIA (BNO NEWS) — Mozilla on Tuesday admitted to having accidentally left a partial database of addons.mozilla.org user accounts on its public server earlier this month.
A security researcher notified Mozilla of the incident on December 17, reporting the issue via its web bounty program. However, the company said the incident posed “minimal risk.”
“We were able to account for every download of the database,” Chris Lyon, Director of Infrastructure Security, said. “This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.”
The database included 44,000 inactive accounts using older, MD5-based password hashes, Mozilla explained, adding that it had erased all the MD5 passwords, rendering the accounts disabled.
Lyon explained that all current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 with per-user salts has been the standard storage method for password hashes of all active users since April 9th, 2009.
“It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla’s infrastructure,” Lyon added. “This information was also sent to impacted users by email on December 27th.”