Mozilla Passwords Leaked, No Reason to Panic

A database containing 44,000 usernames and password hashes associated with accounts registered on the Mozilla add-ons website was accidentally made public, the organization and makers of the Firefox Web browser said on Monday. The partial database of user accounts was mistakenly left on a Mozilla public server, which would have allowed anyone to access the account usernames and the password hashes.

The good news? Says Mozilla: no one did. Well, no one except for the one security researcher who found them.

According to a post on the Mozilla security blog, a security researcher reported the issue via Mozilla’s Web bounty program, a program that encourages external, non-employee security professionals to find and submit bugs to Mozilla. In return, Mozilla pays cash ($500 to $3,000 for valid bugs) for the submissions. Although Mozilla isn’t saying, this is probably one of those $3,000 rewards.

This news comes on the heels of another high-profile password breach – the mid-December hacker attack on Gawker Media’s servers, which ended up exposing the usernames and passwords of 1.3 million user accounts, created for commenting purposes on popular weblogs like Gawker, Gizmodo, LifeHacker, Kotaku, io9, Jezebel and others.

How Were the Passwords Protected?

Like Gawker’s passwords, which were poorly encrypted using DES encryption, an older, less secure technology, Mozilla’s passwords in this instance were protected with MD5 hashes, another older method of protection. These passwords can be cracked, explains Chester Wisniewski on the Sophos security blog. “MD5 has cryptographic weaknesses that permit creation of the same hash from multiple strings,” he says. “This permits security experts to compute all the possible hashes and determine either your password or another string that will work even if it is not your password.”

Mozilla hasn’t used MD5 since April 9, 2009 – it now uses SHA-512, a significantly stronger hashing method. The database in question, however, housed older, inactive accounts using the MD5-hashed passwords.

What’s Being Done

To address the issue, Mozilla says it erased all the MD5 passwords, effectively disabling the accounts.
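The remediation described above, as an added example (not Mozilla's code and not from the original article): legacy MD5 hashes are erased so those accounts are disabled, while current records are verified against a salted hash. The storage formats, the function names, and the choice of PBKDF2-HMAC-SHA512 are assumptions for illustration; the article only says Mozilla moved to SHA-512.

```python
import hashlib
import hmac
import os
import re

# Assumed legacy format for this example: a bare 32-character hex MD5 digest.
LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")
ITERATIONS = 210_000  # assumed work factor, not a value from the article

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Build a salted PBKDF2-HMAC-SHA512 record: scheme$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return f"pbkdf2_sha512${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Constant-time check against a current-scheme record; anything else fails."""
    if not stored or not stored.startswith("pbkdf2_sha512$"):
        return False  # erased or legacy records can never authenticate
    _, iterations, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)

def retire_legacy_hashes(accounts):
    """Erase every legacy MD5 hash in place; return the usernames disabled."""
    disabled = []
    for user, stored in accounts.items():
        if stored and LEGACY_MD5.fullmatch(stored):
            accounts[user] = None  # nothing left to leak or to log in with
            disabled.append(user)
    return sorted(disabled)

# Constructed sample table (not data from the incident).
ACCOUNTS = {
    "old_inactive": hashlib.md5(b"example-only").hexdigest(),
    "current_user": hash_password("correct horse battery staple"),
}
```

Users whose hash was erased have to go through a password reset to regain access, which also forces a new password onto the current scheme.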

Chris Lyon, Director of Infrastructure Security for Mozilla, says “the issue posed minimal risk to users,” because the only person, according to Mozilla’s logs, who accessed the database was the security researcher who reported the problem. Lyon also reassured users that the incident did not impact any of Mozilla’s infrastructure.

While the risk may be minimal, Wisniewski suggests that anyone contacted by Mozilla as having been one of the unfortunate users whose account information was exposed should make sure they are not using that same password at other websites, just in case. If so, change those passwords immediately. “If [Mozilla is] wrong or if the discloser is not trustworthy, your other accounts may be at risk,” he says.
