Some members of the Mozilla Developer Network are being advised to change their passwords after email addresses and encrypted credentials were disclosed on a public server.

Mozilla director of developer relations Stormy Peters said the organization has been investigating the disclosure for 10 days. She said a web developer discovered that a data sanitization process on the MDN had failed several times and that email addresses for 76,000 users and encrypted passwords for 4,000 users were available on a publicly accessible server. She called it an “accidental disclosure.”

“As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure,” Peters wrote on the Mozilla blog.

Peters said Mozilla has not found any traces of malicious activity, but would not guarantee the credentials were not accessed.

“We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you,” Peters said.

Mozilla MDN members are being urged to change their passwords, especially if a user’s MDN password was re-used anywhere else.

“The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today,” Peters wrote, adding that affected users were being notified.

Salting a password is the addition of random characters to a password before it’s hashed, and adds to the complexity of cracking a password hash and reduces the effectiveness of dictionary attacks, for example. Several infamous password breaches have been linked to a lack of salting, most notably the LinkedIn hack in 2012 when 6.5 million passwords were leaked. A file was found on a Russian hacker forum in June 2012 that contained millions of unsalted SHA-1-hashed LinkedIn passwords.

Earlier this year, a massive password dump containing 145 million passwords claiming to be the credentials of eBay users was found on Pastebin, but quickly refuted as phony by the auction giants.

Categories: Hacks, Vulnerabilities, Web Security

Leave A Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>