Mozilla Developer Network site leaks 76,000 user email addresses
The latest organization to suffer an embarrassing security failure is open source developer Mozilla. The company whose mission is "to promote openness, innovation and opportunity on the web" has, it seems, been a bit more open than usual.
It has admitted to leaking the email addresses of 76,000 developers. The leak began on June 23rd, when what Mozilla calls a "data sanitization process" on the Mozilla Developer Network site began failing, and it carried on unnoticed for a month.
The flaw was eventually spotted 11 days ago, and the company has been investigating before making an announcement. In addition to the email addresses, it seems that the encrypted passwords of around 4,000 users were also available on a public server.
The database dump file has now been removed and the leaky process halted. The passwords were securely stored as salted hashes, but even so it's recommended that they be changed, along with the passwords for any other sites where the same one has been used.
Mozilla says that although it can't detect any malicious activity on the affected server, it can't be sure that it hasn't been accessed. Notices have been sent out to those affected, and Mozilla is looking at its processes to reduce the risk of a similar occurrence.
This will be somewhat embarrassing for Mozilla, which last year kicked up a fuss about Gamma International using its browser to hide data collection activity.
Writing on the Mozilla Security Blog, director of developer relations Stormy Peters says, "We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you".