addons.mozilla.org compromised, with anecdotes

Internet

And here be the reason why I use my disposable Gmail instead of my regular mail account to register for websites!

I, along with a ton of other people, got sent this email a couple of days ago.

Dear addons.mozilla.org user,

The purpose of this email is to notify you about a possible disclosure of your information which occurred on December 17th. On this date, we were informed by a 3rd party who discovered a file with individual user records on a public portion of one of our servers.

OUCH!

We immediately took the file off the server and investigated all downloads. We have identified all the downloads and with the exception of the 3rd party, who reported this issue, the file has been download by only Mozilla staff. This file was placed on this server by mistake and was a partial representation of the users database from addons.mozilla.org. The file included email addresses, first and last names, and an md5 hash representation of your password.

Scary stuff. I'd be interested to know who comprises "Mozilla staff" in this case, and for how long it was public.

The reason we are disclosing this event is because we have removed your existing password from the addons site and are asking you to reset it by going back to the addons site and clicking forgot password. We are also asking you to change your password on other sites in which you use the same password. Since we have effectively erased your password, you don’t need to do anything if you do not want to use your account. It is disabled until you perform the password recovery.

Done and done. Yikes.

We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future. We are also evaluating other processes to ensure your information is safe and secure.

We apologize for any inconvenience this has caused.

Chris Lyon
Director of Infrastructure Security

To their credit, at least they disclosed this issue to their users instead of sweeping it under the rug. I hope lessons have been learned, and this doesn't happen again.

Amusing anecdotes

This whole thing reminds me of a time I was doing a week's work for a relatively large IT firm that will remain anonymous, and their ticket system were validating users with plain text versions of their passwords. My first thought was "didn't people stop doing this in the 80s?" and secondly, that I was glad I didn't have an account with them.

Then there are time times I've forgotten my passwords for sites, but instead of sending me an email with a reset token or the like, they send me my password, indicating they have it stored in a database. Last time that happened it was something trivial like a creaky old forum, but suffice to say I left there quicker than that strip club I was tricked into going to for my 19th birthday by my room mates at the time. Hey shaddup, I was scared.

You don't need a degree in cryptography to know you never store people's passwords! Kudos to Mozilla for not doing this too ;).

Author bio and support

Me!

Ruben Schade is a technical writer and infrastructure architect in Sydney, Australia who refers to himself in the third person. Hi!

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite bespoke cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or send a comment. Thanks ☺️.