Thousands of email addresses and encrypted passwords were exposed for nearly a month – leaving 78,000 Mozilla app developers vulnerable to hackers. It’s not yet clear whether the vulnerability has been exploited, or whether this is a data breach, Mozilla sad.
The email addresses, plus 4,000 encrypted passwords were left on a publicly available server for 30 days from June 23, leading to the concerns over a potential data breach, according to Ars Technica’s report.
In an official blog post, Stormy Peters, Mozilla’s director of developer relations said, “While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today.”
“Still, it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems. We’ve sent notices to the users who were affected,” Peters said.
VPN Creative said the breach had potentially exposed, “the email addresses and passwords of many of the top add-on programmers who have helped Firefox and its associated programs become one of the most customizable and sought after browsers available on the market today.”
Firefox is the third-most popular browser in the world after Chrome and Internet Explorer. The customizable nature of the browser – allowing add-ons to change the appearance and function of the software was revolutionary 10 years ago.
Writing on Mozilla’s add-ons blog, Amy Tsay says, “Anyone with coding skills could create an add-on and submit it to addons.mozilla.org (AMO) for others to use. The idea that you could experience the web on your own terms was a powerful one, and today, add-ons have been downloaded close to 4 billion times.”
Popular Firefox add-ons such as Lightbeam have offered the general public a visual way to understand privacy – a graphic shows companies connecting to a machine as it browses, from third-party ad trackers to e-commerce companies.
ESET Researcher Stephen Cobb writes, “Last year’s ESET Threat Report demonstrated that online privacy had become something the world was worried about, in the wake of Edward Snowden’s revelations. I predicted an unprecedented level of interest in encryption products due to continuing revelations about state-sponsored surveillance of companies and consumers.”
Peters also invites developers who are concerned they may have fallen victim to contact Mozilla directly. Mozilla also created a forum for developers to voice concerns, and asked for advice from the wider security community.
The potential breach was caused by an automated process of “data sanitization” which left the information on an accessible server.
Author Rob Waugh, We Live Security