Oops! Mozilla left thousands of email addresses and passwords lying around (again)

[RainfallWithin]

Original article by Graham Cluley on hotforsecurity.com: http://www.hotforsecurity.com/blog/oops-mozilla-left-thousands-of-email-addresses-and-passwords-lying-around-again-10013.html

 

For second time in a month, Mozilla – famous for the Firefox web browser – has had to warn that thousands of email addresses and passwords were left lying around on a server that the public could easily access.
 
At the beginning of August members of the Mozilla developer community were warned that approximately 76,000 email addresses and 4,000 encrypted passwords had been left on a publicly accessible server for 30 days.
 
<EDIT: Text has been cut to shorten the article>
 
Because Mozilla announced this week a second accidental disclosure of email addresses and encrypted passwords – this time affecting roughly 97,000 users.
 
Not only is that more people than were affected by the previous incident, but also the data was exposed for a longer period of time – three months.
 
In this case, the 97,000 users affected were testers of early builds of the Bugzilla bug tracking software, and information became exposed during a server migration.
 
"One of our developers discovered that, starting on about May 4th, 2014, for a period of around 3 months, during the migration of our testing server for test builds of the Bugzilla software, database dump files containing email addresses and encrypted passwords of roughly 97,000 users of the test build were posted on a publicly accessible server. As soon as we became aware, the database dump files were removed from the server immediately, and we’ve modified the testing process to not require database dumps."

It’s not known, of course, that anyone with malicious intent has accessed the leaked databases. But if they had, even if they weren’t able to decrypt the (hopefully stored as salted hashes) passwords, criminals might be able to cause trouble.
 
For instance, tens of thousands of email addresses are useful for spammers and fraudsters who might use them to launch malicious campaigns, or attempt to phish information from users in carefully-crafted attacks.
 
The Mozilla Foundation is pinning its hopes on its testers not having used the same passwords as ones they might not use elsewhere on the net.
 
"Generally, developers who use our test builds have told us they understand that these builds are insecure and may break, so they do not use passwords they would reuse elsewhere."

I do hope that Mozilla is right about that. Because I think it’s human nature to be lazy and sloppy, and I can easily imagine that many people (even the technical dudes who have accounts on the Bugzilla testing server) might easily make the mistake of reusing passwords.
 
Mozilla says it is “deeply sorry for any inconvenience” and has informed users who are affected by the disclosure, advising them to change “any similar passwords that they might be using.”
 

<EDIT: Text has been cut to shorten the article>

 

Personal Thoughts

It appears that Mozilla have found this issue after searching for more security problems after discovering a mistake early in August 2014. To clarify, this only affected testers of early builds of the Bugzilla bug tracking software.

 

This topic was well explained by Luke on 5th September 2014 WAN Show: http://youtu.be/it5bE6cPz6U?t=29m23s

[Bloodyvalley]

WHAT?!?!?!?!?!

 

 

 

I'M SWITCHING TO CHROME RIGHT FUCKING NOW

 

 

edit: chrome is garbage heeeeeeeeeeeeelp

 

 

 

 

ps: was waterfox affected? because I'd like to use that instead of this POS called chrome

 

 

edit: and the problems start...

[BonBon Scott]

At least they didn't leave the stove on...or did they? DUN DUN DUN

[ThyFeared]

WHAT?!?!?!?!?!

 

 

 

I'M SWITCHING TO CHROME RIGHT FUCKING NOW

 

 

edit: chrome is garbage heeeeeeeeeeeeelp

 

 

 

 

ps: was waterfox affected? because I'd like to use that instead of this POS called chrome

Opera is pretty good.

[Bloodyvalley]

Opera is pretty good.

Oh yeah! I used to use Opera back in 2009. Now it's full of shit.

[Anthrax]

Opera is pretty good.

Slick keeps ranting about how bad it is though?

[ThyFeared]

Slick keeps ranting about how bad it is though?

I like how speedy it is.

[techswede]

I give firefox one chance to win me back over.. One chance.. And this happens

[Enderman]

edit: chrome is garbage heeeeeeeeeeeeelp

No its not. You just don't know how to use it.

[LarsReviews]

As a chrome user I must say...

 

[Bloodyvalley]

No its not. You just don't know how to use it.

updated my post

[Builder]

ps: was waterfox affected? because I'd like to use that instead of this POS called chrome

I give firefox one chance to win me back over.. One chance.. And this happens

I'm sorry, who here actually READ THE POST? These were users of their beta bug tracking software, not people using their browser.

 

No its not. You just don't know how to use it.

 

You edited your post. Before it was this: "No its not. It's your PC that is garbage."

Christ, you're arrogant. Did you look at his profile? The dude has a 3570K with 16GB of RAM and an HD 7970. You'll edit that now and switch to a different attack.

 

Chrome is nothing special. They introduced literally nothing special with it, they just forked WebKit and added a simple UI. 

[Enderman]

 

Enjoy your safari

[Builder]

Enjoy your safari

Uses the exact same rendering engine as Chrome. THE EXACT SAME!

[Enderman]

updated my post

I see. It seems like an issue with your graphics card...

I would try deactivating hardware acceleration in your chrome settings. That should fix it.

[techswede]

I'm sorry, who here actually READ THE POST? These were users of their beta bug tracking software, not people using their browser.

 

I read the post. It's just that i did not hear anything about any major mistakes on their end.. Until i installed it and started using it.. And now this popped up  

[Enderman]

Uses the exact same rendering engine as Chrome. THE EXACT SAME!

Then why do the benchmarks look different?

[Techhog]

Uses the exact same rendering engine as Chrome. THE EXACT SAME!

My god, you get defensive quickly when it comes to Apple.

[kuddlesworth9419]

Lets face it all the browsers are really shit. All I want is a browser that is simple and does everything I need it to which isn't much other than HTML5 support and thats it. I really hate using Chrome but I am so integrated into it.

[Homicidium]

Slick keeps ranting about how bad it is though?

 

It's actually a very good browser!

[Builder]

Then why do the benchmarks look different?

That benchmark is ancient. That's Safari 4 and Chrome 10. What kind of scheme are you trying to pull?

 

My god, you get defensive quickly when it comes to Apple.

No, I get defensive when people are wrong. Enderman is very often wrong so I get very defensive around him.

[StingBull]

"In this case, the 97,000 users affected were testers of early builds of the Bugzilla bug tracking software"

 

nobody ever fucking reads...

 

Uses the exact same rendering engine as Chrome. THE EXACT SAME!

 

No it does not. Safari uses WebKit, Chrome uses Blink which  while derived from WebKit is different.

 

 

[Enderman]

No, I get defensive when people are wrong. Enderman is very often wrong so I get very defensive around him.

Holy crap you seriously need to grow up. We don't need people like you on this forum saying "i'm always right and you're always wrong"

You always start arguments when there is no need to. Please just stop derailing threads for no reason.

 

@Builder PS maybe you need glasses... that's safari 5 and chrome 12... lol fail

[Jerakl]

My god, you get defensive quickly when it comes to Apple.

He's like that. He told me (huge summary here) to go buy a console if I only use my PC for gaming.

[APrettyCoolWalrus]

That benchmark is ancient. That's Safari 4 and Chrome 10. What kind of scheme are you trying to pull?

 

No, I get defensive when people are wrong. Enderman is very often wrong so I get very defensive around him.

 

 

Holy crap you seriously need to grow up. We don't need people like you on this forum saying "i'm always right and you're always wrong"

You always start arguments when there is no need to. Please just stop derailing threads for no reason.

Everyone calm your tits please