Mozilla Exposes 4,000 Passwords by Mistake
A data sanitization process failed for 30 days, exposing 76,000 email addresses and 4,000 salted password hashes.
Mozilla director of developer relations Stormy Peters and operations security manager Joe Stevensen recently announced that the email addresses of approximately 76,000 Mozilla Developer Network (MDN) users, along with about 4,000 users' encrypted passwords, had been mistakenly exposed.
According to Peters and Stevensen, the issue was discovered two weeks ago when a Mozilla Web developer found that, starting on about June 23, 2014 and for a period of about 30 days, a data sanitization process for the MDN site database had been failing, so the database dump the process generated still contained the unsanitized email addresses and password hashes.
"As soon as we learned of it, the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure," Peters and Stevensen wrote in a blog post announcing the breach. "While we have not been able to detect malicious activity on that server, we cannot be sure there wasn't any such access."
In a separate post, Mozilla security engineer Julien Vehent explained that MDN has been using Persona for a while now, as a result of which the majority of accounts don't have passwords listed in the database. "But older accounts still had the SHA256 salted hash that Django creates," he noted.
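The failure mode described above, a sanitization step that fails without stopping the dump from being produced, and the Django hash format Vehent mentions, are illustrated by the following added example. It is not Mozilla's or MDN's code: the table schema, the rows, the hash values and the function names are all constructed for this example. The point it makes is that a scrub step should be verified independently on its output and the dump withheld when the check fails, rather than trusting that the scrub ran.

```python
import re

# Constructed sample rows standing in for a Django users table; the schema,
# addresses and hash strings are made up for this example.
SAMPLE_ROWS = [
    # Persona-era account with no local password, as the article describes.
    {"id": 1, "username": "alice", "email": "alice@example.org", "password": ""},
    # Older accounts still carrying a salted hash in Django's
    # "<algorithm>$<params>$<salt>$<digest>" form.
    {"id": 2, "username": "bob", "email": "bob@example.net",
     "password": "pbkdf2_sha256$12000$NaClNaCl$2Yt4Yq5Q0oP9v1ZQ1a2b3c4d5e6f7g8h9i0jKlMnOpQ="},
    {"id": 3, "username": "carol", "email": "carol@example.com",
     "password": "sha1$a1b2c3$d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3"},
]

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# Django password hashes start with the hasher name followed by "$".
DJANGO_HASH_RE = re.compile(r"^(pbkdf2_sha256|pbkdf2_sha1|bcrypt(_sha256)?|sha1|md5)\$")
REDACTED = "[redacted]"


class SanitizationError(Exception):
    """Raised when the scrubbed dump still contains sensitive values."""


def sanitize(rows):
    """Scrub the columns that must never leave the database."""
    return [{**row, "email": REDACTED, "password": ""} for row in rows]


def broken_sanitize(rows):
    """A sanitizer that fails open: it references a column that does not
    exist, swallows its own error and hands the rows back untouched. Included
    only to exercise the verifier below."""
    try:
        return [{**row, "email": REDACTED, "password": row["passwd"]} for row in rows]
    except KeyError:
        return rows


def find_sensitive(rows):
    """Independent check run on the sanitizer's output: return (id, column)
    for every string value that still looks like an email address or a
    Django password hash."""
    findings = []
    for row in rows:
        for column, value in row.items():
            if not isinstance(value, str):
                continue
            if EMAIL_RE.search(value) or DJANGO_HASH_RE.match(value):
                findings.append((row["id"], column))
    return findings


def make_public_dump(rows, sanitizer=sanitize):
    """Fail closed: return the scrubbed rows only if verification passes,
    otherwise raise so that no dump file is written at all."""
    scrubbed = sanitizer(rows)
    findings = find_sensitive(scrubbed)
    if findings:
        raise SanitizationError(f"sensitive data still present: {findings}")
    return scrubbed


if __name__ == "__main__":
    print(make_public_dump(SAMPLE_ROWS))
    try:
        make_public_dump(SAMPLE_ROWS, sanitizer=broken_sanitize)
    except SanitizationError as exc:
        print("refused to publish:", exc)
```

The verifier deliberately shares no code with the sanitizer, so a bug in one does not hide a bug in the other; the regexes are illustrative and a real deployment would match on the exact column set and hasher names its application uses.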
All affected users have been notified, and those whose password hashes were exposed are being advised to change their passwords on any other sites where they used the same or similar login credentials, since a salted hash can still be cracked offline.
Mistakes are a common cause of data breaches, though most of them are far simpler email errors. Goldman Sachs recently asked Google to delete an email after a third-party contractor emailed confidential client data to the wrong Gmail account on June 23, 2014.
The contractor had been testing changes to the bank's internal processes and intended to email her report to a gs.com email address, but sent it instead to a gmail.com address. Reuters reports that Google complied with Goldman Sachs' request to delete the email in question, and confirmed that it had not been accessed.
"No client information has been breached," Goldman Sachs spokesperson Andrea Raphael said at the time.
A similar breach occurred on May 30, 2014, when 35,212 Riverside Community College District (RCCD) students' names, addresses, phone numbers, email addresses, birthdates, student identification numbers, enrolled classes and Social Security numbers were sent to the wrong email address by mistake.
It cost RCCD $290,000 to respond to the breach.
To avoid mistakes like this, Marshall University assistant professor Bill Gardner says security training should be an ongoing process, and should be customized to meet different employees' needs. "You want to build a culture around awareness," Gardner told eSecurity Planet.