Mozilla Exposes 97,000 Bugzilla User Passwords


Mark Cote, assistant project lead for Mozilla's Bugzilla software, recently announced that, starting on or about May 4, 2014, database dump files containing the email addresses and encrypted passwords of about 97,000 users of Bugzilla software test builds were posted on a publicly accessible server.

The files were available for approximately three months.

"As soon we became aware, the database dump files were removed from the server immediately, and we've modified the testing process to not require database dumps," Cote wrote in a blog post announcing the breach.

"Generally, developers who use our test builds have told us they understand that these builds are insecure and may break, so they do not use passwords they would reuse elsewhere," Cote wrote. "However, because it is possible that some users could have reused their passwords on other websites or authentication systems, we've sent notices to the users who were affected by this disclosure and recommended that they change any similar passwords they may be using."

That's a reasonable concern -- a recent YouGov survey found that even though 47 percent of Americans say they're more worried about online security than they were last year, only 53 percent changed their online banking passwords in the past year, and just 38 percent changed their work email passwords in the past year.

Sophos recommends using long, non-dictionary passwords with a combination of upper and lower case letters, numbers and symbols -- and considering making use of a password manager such as LastPass or KeePass.

eSecurity Planet recently examined several tools for enforcing password policies, including password policy tools, cloud-based single sign-on tools and enterprise password management solutions. And in an earlier article, eSecurity Planet looked at the five best password managers available at the time.

This is the second breach announcement for Mozilla in the past month -- on August 1, 2014, Mozilla announced that the email addresses of approximately 76,000 Mozilla Developer Network (MDN) users, along with about 4,000 users' encrypted passwords, had been mistakenly exposed for a period of about 30 days.