updated 07:33 pm EDT, Wed August 6, 2014
About 76,000 email addresses, 4,000 encrypted passwords were publicly accessible
At the beginning of the month, Mozilla issued a release on its security blog that there had been an investigation into accidental disclosure of its database for the Mozilla Developer Network (MDN). The company discovered a problem after a web developer found out that the data sanitization process it runs on the MDN database had been failing. The result was that 76,000 email addresses of account holders, as well as the "passwords of about 4,000 users" were able to be accessed publicly.
Mozilla says that as soon as the discovery was made, the dump file for the database was removed. It's possible, however, that the damage could have already been done. The issue with the database sanitation first started on June 23, but it ended up going on for 30 days. While Mozilla couldn't find any proof of malicious activity on the server in question, it cannot say with certainty that nefarious parties didn't access the data.
"We are known for our commitment to privacy and security, and we are deeply sorry for any inconvenience or concern this incident may cause you," said Director of Developer Relations Stormy Peters, and Operations Security Manager Joe Stevensen, in the joint statement.
According to Mozilla, the encrypted passwords that any party could find were salted hashes that could no longer be used to access the MDN website. However, the company realizes that some parties could have reused their MDN passwords in other locations. Mozilla said it reached out to the people affected to recommend they change passwords, especially those that had emails and passwords exposed, in the chance that the encryption was cracked.
It took Mozilla a total of 10 days to conclude its investigation. The company said it would be looking into "the processes and principles" that it has in place, with the aim of reducing the chance that such a problem could arise in the future.