Mozilla announced over the past weekend that it recently concluded an investigation of a data sanitization process that exposed email addresses and login credentials of users in the Mozilla Developer Network (MDN). According to a blog post by Stormy Peters, director of developer relations at Mozilla, no malicious activity has been detected since the breach.
A Mozilla developer discovered on June 23 that a data sanitization process had failed, dumping the email addresses of about 76,000 users and the encrypted passwords of 4,000 users on a publicly accessible server. Although Mozilla has detected no malicious activity, it could not rule out the possibility that someone retrieved the sensitive information.
MDN users log in to the site using accounts set up in Persona, a mechanism Mozilla refers to as ‘a sign-in system for the Web’. In the same way that Microsoft’s online users can create a password from live.com to log in to its sites like OneDrive or Bing, Mozilla users can use their Persona account to access Mozilla sites like MDN. Persona can also be extended to log in to non-Mozilla sites like Yahoo or Gmail.
That’s part of what makes this breach so troubling: it’s conceivable that under the right circumstances, a compromised Persona account could give an unauthorized user access not only to something as relatively innocuous as an MDN account, but also to more sensitive sites like the aforementioned web email providers.
Since the passwords themselves were encrypted, it’s improbable that anyone’s MDN account could be taken over by another person. The more likely problem is that the exposed email addresses could be collected and used to send spam. Mozilla has notified affected users of the breach, recommending that they change passwords.
Mozilla deserves credit for responding to the problem as quickly as it did, investigating what happened, and then announcing the problem publicly. However, that’s no consolation to a user whose email address was compromised and who is suddenly getting spammed 500 times a day about the latest get-rich-quick schemes.
To conclude what Mozilla should have done differently is pure speculation; it would require intimate knowledge of what their servers are running and how they are configured. Perhaps Mozilla did not configure a setting correctly. Maybe the database vendor did not clearly document data sanitization processes. Regardless of what should be done, the environment needs to be structured in such a way that it is as close to impossible as you can get for something like this to happen again.