Security breach of addons.mozilla.org


Thanks to Mozilla for this pro-active reporting of the security breach.  If any of you reading this blog have an account on addons.mozilla.org and have not received this note, please take action.


Mozilla Add-ons
 
date Tue, Dec 28, 2010 at 8:34 AM
subject Important notice about your addons.mozilla.org account

Dear addons.mozilla.org user,

The purpose of this email is to notify you about a possible disclosure
of your information which occurred on December 17th. On this date, we
were informed by a 3rd party who discovered a file with individual user
records on a public portion of one of our servers. We immediately took
the file off the server and investigated all downloads. We have
identified all the downloads and with the exception of the 3rd party,
who reported this issue, the file has been download by only Mozilla
staff.  This file was placed on this server by mistake and was a partial
representation of the users database from addons.mozilla.org. The file
included email addresses, first and last names, and an md5 hash
representation of your password. The reason we are disclosing this event
is because we have removed your existing password from the addons site
and are asking you to reset it by going back to the addons site and
clicking forgot password. We are also asking you to change your password
on other sites in which you use the same password. Since we have
effectively erased your password, you don’t need to do anything if you
do not want to use your account.  It is disabled until you perform the
password recovery.

We have identified the process which allowed this file to be posted
publicly and have taken steps to prevent this in the future. We are also
evaluating other processes to ensure your information is safe and secure.

Should you have any questions, please feel free to contact the
infrastructure security team directly at infrasec@mozilla.com. If you
are having issues resetting your account, please contact
amo-admins@mozilla.org.

We apologize for any inconvenience this has caused.

Chris Lyon
Director of Infrastructure Security

One thought on “Security breach of addons.mozilla.org

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s