Mozilla Improving Security Processes After Exposing Developer Data
Users of the Mozilla Developer Network and Bugzilla testing system are advised to update their passwords after a pair of data disclosures were reported in August.
Mozilla is doubling down on its security procedures after reporting two separate incidents in which developer information was unintentionally publicly disclosed. The most recent incident was first reported by Mozilla on Aug. 27 and involves information disclosure on 97,000 developers. The landfill.bugzilla.org development system for the Bugzilla bug tracking platform left developer information, including email information and encrypted passwords, exposed publicly for approximately three months. Mozilla estimates that the disclosure first occurred on May 4 during a migration of a testing server with a database dump containing the user information. Mozilla is now changing its testing process to not include database dumps. Users of the landfill.bugzilla.org system have been advised to change their passwords as a result of the issue.
On Aug. 1, Mozilla publicly revealed an information disclosure on its Mozilla Developer Network (MDN) platform, exposing information on approximately 76,000 users. That issue also involved an unintentional database dump that included user information.
Denelle Dixon-Thayer, senior vice president of business and legal affairs at Mozilla, told eWEEK that the recent incidents have confirmed to Mozilla the importance of a review effort that got started last year. That effort encompasses a full review of Mozilla's practices around data, including the various non-Mozilla projects that Mozilla supports.