Another day, another set of usernames published “by accident.”
This time, it’s by Mozilla, the developer of popular open source software including Firefox and Thunderbird. A database containing usernames and password hashes was posted publicly on Dec. 22, Mozilla said.
About 44,000 users who had registered for an account on addons.mozilla.org were affected by this data disclosure. Mozilla said its security team has already contacted all affected users.
This is not another Gawker-style breach, as the leaked usernames and password hashes date from before April 9, 2009. Until then, Mozilla stored passwords as MD5 hashes, which, while better than storing them as plain text, has its own weaknesses. MD5 can potentially create the same hash for more than one string, which means someone can compute possible hashes and hit upon your password, or another string that still works because it generates the same hash, said Chester Wisniewski, a Senior Security Advisor at Sophos Canada.
Mozilla switched over to a more secure system, SHA-512 with per-user salts, in 2009, but hadn’t prompted its older users to migrate to the new mechanism. After this incident, Mozilla erased the older hashes, effectively disabling the accounts, according to the Mozilla security blog.
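The difference between the two storage schemes, and the migration step the article says never happened for older accounts, is easy to see in code. The following is an added illustration, not Mozilla's code: it models a legacy record as an unsalted MD5 hash, a current record as SHA-512 over a random per-user salt plus the password (the exact concatenation order is an assumption), and an upgrade-on-login routine that verifies a legacy record and, on success, replaces it with a salted SHA-512 record so the old hash can be discarded. The usernames and password are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Legacy scheme: unsalted MD5, as the article describes for accounts created
# before April 2009. Two users with the same password get the same stored value,
# so a single precomputed lookup exposes both.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Current scheme: SHA-512 over a per-user salt and the password.
# Salt-then-password ordering is an assumption for this example.
# (A deliberately slow KDF such as PBKDF2 or bcrypt is the stronger modern choice;
# SHA-512 with a salt is used here because that is the scheme the article names.)
def salted_sha512(password: str, salt: bytes) -> str:
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()

def make_legacy_record(password: str) -> dict:
    return {"scheme": "md5", "hash": legacy_md5(password)}

def make_current_record(password: str) -> dict:
    salt = secrets.token_bytes(16)          # fresh random salt per user
    return {"scheme": "sha512", "salt": salt.hex(), "hash": salted_sha512(password, salt)}

def count_distinct_hashes(store: dict) -> int:
    """How many different stored hash values a set of user records contains."""
    return len({rec["hash"] for rec in store.values()})

def verify_and_migrate(record: dict, password: str) -> tuple:
    """Check a login attempt against either scheme.

    Returns (ok, record). When a legacy MD5 record verifies, the returned record
    is a new salted SHA-512 record, so the caller can overwrite the old hash at
    the moment the cleartext password is available (upgrade on login).
    """
    if record["scheme"] == "md5":
        ok = hmac.compare_digest(record["hash"], legacy_md5(password))
        return (True, make_current_record(password)) if ok else (False, record)
    salt = bytes.fromhex(record["salt"])
    ok = hmac.compare_digest(record["hash"], salted_sha512(password, salt))
    return ok, record

if __name__ == "__main__":
    # Constructed sample: two users who happen to share a password.
    users, password = ["alice", "bob"], "correct horse battery staple"

    legacy_store = {u: make_legacy_record(password) for u in users}
    current_store = {u: make_current_record(password) for u in users}
    print("distinct hashes, legacy MD5:   ", count_distinct_hashes(legacy_store))
    print("distinct hashes, salted SHA-512:", count_distinct_hashes(current_store))

    # Upgrade alice's legacy record at her next successful login.
    ok, upgraded = verify_and_migrate(legacy_store["alice"], password)
    print("legacy login ok:", ok, "-> new scheme:", upgraded["scheme"])
    print("upgraded record still verifies:", verify_and_migrate(upgraded, password)[0])
```

The count of distinct hashes is the whole point: with unsalted MD5 the two identical passwords collapse to one stored value, while the salted scheme yields two unrelated values. The upgrade path only works while users actually log in, which is why an unprompted migration leaves dormant accounts on the old hash indefinitely.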
Mozilla audited their logs and determined the only person outside of Mozilla who accessed the data on the public server was the person who informed them of the breach via its Web bounty program.
While Mozilla is quite confident only one person saw the information, it’s best to ensure the same Mozilla password is not being used on any other site. As was clearly proven at Gawker, many people reuse passwords on multiple sites, which makes their accounts insecure, so it’s worth taking a second to check.