Mozilla Improving Security Processes After Exposing Developer Data

Users of the Mozilla Developer Network and Bugzilla testing system are advised to update their passwords after a pair of data disclosures were reported in August.


Mozilla is doubling down on its security procedures after reporting two separate incidents in which developer information was unintentionally publicly disclosed.

The most recent incident was first reported by Mozilla on Aug. 27 and involves information disclosure on 97,000 developers. The development system for the Bugzilla bug tracking platform left developer information, including email information and encrypted passwords, exposed publicly for approximately three months.

Mozilla estimates that the disclosure first occurred on May 4 during a migration of a testing server with a database dump containing the user information. Mozilla is now changing its testing process to not include database dumps. Users of the system have been advised to change their passwords as a result of the issue.

On Aug. 1, Mozilla publicly revealed an information disclosure on its Mozilla Developer Network (MDN) platform, exposing information on approximately 76,000 users. That issue also had to deal with an unintentional database dump that included user information.

Denelle Dixon-Thayer, senior vice president of business and legal affairs at Mozilla, told eWEEK that the recent incidents have confirmed to Mozilla the importance of a review effort that got started last year. That effort encompasses a full review of Mozilla's practices around data, including the various non-Mozilla projects that Mozilla supports.

"We are implementing immediate fixes for any discovered issues across the organization, and are requiring each business unit to perform a review of their data practices and, if necessary, to implement additional protections based on that review," Dixon-Thayer said. "We will update users as we progress through this review."

In the case of the information disclosures on the MDN and site, user passwords were all encrypted, which is a key best practice to minimize data breach risk.

Another best practice that is increasingly being adopted by software development communities is the use of two-factor authentication for access. In a two-factor system, a second password (or factor) is required for a user to gain access. The Linux Foundation recently announced that it is deploying two-factor authentication for the development of the Linux kernel.

"We are committed to multilayered security controls and practices, many of which will be publicly verifiable by our global community, Dixon-Thayer said. "We are focused on continuing to improve our data practices to minimize the likelihood of these and other types of incidents."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.