For the second time this month, Mozilla has announced the accidental exposure of email addresses and encrypted passwords of project developers. This time, the incident affected about 97,000 users testing an early version of Bugzilla, bug-tracking software supported by the Mozilla Foundation.
According to a blog post, the organization became aware of the exposure when a contributor filed a security bug. The developers' credentials were posted on a publicly accessible server during the migration of its testing server, starting on May 4 and lasting for about three months.
“As soon as we became aware, the database dump files were removed from the server immediately, and we’ve modified the testing process to not require database dumps,” said Bugzilla’s assistant project lead Mark Côté.
Less than a month ago, Mozilla announced a similar incident that revealed the email addresses of 76,000 developers along with 4,000 encrypted passwords, also due to a database dump file.
Côté explained that developers testing early builds are well aware that the builds are often insecure, so it's unlikely they reused their passwords elsewhere. Nonetheless, Mozilla has notified users who have been affected by the exposure and recommends changing their login credentials on other sites.
“It’s important to note that, unless users reused the password they used on landfill.bugzilla.org, this does not affect bugzilla.mozilla.org email addresses or passwords,” added Côté.
Following the announcement, Mozilla’s operations security manager Joe Stevensen stated, “We have kicked off a larger project to better our practices around data, including with respect to the various non-Mozilla projects we support.”
“We are implementing immediate fixes for any discovered issues across the organization, and are requiring each business unit to perform a review of their data practices and, if necessary, to implement additional protections based on that review.”