In an email to the site’s users, Mozilla said that a third party notified the company Dec. 17 that a file containing user records was posted to a public web server. Mozilla said the file contained user email addresses, first and last names, and MD5 password hashes.
“We immediately took the file off the server and investigated all downloads. We have identified all the downloads and with the exception of the 3rd party, who reported this issue, the file has been downloaded by only Mozilla staff”, the company said in its email.
Mozilla removed the passwords from the site and asked users to reset their passwords for that site as well as other Mozilla sites. “We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future. We are also evaluating other processes to ensure your information is safe and secure”, the email said.
In a Dec. 27 blog post, Chris Lyon, director of infrastructure security at Mozilla, said that the file included 44,000 inactive accounts using older, MD5 password hashes. The company erased the MD5 passwords, rendering the accounts inactive. Lyon stressed that current users employ the more secure SHA-512 password hash with per-user salts and therefore are “not at risk”.
In a blog post, Chester Wisniewski, senior security advisor at Sophos Canada, explained the problem with the MD5 password hashes: “MD5 has cryptographic weaknesses that permit creation of the same hash from multiple strings. This permits security experts to compute all the possible hashes and determine either your password or another string that will work even if it is not your password”.
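As an added illustration (not code from the article, Mozilla or Sophos) of the contrast the two posts draw: an unsalted MD5 store falls to one precomputed table shared across all users, while the per-user-salted SHA-512 scheme Lyon describes forces separate work for every account. The users, passwords and wordlist below are constructed sample data, not values from the leaked file.

```python
import hashlib
import os

# Constructed sample accounts (hypothetical users, not from the leaked file).
CONSTRUCTED_PASSWORDS = {"alice": "password", "bob": "letmein", "carol": "dragon"}

# Constructed wordlist standing in for a precomputed hash table.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]


def md5_unsalted(password: str) -> str:
    """Legacy scheme named in the article: bare MD5 of the password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def sha512_salted(password: str, salt: bytes) -> str:
    """Current scheme named in the article: SHA-512 over a per-user random salt
    and the password. Stored as hex(salt) + '$' + hex(digest) so verification
    can recover the salt. (Storage format is an assumption for this example.)"""
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare."""
    salt_hex, _ = stored.split("$", 1)
    return sha512_salted(password, bytes.fromhex(salt_hex)) == stored


def legacy_store() -> dict:
    """What the inactive accounts looked like: user -> unsalted MD5."""
    return {u: md5_unsalted(p) for u, p in CONSTRUCTED_PASSWORDS.items()}


def current_store() -> dict:
    """What the active accounts look like: user -> salted SHA-512, fresh salt each."""
    return {u: sha512_salted(p, os.urandom(16)) for u, p in CONSTRUCTED_PASSWORDS.items()}


def recover_unsalted(stored_hashes: dict, wordlist) -> dict:
    """Defender's audit: how many legacy hashes match a table computed ONCE.
    With no salt, one MD5 per wordlist entry covers every user simultaneously."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stored_hashes.items() if h in table}


def salted_table_cost(n_users: int, wordlist) -> int:
    """With per-user salts no table can be shared: work scales as users x wordlist."""
    return n_users * len(wordlist)
```

The salt removes the shared-table shortcut; it does not by itself make each individual guess slower, which is why migrating off MD5 is framed as a minimum rather than an endpoint.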
Wisniewski commended Mozilla for its rapid response to the incident but wondered how the company accidentally published the files in the first place and why it still had MD5 password hashes in its system.
“If you are a web site administrator/developer, are you still storing passwords using methods like Gawker (DES) or Mozilla (MD5)? We know they are broken, and it is important to migrate away from these algorithms in case you have a database accidentally make its way outside of your organization”, he wrote.