Close on the heels of the Gawker Media security breach, Mozilla has disclosed that it had accidentally published a partial database of addons.mozilla.org user account information. As many as 44,000 user ids and password hashes were left publicly accessible.
The affected accounts were inactive ones whose passwords were stored as unsalted MD5 hashes. MD5 is a weak hash function, and passwords hashed with it can be recovered. Security firm Sophos explained:
MD5 has cryptographic weaknesses that permit creation of the same hash from multiple strings. This permits security experts to compute all the possible hashes and determine either your password or another string that will work even if it is not your password.
Active accounts on Mozilla’s add-on repository use salted SHA-512 password hashes, which offer stronger protection.
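To make the contrast concrete, here is an added example (not Mozilla's code; the record layout and sample users are assumptions) showing why unsalted MD5 lets one precomputed table serve every account while salted SHA-512 does not, together with the defender-side steps: auditing which records are still legacy and rehashing them on the next successful login.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed record layout (an assumption, not Mozilla's real schema):
#   legacy   "md5$<hex>"                unsalted MD5 of the password
#   current  "sha512$<salthex>$<hex>"   SHA-512 over salt || password

def md5_hash(password: str) -> str:
    # No salt: every user with the same password gets the same hash.
    return "md5$" + hashlib.md5(password.encode()).hexdigest()

def sha512_salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    # A fresh random salt per record makes precomputed tables useless.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return "sha512$%s$%s" % (salt.hex(), digest)

def verify(password: str, stored: str) -> bool:
    scheme, _, rest = stored.partition("$")
    if scheme == "md5":
        candidate = md5_hash(password)
    elif scheme == "sha512":
        salt_hex = rest.partition("$")[0]
        candidate = sha512_salted_hash(password, bytes.fromhex(salt_hex))
    else:
        return False
    return hmac.compare_digest(candidate, stored)

def legacy_accounts(records: Dict[str, str]) -> List[str]:
    """Accounts still stored as unsalted MD5: candidates for a forced reset."""
    return sorted(u for u, h in records.items() if h.startswith("md5$"))

def upgrade_on_login(records: Dict[str, str], user: str, password: str) -> bool:
    """Authenticate; if the stored hash is legacy MD5, rehash as salted SHA-512."""
    stored = records.get(user)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("md5$"):
        records[user] = sha512_salted_hash(password)
    return True

# Constructed sample: two inactive users sharing a password, one active user.
RECORDS = {
    "inactive_a": md5_hash("letmein"),
    "inactive_b": md5_hash("letmein"),
    "active_c": sha512_salted_hash("letmein"),
}

if __name__ == "__main__":
    print("legacy accounts:", legacy_accounts(RECORDS))
    print("same password, identical MD5?", RECORDS["inactive_a"] == RECORDS["inactive_b"])
```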
The good news is that almost no one noticed. According to Mozilla, the database was accessed by only one person outside the company: the security researcher who reported the issue under Mozilla's web bounty program, which offers $500 to $3,000 in cash rewards for valid security-related bug reports. Nevertheless, Mozilla has deleted the passwords of all affected accounts as a precautionary measure.