Mozilla exposes older user-account database

Security researcher finds partial database of user-account information on a public server. There was "minimal risk" to users, Mozilla believes.

Mozilla has disabled 44,000 older user accounts for its Firefox add-ons site after a security researcher found part of a database of the account information on a publicly available server.

The file had passwords obscured with the now-obsolete MD5 hashing algorithm, which has been rendered cryptographically weak and which Mozilla scrapped for the more robust SHA-512 algorithm as of April 9, 2009. The older database didn't end up anywhere dangerous, Mozilla believes.

"We were able to account for every download of the database. This issue posed minimal risk to users, however, as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure," said Chris Lyon, Mozilla's director of infrastructure security, in a blog post about the database exposure yesterday.

Mozilla notified affected users of the problem by e-mail yesterday, it said. "Current addons.mozilla.org users and accounts are not at risk," Lyon said.

Password security has become a more prominent concern after a hack of Gawker blog sites earlier this month. Even with passwords obscured by strong hash algorithms, user names can be valuable in further hack attempts, especially when people reuse the same password on multiple sites.

"Unique passwords are a requirement, not a luxury," said Chester Wisniewski of security firm Sophos in a blog post about the event.

About the author

Stephen Shankland has been a reporter at CNET since 1998 and covers browsers, Web development, digital photography and new technology. In the past he has been CNET's beat reporter for Google, Yahoo, Linux, open-source software, servers and supercomputers. He has a soft spot in his heart for standards groups and I/O interfaces.

 
