Around 97,000 early testers of the Bugzilla bug tracking software have been warned that their email addresses and encrypted passwords were exposed for three months.
The accidental exposure is the second disclosed by the Mozilla Foundation this month – on 1 August, the organisation revealed that around 76,000 Mozilla Developer Network email addresses and 4,000 hashed and salted passwords had been left on a public-facing server for 30 days.
The new breach started during a server migration, Mark Cote, assistant project lead for Bugzilla, explained.
One of our developers discovered that, starting on about May 4th, 2014, for a period of around 3 months, during the migration of our testing server for test builds of the Bugzilla software, database dump files containing email addresses and encrypted passwords of roughly 97,000 users of the test build were posted on a publicly accessible server. As soon as we became aware, the database dump files were removed from the server immediately, and we’ve modified the testing process to not require database dumps.
We do not know whether or not the leaked database dumps have been picked up by anyone with ill-intent, or whether the passwords were hashed and salted, but Mozilla said it would like to think that developers who use test builds are aware of their insecure nature.
That said, passwords do still get reused. For that reason Mozilla has contacted everyone who is affected by the leak, urging them to change their passwords if they have used them for other additional sites or accounts.
So, if you use the Bugzilla tracking software, you need to change your password right now. And even if you don’t, you can still learn from this incident by ensuring that you don’t use the same password more than once.
We suggest using long non-dictionary passwords made up from a combination of upper and lower case letters, numbers and symbols.
If you have a tough time remembering all your complex passwords you may want to consider using a password manager such as LastPass or KeePass.
Meanwhile Mozilla, which is no stranger to leaking passwords, said it is “deeply sorry for any inconvenience or concern this incident may cause” and is undertaking a review of its data practices in the hope that it will minimize the likelihood of such incidents happening again in the future.