Mozilla inadvertently publishes thousands of user IDs

Mozilla accidentally publishes details on 44,000 user accounts

Firefox developer Mozilla has revealed this week that a database containing usernames and password hashes belonging to thousands of users of addons.mozilla.org had been posted publicly by accident.

44,000 user IDs and password hashes were revealed in the accidental disclosure. Mozilla's security team has already contacted all those potentially affected via email.

The weakness of the MD5 hash

Sophos explains that Mozilla stored passwords set before April 9th, 2009 as MD5 hashes, which have cryptographic weaknesses that could still allow security experts to determine your password and access your account.

Since April 9, 2009, Mozilla has used the far more secure SHA-512 with per-user salts to store password hashes.
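The difference between the two storage schemes, and one way to move accounts from the old one to the new, is sketched below. This is an added example, not Mozilla's code: the record layout, function names and sample accounts are assumptions made for illustration.

```python
import hashlib, hmac, os

# Record layout is an assumption for this example: {"scheme", "salt", "hash"}.

def md5_record(password):
    """Legacy scheme: unsalted MD5, identical for every user with this password."""
    return {"scheme": "md5", "salt": b"", "hash": hashlib.md5(password.encode()).hexdigest()}

def sha512_record(password, salt=None):
    """Newer scheme: SHA-512 over a random per-user salt plus the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return {"scheme": "sha512", "salt": salt, "hash": digest}

def verify(record, password):
    """Check a password against a record; disabled records never match."""
    if record["scheme"] == "md5":
        candidate = md5_record(password)["hash"]
    elif record["scheme"] == "sha512":
        candidate = sha512_record(password, record["salt"])["hash"]
    else:
        return False
    return hmac.compare_digest(candidate, record["hash"])

def login(db, user, password):
    """Verify, and on success replace a legacy MD5 record with a salted one."""
    record = db.get(user)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == "md5":
        db[user] = sha512_record(password)
    return True

def disable_legacy(db):
    """Erase MD5 hashes that were never upgraded; returns the affected users."""
    affected = [u for u, r in db.items() if r["scheme"] == "md5"]
    for user in affected:
        db[user] = {"scheme": "disabled", "salt": b"", "hash": ""}
    return affected

def shared_hashes(db):
    """Group users whose stored hash is identical (same password visible at rest)."""
    groups = {}
    for user, record in db.items():
        if record["hash"]:
            groups.setdefault(record["hash"], []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

# Constructed sample data: two users share a password, one never logs in again.
SAMPLE_DB = {u: md5_record(p) for u, p in
             [("alice", "correct horse"), ("bob", "correct horse"), ("carol", "tr0ub4dor")]}
```

Salted SHA-512 is still a fast hash; new systems normally use a deliberately slow password KDF such as `hashlib.scrypt` or PBKDF2 in place of `sha512_record`.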

In the spirit of openness, Mozilla has disclosed all the details about the potential privacy breach.

Take care with passwords

Mozilla's Chris Lyon, director of infrastructure security, writes on the Mozilla Security blog:

"On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program.

"We were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.

"The database included 44,000 inactive accounts using older, md5-based password hashes. We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per user salts has been the standard storage method of password hashes for all active users since April 9th, 2009."

Mozilla is confident that no one other than the person who reported the incident had access to the file. However, it would still be wise to change your password if you are one of the 44,000 recipients of the latest email from Mozilla Security.

Better to be safe than sorry, after all!

Via Nakedsecurity.sophos.com and the Mozilla Security Blog

Adam Hartley