On December 17, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server.
“The database included 44,000 inactive accounts using older, md5-based password hashes,” Mozilla’s Director of Infrastructure Security Chris Lyon said. “We erased all the md5-passwords, rendering the accounts disabled.”
All current accounts use a SHA-512 password hash with per-user salts. Lyon said, “Current addons.mozilla.org users and accounts are not at risk.”
InternetNews.com’s Sean Michael Kerner said that what this proves is how critical it is for organizations to properly manage user data, which Mozilla did not do here. It also shows how important it is for organizations to encrypt passwords, which Mozilla has been doing since April 9, 2009 by using SHA-512 with proper salts.
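The two storage schemes contrasted above differ in practice in one way that matters for a leaked database: an unsalted MD5 digest can be matched against a precomputed table once and reused against every account, while a per-user salt forces the attacker to start over for each account and hides which users share a password. The following example, added here and not taken from Mozilla's code or from the article, shows that attack against constructed legacy records, a salted SHA-512 store, and the remediation the article describes (erasing the MD5 hashes so those accounts can no longer log in). The record layout, usernames and passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample records for this example (not Mozilla data). Legacy rows
# hold a bare, unsalted MD5 hex digest; current rows use a "sha512$salt$hash"
# layout, which is an assumption here, not addons.mozilla.org's real schema.
LEGACY_ACCOUNTS = {
    "alice_old": hashlib.md5(b"hunter2").hexdigest(),
    "bob_old": hashlib.md5(b"hunter2").hexdigest(),
    "carol_old": hashlib.md5(b"correct horse").hexdigest(),
}
# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = [b"123456", b"hunter2", b"letmein"]


def md5_lookup_attack(accounts, wordlist):
    """Crack unsalted MD5 rows with one precomputed table.

    With no salt, hashing each candidate word once is enough to test it
    against every account, and accounts that share a password are visible
    as identical digests before any guess succeeds. Returns the recovered
    username -> password mapping.
    """
    table = {hashlib.md5(word).hexdigest(): word for word in wordlist}
    return {user: table[digest] for user, digest in accounts.items() if digest in table}


def hash_password(password, salt=None):
    """Per-user salted SHA-512, encoded as 'sha512$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt per user means the same password never
    produces the same stored value twice and a table built for one account
    is useless against any other.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(salt + password).hexdigest()
    return f"sha512${salt.hex()}${digest}"


def verify_password(stored, password):
    """Verify only against the current scheme; disabled or legacy rows never match."""
    if stored is None or not stored.startswith("sha512$"):
        return False
    _, salt_hex, digest = stored.split("$")
    expected = hashlib.sha512(bytes.fromhex(salt_hex) + password).hexdigest()
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(expected, digest)


def is_legacy_md5(stored):
    """A bare 32-character hex string is the legacy unsalted MD5 format used above."""
    return stored is not None and len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def disable_legacy_accounts(accounts):
    """Erase every MD5 row in place so those accounts cannot authenticate until reset.

    This mirrors the remediation described in the article: the weak hashes are
    removed rather than re-hashed, because the plaintext is not available to
    re-hash and the old digests must not remain on disk. Returns the count.
    """
    disabled = 0
    for user, stored in accounts.items():
        if is_legacy_md5(stored):
            accounts[user] = None
            disabled += 1
    return disabled


if __name__ == "__main__":
    print("cracked from legacy MD5:", md5_lookup_attack(LEGACY_ACCOUNTS, WORDLIST))
    store = dict(LEGACY_ACCOUNTS)
    store["dave"] = hash_password(b"hunter2")
    store["erin"] = hash_password(b"hunter2")
    print("same password, different rows:", store["dave"] != store["erin"])
    print("disabled legacy accounts:", disable_legacy_accounts(store))
    print("dave still logs in:", verify_password(store["dave"], b"hunter2"))
    print("alice_old still logs in:", verify_password(store["alice_old"], b"hunter2"))
```

Running it recovers "alice_old" and "bob_old" from a three-word list in one pass while "carol_old" survives only because her password is not in the list, and the two salted rows for "dave" and "erin" differ even though the password is the same. One caveat the article does not raise: a per-user salt defeats precomputation and cross-account matching, but SHA-512 is still a fast hash, so an attacker with the leaked rows can still try many guesses per second against each account; current guidance is to put a deliberate work factor in front of the password (PBKDF2, bcrypt, scrypt or Argon2) in addition to the salt.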