Mozilla users' data was open to access
A database holding the registration information of 44,000 users of Mozilla's Add-Ons server was found to have been exposed for download. Mozilla says that a security researcher, reporting through Mozilla's Web Bounty Program, informed it in mid-December that the database was publicly visible.
All downloads were accounted for by Mozilla, with the only external access being that by the security researcher. According to Mozilla, the "issue posed minimal risk to users". Yesterday, Mozilla also contacted all affected users by email to explain the situation. According to the email, the file in question was placed on the server by mistake and contained the email address and first/last names of users along with an MD5 hash of the user's password.
Users who were listed in the file have had their passwords deleted and will need to go to the addons site and click "Forgot Password" to generate a new password. The database only contained data for inactive users of the addons.mozilla.org site; active users of the site were unaffected.
Mozilla had stopped using the obsolete MD5 hashing algorithm in April 2009; since then it has stored passwords as SHA-512 hashes, salted with an additional random number. The Web Bounty Program was launched earlier in December and rewards researchers for finding vulnerabilities in the Foundation's various websites and services.
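The difference between the two schemes the article mentions, as an added illustration (not Mozilla's code): unsalted MD5 maps equal passwords to equal hashes, so a leaked file reveals which accounts share a password and can be matched against precomputed tables, while a per-user random salt makes each stored value unique. The 16-byte salt length and the `salt$hash` record layout are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample data: two inactive accounts that happen to share a password.
USERS = {
    "alice@example.invalid": "correcthorse",
    "bob@example.invalid": "correcthorse",
}


def md5_unsalted(password: str) -> str:
    """Pre-April-2009 style record described in the article: MD5 over the password alone."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_salted_sha512(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-512 record. Salt size and 'salt$hash' layout are assumptions, not Mozilla's format."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per stored password
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted_sha512(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = record.split("$", 1)
    candidate = hash_salted_sha512(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def duplicate_hash_groups(records: Dict[str, str]) -> int:
    """Number of stored values shared by more than one user.

    With unsalted MD5, users with the same password are exposed as identical hashes;
    with per-user salts the same passwords produce distinct records.
    """
    counts: Dict[str, int] = {}
    for value in records.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


if __name__ == "__main__":
    md5_records = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted_records = {u: hash_salted_sha512(p) for u, p in USERS.items()}
    print("shared hashes, unsalted MD5:", duplicate_hash_groups(md5_records))      # 1
    print("shared hashes, salted SHA-512:", duplicate_hash_groups(salted_records))  # 0
```

Salting removes the cross-user and precomputed-table problems but SHA-512 is still a fast hash; a deliberately slow password hashing function is the usual recommendation for new systems.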