Data stays on publicly accessible server for three months
Mozilla disclosed on Wednesday that email addresses and passwords of 97,000 users of a Bugzilla test build were publicly accessible for a period of three months. The database dump containing the private information became publicly accessible on May 4, during the migration of the testing server for Bugzilla test builds. Bugzilla is one of the community projects supported by the Mozilla Foundation.
“As soon as we became aware, the database dump files were removed from the server immediately, and we’ve modified the testing process to not require database dumps,” says Mark Cote, assistant project lead at Bugzilla.
Only the email addresses risked exposure because the passwords had been stored securely, in an encrypted form.
The developers using the test versions of the bug tracking software used by Mozilla were aware of possible security issues, and it is very likely that they did not reuse the passwords elsewhere. Even if this assumption holds, notifications have been sent to the affected individuals with the recommendation to change any similar passwords, where applicable.
Users of bugzilla.mozilla.org have not been affected by the incident.
At the beginning of the month, Mozilla announced a similar incident, where email addresses and passwords of 76,000 members of the Development Network reached a publicly available location.
The information persisted on the server for a period of 30 days and the passwords were protected through encryption.
As a security measure, all passwords on Landfill test Bugzilla systems have now been reset, and users have to set new ones when they access the systems.