Dec 28, 2010 13:23 GMT

Mozilla has alerted 44,000 addons.mozilla.org (AMO) users that their account information might have been exposed after a sensitive file was left in a publicly accessible location on one of its servers.

In its notification letter, Mozilla explained that the file in question was a partial representation of the AMO user database and said that it learned of its presence from a third-party individual.

The file contained email addresses, full names and MD5 password hashes; MD5 hashes are considered insecure for storing passwords.

Because of this, all affected passwords have been removed and users will have to use the password recovery function on the website to regain access to their accounts.

More details were revealed on the Mozilla Security Blog by Chris Lyon, the organization's director of infrastructure security, who noted that the issue was reported through the new Web bug bounty program.

He also said that the total number of affected accounts was 44,000 and that all of them have been inactive for a long time, hence the presence of the MD5 hashes.

"SHA-512 and per user salts has been the standard storage method of password hashes for all active users since April 9th, 2009," Mr. Lyon explained.

The impact of this incident is further restricted by the fact that only the third-party reporter and Mozilla staff ever accessed the file, which was uploaded to the server accidentally.

The organization said it has taken steps to ensure that such inadvertent leaks don't happen again and is analyzing methods to better secure information.

Users who don't use or plan to use their AMO accounts don't have to set a new password; however, those accounts will remain disabled.

Nevertheless, people are advised to change the password on all other websites where they also used it, just to be on the safe side.

"It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla’s infrastructure," Mr. Lyon concluded.