Mozilla, the developer best known for its Firefox web browser, has inadvertently leaked the identities of tens of thousands of users in an accidental data loss incident which could damage the reputation of this well-liked firm.
A database containing more than 44,000 usernames and passwords was distributed and made freely available online. Since the incident, Mozilla has emailed those affected in order to alert them to the leak and explain the steps which are being taken to neutralise the problem.
Security experts from Sophos identified that the leak was able to take place since Mozilla employed a policy of storing password data as MD5 hashes prior to April of last year. This is seen as a security flaw, as any determined hacker could extract these passwords with relative ease. Although Mozilla has since started using a more secure alternative, these older stored IDs were at risk.
Mozilla has been transparent about the events that led to the data loss and the problems which it now faces in securing user trust after this breach of privacy.
Mozilla’s Chris Lyon published an explanatory blog post, in which he said that the firm had been made aware of the data loss on the 17th of December. It learned that an incomplete database of user details had been left exposed on a public server.
Since it controlled the server, Mozilla was able to identify those who had downloaded the database and believes as a result that users are unlikely to be in any immediate danger following the leak. However, Mr Lyon said that Mozilla wanted to come clean and notify all customers in order to avoid creating any animosity.
Mr Lyon said that all of the 44,000 user IDs were no longer active and that Mozilla was quick to delete the passwords, so that any access to the accounts would be impossible, as they are effectively disabled.
Experts believe that a precautionary password change by affected users would be sensible, even if Mozilla is confident that the threat has been neutralised.
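
An added example, not Mozilla's code: one way a site can retire legacy MD5 password records like those described above, upgrading each to a salted, deliberately slow hash at the next successful login and deleting the stored hash of inactive accounts. The record format, the field names and the choice of scrypt are assumptions; the article does not name the scheme Mozilla moved to.

```python
import hashlib, hmac, os, re

# Assumed formats (hypothetical, not Mozilla's schema):
#   legacy  = 32 hex chars, plain MD5 of the password
#   current = "scrypt$<salt hex>$<digest hex>"
LEGACY_MD5 = re.compile(r"[0-9a-f]{32}")

def is_legacy(stored):
    return LEGACY_MD5.fullmatch(stored) is not None

def hash_scrypt(password, salt=None):
    salt = salt or os.urandom(16)  # fresh per-user salt unless re-deriving
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify(password, stored):
    if is_legacy(stored):
        candidate = hashlib.md5(password.encode()).hexdigest()
    else:
        salt_hex = stored.split("$")[1]
        candidate = hash_scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)  # constant-time compare

def login(users, name, password):
    """Check a password; on success, replace a legacy MD5 record."""
    rec = users.get(name)
    if rec is None or rec["hash"] is None or not verify(password, rec["hash"]):
        return False
    if is_legacy(rec["hash"]):
        rec["hash"] = hash_scrypt(password)  # the MD5 value is discarded
    return True

def purge_inactive_legacy(users):
    """Delete legacy hashes of inactive accounts, which will not log in to be upgraded."""
    purged = []
    for name, rec in users.items():
        if rec["hash"] and not rec["active"] and is_legacy(rec["hash"]):
            rec["hash"] = None  # account now needs a password reset
            purged.append(name)
    return sorted(purged)

# Constructed sample records
USERS = {
    "alice": {"hash": hashlib.md5(b"correct horse").hexdigest(), "active": True},
    "bob": {"hash": hashlib.md5(b"hunter2").hexdigest(), "active": False},
    "carol": {"hash": hash_scrypt("s3cret-phrase"), "active": True},
}
```
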