Mozilla Addresses The Leak Of User Information
(The Hosting News) – On December 17th, Mozilla received an email from a third party notifying the company that a file containing user records had been posted to a public web server. The file listed users’ email addresses, first and last names, and MD5 password hashes.
The company replied through an email, stating, “We immediately took the file off the server and investigated all downloads. We have identified all the downloads and with the exception of the third party who reported the issue, the file has been downloaded only by Mozilla staff.”
Since then, the company has removed the passwords from its site and is asking users to reset their passwords for all content used through Mozilla. “We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future. We are also evaluating other processes to ensure your information is safe and secure,” the email declared.
Chris Lyon, Director of Infrastructure Security at Mozilla, said in a blog post on December 27th that the file included 44,000 inactive accounts using older MD5 password hashes. The company erased the MD5 passwords, leaving the accounts inactive. Lyon also stressed that current users employ a more secure SHA-512 password hash and therefore are “not at risk.”
Chester Wisniewski, Senior Security Advisor at Sophos Canada, commented on “the problems with MD5 password hashes”: “MD5 has cryptographic weaknesses that permit creation of the same hash from multiple strings. This permits security experts to compute all the possible hashes and determine either your password or another string that will work even if it is not your password.” Wisniewski commended Mozilla’s response to the incident but questioned how the company accidentally published this information to begin with and why MD5 password hashes were still in the system.
“If you are a web site administrator or developer, are you still storing passwords using methods like Gawker (DES) or Mozilla (MD5)? We know they are broken, and it is important to migrate away from these algorithms in case you have a database accidentally make its way outside of your organization,” Wisniewski summarized.
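The migration Wisniewski recommends can be done without knowing users' plaintext passwords. The sketch below is an added example, not code from Mozilla or the article: it re-hashes each legacy MD5 record on the user's next successful login and erases the MD5 hashes of accounts that never return, as the article says Mozilla did for its inactive accounts. The record format, function names and the choice of PBKDF2-HMAC-SHA256 (rather than the SHA-512 scheme the article mentions) are assumptions of this example.

```python
import hashlib
import hmac
import os

PREFIX = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumption: tune to your own hardware and latency budget

def legacy_md5(password: str) -> str:
    """Unsalted MD5 hex digest, the legacy format being retired."""
    return hashlib.md5(password.encode()).hexdigest()

def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Build a salted PBKDF2 record: prefix$iterations$salt_hex$key_hex."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PREFIX}${iterations}${salt.hex()}${key.hex()}"

def verify_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Check a login; a correct password on an MD5 record re-hashes it in place."""
    record = store.get(user)
    if not record:                      # unknown user, or hash erased pending reset
        return False
    if record.startswith(PREFIX + "$"):
        _, iters, salt_hex, key_hex = record.split("$")
        key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(key.hex(), key_hex)
    if hmac.compare_digest(legacy_md5(password), record):
        store[user] = make_record(password)   # MD5 digest is overwritten
        return True
    return False

def expire_legacy(store: dict) -> list:
    """Erase MD5 hashes of users who never logged in again; they must reset."""
    stale = [u for u, r in store.items() if r and not r.startswith(PREFIX + "$")]
    for user in stale:
        store[user] = None
    return stale

def demo_store() -> dict:
    """Constructed sample data: two accounts still holding MD5 digests."""
    return {"alice": legacy_md5("correct horse"), "bob": legacy_md5("hunter2")}

if __name__ == "__main__":
    users = demo_store()
    print(verify_and_upgrade(users, "alice", "correct horse"), users["alice"][:20])
    print(expire_legacy(users), users["bob"])
```

Run `expire_legacy` once the migration window closes, so that no unsalted MD5 digest remains in the table if the database later leaves the organization.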