The email addresses and encrypted passwords of nearly 100,000 users of Mozilla’s Bugzilla system were left on a publicly accessible server for several months earlier this year, the company said. The disclosure comes just a few weeks after Mozilla advised members of its Mozilla Developer Network to change their passwords because of a similar incident.
On Wednesday, officials at Bugzilla, a bug-tracking system that Mozilla supports, said that the email addresses and encrypted passwords belonging to 97,000 of its users had been discovered sitting on a publicly accessible server. The data had been on the server since early May and was discovered several months later, officials said.
“One of our developers discovered that, starting on about May 4th, 2014, for a period of around 3 months, during the migration of our testing server for test builds of the Bugzilla software, database dump files containing email addresses and encrypted passwords of roughly 97,000 users of the test build were posted on a publicly accessible server. As soon as we became aware, the database dump files were removed from the server immediately, and we’ve modified the testing process to not require database dumps,” Mark Côté, an assistant project lead at Bugzilla, said in a blog post.
Bugzilla is a bug-tracking software system that’s used by developers in thousands of organizations. Landfill is the test server implementation of Bugzilla. Officials said that this latest incident didn’t affect any users of bugzilla.mozilla.org. Mozilla officials in the wake of the MDN incident in early August said that the organization was starting a new initiative that is designed to improve the way data is handled.
“We have kicked off a larger project to better our practices around data, including with respect to the various non-Mozilla projects we support. We are implementing immediate fixes for any discovered issues across the organization, and are requiring each business unit to perform a review of their data practices and, if necessary, to implement additional protections based on that review,” Joe Stevensen, operations security manager at Mozilla, wrote in a post.
“While it is important to note that the disclosure of this development database does not affect bugzilla.mozilla.org, we continue to believe that the broader community would benefit from our increased focus on data practices and therefore will continue with our plan of including the Bugzilla project as well as other community projects in the data practices initiatives we’ve described above.”
The Bugzilla team has reset all of the passwords associated with the Landfill accounts involved in the disclosure.