Landfill.bugzilla.org Disclosure

UPDATE: We have reset all passwords on all Landfill test Bugzilla systems. All users will be required to set a new password the next time they access the test Bugzilla systems.

One of our developers discovered that, starting on about May 4th, 2014, for a period of around 3 months, during the migration of our testing server for test builds of the Bugzilla software, database dump files containing email addresses and encrypted passwords of roughly 97,000 users of the test build were posted on a publicly accessible server.  As soon as we became aware, the database dump files were removed from the server immediately, and we’ve modified the testing process to not require database dumps.

Generally, developers who use our test builds have told us they understand that these builds are insecure and may break, so they do not use passwords they would reuse elsewhere.  However, because it is possible that some users could have reused their passwords on other websites or authentication systems, we’ve sent notices to the users who were affected by this disclosure and recommended that they change any similar passwords they may be using. It’s important to note that, unless users reused the password they used on landfill.bugzilla.org, this does not affect bugzilla.mozilla.org email addresses or passwords.

We are deeply sorry for any inconvenience or concern this incident may cause you.

Thanks,

Mark Côté

Assistant Project Lead, Bugzilla

34 Responses to “Landfill.bugzilla.org Disclosure”


  1. Frédéric Buclin, August 30, 2014 at 8:07 am

    You should specify that since Bugzilla 3.4, released in 2009, Bugzilla uses SHA-256 + salt to hash passwords. This would answer a question which appeared pretty often in various blogs.

