May 17, 2020

Security Breach at Mozilla.Org

A database of user accounts was available to public. Chris Lyon, the director of infrastructure security at Mozilla has disclosed a security breach that revealed the user accounts.

According to a post at Mozilla Security Blog, “On December 17th, Mozilla was notified by a security researcher that a partial database of user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.”.

Apparently, the database included 44,000 inactive accounts using older, md5-based password hashes. Mozilla has erased all the md5-passwords, rendering the accounts disabled. All current accounts use a more secure SHA-512 password hash with per-user salts.

“It is important to note that current users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla’s infrastructure.”, said Mr. Lyon, Mozilla’s Director of Infrastructure Security.

NASA Security Breach: NASA sells PC with restricted Space Shuttle data

NASA did not wipe sensitive agency data from computers before selling them to the public.

Kennedy Space Center in Florida – one of four NASA sites with reported weaknesses in the disposition process – cleared the release of 14 computers to the public that had failed tests to verify data had been destroyed, the report found. Of the four that remained in NASA’s possession, one contained Space Shuttle related data that was subject to export control by the International Traffic in Arms Regulations. The audit, prepared by NASA’s Inspector General, covered a 12-month period starting in June 2009.”, stated in the report published by The Register.