Chris Lyon, the Mozilla director of infrastructure security, says (via CW) 44,000 inactive user accounts "for the addons.mozilla.org site were inadvertently placed on a public-facing Web server."
While noting that the "exposure posed minimal risk to users," Lyon says the company has erased all the passwords, which were encrypted anyway, and accounted for all downloads of the database.
All current users of addons.mozilla.org needn't worry as Mozilla upgraded its database and procedure for encrypting passwords in April of last year.
Security officials for the organization were notified of the leak on December 17th through the bounty program, which pays out up to $3000 to volunteers who submit security-related vulnerabilities, bugs and exploits.
All account holders in the leaked database were notified on December 27th.
Written by: Andre Yoskowitz @ 29 Dec 2010 23:24