Email addresses and encrypted passwords of around 97,000 users who tested early builds of the Bugzilla bug tracking software were left exposed for three months following a server migration.
The new data security breach resulted from database dump files being left in an unprotected location on a server for around three months beginning May 4th. The files had been generated during the migration of a testing server for early builds of the bug tracking software, according to Mark Côté, the Bugzilla project’s assistant lead.
Users of bugzilla.mozilla.org, the official Mozilla bug tracker website, which is based on the Bugzilla platform, are not affected by this incident if they didn’t also have accounts on the Bugzilla testing server and didn’t use the same password in both places.
Following the information disclosure on the Mozilla Developer Network, “we began several remediation measures, including a review of data practices surrounding user data,” said Joe Stevensen, operations security manager at Mozilla. “We have kicked off a larger project to better our practices around data, including with respect to the various non-Mozilla projects we support. We are implementing immediate fixes for any discovered issues across the organization, and are requiring each business unit to perform a review of their data practices and, if necessary, to implement additional protections based on that review.”