As a regular user of the open source Mozilla Firefox addons.mozilla.org site for browser extensions, I was somewhat alarmed to see a report that user password and registration information may have been publicly leaked.
As it turns out, the risk is minimal, but it could have been worse — a lot worse.
Chris Lyon, director of infrastructure security at Mozilla, blogged that a database containing 44,000 addons.mozilla.org user accounts was mistakenly left on a public server. According to Lyon, the user accounts were apparently all inactive and were using MD5-based password hashes.
“We erased all the md5-passwords, rendering the accounts disabled,” Lyon wrote. “All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts.”
Lyon goes on to note that currently active addons.mozilla.org users (like me) are not at risk (phew!).