Filed under: Data loss, Privacy. Notice: I have made some edits for accuracy based on input from my colleagues and commenters.
First, the bad news. On Monday, Mozilla, the developer of popular open source applications like Firefox and Thunderbird, announced that a database containing usernames and password hashes belonging to users of addons.mozilla.org had been accidentally posted publicly. If you registered for an account on addons.mozilla.org and you are among the 44,000 users who may have been affected by this accidental disclosure, you should already have received an email notification from the Mozilla security team.
Is this just another tale of data leakage in a sea of lost usernames and passwords? Not quite. Mozilla stored passwords set before April 9th, 2009 as MD5 hashes. Although MD5 can be used to securely store passwords, it is unclear how MD5 was used in the Mozilla infrastructure. Fortunately, Mozilla did not store passwords in plain text.
The good news? Mozilla audited their logs and determined that the only person outside of Mozilla who accessed the content was the person who disclosed the accidental publication to them through their web bounty program. Mozilla has deleted the passwords of all 44,000 accounts that were stored in MD5 format from the addons site, regardless of whether they were exposed or not.
Newly created passwords will not be as vulnerable to a similar disclosure. Since April 9, 2009, Mozilla has used SHA-512 with per-user salts to store password hashes. This hashing scheme provides a significant improvement in security for addons.mozilla.org account holders.
If you were among the unlucky recipients of one of these emails, make sure you were not using the same password at Mozilla as at other websites. Although Mozilla is quite confident that no one apart from the person who reported the incident had access to the file, if they are wrong or the discloser is not trustworthy, your other accounts may be at risk. Remember, unique passwords are a requirement, not a luxury.
I commend Mozilla for their response to this incident, but it does leave several questions we need to consider. How did they accidentally publish files containing usernames and password hashes? I asked the security team and was referred to a blog post explaining their response.
Mozilla made the right decision in 2009 to begin using a more secure method (SHA-512 with per-user salts) going forward, but in hindsight might have prompted all of their users to migrate to the more secure hash before this incident.
This is interesting, and probably even important, but it still does not excuse or explain how the account details were compromised in the first place. Account databases, even those containing strongly salted and hashed passwords, are not meant to be world readable.
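To make the two points above concrete (why per-user salts matter, and what "prompting users to migrate to the more secure hash" could have looked like), here is an added example. It is not Mozilla's code and it does not reflect the real addons.mozilla.org schema, which the post does not describe; the record layout, the salt length of 16 bytes, and the salt-then-password concatenation order are assumptions made for illustration. It stores a legacy unsalted MD5 record alongside a salted SHA-512 record, verifies either, and transparently rewrites a legacy record into the salted format the next time the user logs in with the correct password.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class PasswordRecord:
    """Constructed in-memory user record; the real schema is not known to this example."""
    algorithm: str          # "md5" (legacy, unsalted) or "sha512" (per-user salt)
    salt: Optional[bytes]   # None for legacy records
    digest: bytes


def hash_legacy_md5(password: str) -> PasswordRecord:
    """Unsalted MD5, standing in for the pre-April-2009 scheme the post describes.
    Every user with the same password gets the same digest, so one leaked table
    exposes shared passwords at a glance. Kept only as the migration source."""
    return PasswordRecord("md5", None, hashlib.md5(password.encode("utf-8")).digest())


def hash_salted_sha512(password: str, salt: Optional[bytes] = None) -> PasswordRecord:
    """SHA-512 over a random per-user salt followed by the password (the post-2009
    scheme). The 16-byte salt and the concatenation order are assumptions."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return PasswordRecord("sha512", salt, digest)


def verify(password: str, rec: PasswordRecord) -> bool:
    """Recompute the digest for whichever scheme the record uses and compare in
    constant time, so timing does not leak how many leading bytes matched."""
    if rec.algorithm == "md5":
        candidate = hash_legacy_md5(password).digest
    elif rec.algorithm == "sha512":
        candidate = hash_salted_sha512(password, rec.salt).digest
    else:
        return False
    return hmac.compare_digest(candidate, rec.digest)


def verify_and_upgrade(password: str, rec: PasswordRecord) -> Tuple[bool, PasswordRecord]:
    """Login-time migration: the plaintext password is only available while the
    user is authenticating, so that is the moment to replace a legacy MD5 record
    with a salted SHA-512 one. Returns (authenticated, record_to_store)."""
    if not verify(password, rec):
        return False, rec
    if rec.algorithm == "md5":
        return True, hash_salted_sha512(password)
    return True, rec


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    alice = hash_legacy_md5("correct horse battery")
    bob = hash_legacy_md5("correct horse battery")
    print("unsalted MD5 digests identical:", alice.digest == bob.digest)

    ok, alice_new = verify_and_upgrade("correct horse battery", alice)
    ok2, bob_new = verify_and_upgrade("correct horse battery", bob)
    print("both logins accepted:", ok and ok2)
    print("salted SHA-512 digests identical:", alice_new.digest == bob_new.digest)
```

The verification path works for both record types, so a site can flip every remaining legacy record over time without a forced reset, and can measure the tail of unmigrated accounts and prompt or expire them. By today's standards a purpose-built slow password hash (bcrypt, scrypt or Argon2) would replace plain salted SHA-512; the structure of the upgrade-on-login step is the same.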
Oh, and if you do receive an email warning you that your password may have been compromised, whether from Mozilla or anyone else, do not click on any links in the email to go and update your password. That is a scammer's trick. Always remember to make your own way to the relevant password-change page.
Creative Commons image of Jacob Appelbaum's (<-- It's safe to bypass this warning, promise!) t-shirt from 25C3 courtesy of Security4All's Flickr photostream.