Open source company Mozilla, better known for its Firefox browser, accidentally exposed 44,000 inactive user accounts belonging to addons.mozilla.org on its public server.
The company was notified about the error by a security researcher under its web bounty program and has disabled those inactive accounts for good measure.
Mozilla said it was able to account for every download of the password database and that the exposure posed no security risk to users, as the passwords belonged to inactive accounts.
In a blog post, Chris Lyon, the director of infrastructure security at Mozilla, explained: “The database included 44,000 inactive accounts using older, md5-based password hashes. We erased all the md5-passwords, rendering the accounts disabled.”
“All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts,” he added. Mozilla also said that users whose accounts had been exposed have been notified via email.
The company also said that current add-on account holders were not at risk from the password leak and that the incident has not impacted Mozilla in any way.