Mozilla has disabled 44,000 older user accounts for its Firefox add-ons site after a security researcher found part of a database of the account information on a publicly available server.
The file had passwords obscured with the now-obsolete MD5 hashing algorithm, which has been rendered cryptographically weak and which Mozilla scrapped for the more robust SHA-512 algorithm as of April 9, 2009. The older database didn't end up anywhere dangerous, Mozilla believes.
"We were able to account for every download of the database. This issue posed minimal risk to users; however, as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure," said Chris Lyon, Mozilla's director of infrastructure security, in a blog post about the database exposure yesterday.
Mozilla notified affected users of the problem by e-mail yesterday, it said. "Current addons.mozilla.org users and accounts are not at risk," Lyon said.
Password security has become a more prominent concern after a hack of Gawker blog sites earlier this month. Even with passwords obscured by strong hash algorithms, user names can be valuable in further hack attempts, especially when people reuse the same password on multiple sites.
"Unique passwords are a requirement, not a luxury," said Chester Wisniewski of security firm Sophos in a blog post about the event.