Attacker used compromised Bugzilla account to obtain details on Firefox flaws

In a blog post on Friday, Mozilla said that someone compromised an account on Bugzilla, used that access to obtain security-sensitive information, and then used that information to attack Firefox users.

Mozilla says that the user whose Bugzilla account was compromised had reused their password on other domains.

“The account that the attacker broke into was shut down shortly after Mozilla discovered that it had been compromised. We believe that the attacker used information from Bugzilla to exploit the vulnerability we patched on August 6.

“We have no indication that any other information obtained by the attacker has been used against Firefox users. The version of Firefox released on August 27 fixed all of the vulnerabilities that the attacker learned about and could have used to harm Firefox users,” Mozilla wrote.

In an FAQ on the incident, Mozilla says that information uncovered by their internal investigation suggests that the compromised Bugzilla user used their account password on multiple websites.

As it turns out, that shared password was leaked during an unrelated data breach and used to target Mozilla’s bug tracker. The earliest confirmed instance of the attacker’s access to Bugzilla dates back to September 2014, but some indicators show September 2013, Mozilla said.

“We are updating Bugzilla’s security practices to reduce the risk of future attacks of this type. As an immediate first step, all users with access to security-sensitive information have been required to change their passwords and use two-factor authentication.

“We are reducing the number of users with privileged access and limiting what each privileged user can do. In other words, we are making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in,” Mozilla’s post continued.