Mozilla Foundation Accidentally Discloses Old User Account Database
A database containing 44,000 old and inactive user accounts from addons.mozilla.org was accidentally published, in part, on a public Mozilla server.
addons.mozilla.org is the Firefox add-ons website, where users download add-ons for the Mozilla Firefox browser. Users register there to submit reviews and keep track of their favorite add-ons; developers register to host the add-ons they build for Firefox.
Mozilla recently extended its web bug bounty program to cover security issues in its web applications. On December 17, 2010, a security researcher reported to the foundation that a file containing a database of 44,000 inactive user accounts had been partially published on a publicly accessible Mozilla server. The database contained the inactive accounts together with their old MD5-based password hashes.
Chris Lyon, Director of Infrastructure Security at Mozilla, wrote on the official Mozilla blog: “We were able to account for every download of the database. We have deleted all the 44,000 MD5 passwords and disabled these user accounts until the relevant users reset their password. All new user accounts are not at risk as they use more secure SHA-512 password hashes since April 9, 2009. We believe that this issue poses minimal risks to the users and this incident does not impact any of Mozilla’s infrastructures.”
Still, the mistake exposes a weakness in how the foundation handled old account data: a file of legacy password hashes that should never have been reachable from a public server. Mozilla emailed the affected users with the relevant information on December 27, 2010.
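The two technical points in the story are why a leaked table of MD5 password hashes matters and what the response looked like: wipe the old hashes, disable those accounts until a reset, and keep newer accounts on a salted SHA-512 scheme. The example below is added here to illustrate that; it is not Mozilla's code, and the page does not say how AMO's legacy hashes were built. It assumes the legacy scheme was an unsalted hex MD5 of the password and that the replacement is PBKDF2-HMAC-SHA512 with a random 16-byte salt; the record format, function names, wordlist and user records are all invented for the demonstration.

```python
"""Added example (not Mozilla's code): why a leaked table of unsalted MD5
password hashes is dangerous, and how a site migrates to salted SHA-512
hashing while making the old hashes useless.

Assumptions (not stated on the page): the legacy scheme is a plain, unsalted
hex MD5 of the password; the replacement is PBKDF2-HMAC-SHA512 with a random
16-byte salt, stored in a self-describing string. Names and data are invented.
"""
import hashlib
import hmac
import os

LEGACY_PREFIX = "md5$"
MODERN_PREFIX = "pbkdf2_sha512$"
ITERATIONS = 200_000


def legacy_md5(password):
    """Old scheme: unsalted MD5. Same password -> same hash for every user."""
    return LEGACY_PREFIX + hashlib.md5(password.encode()).hexdigest()


def build_md5_lookup(wordlist):
    """Attacker side: hash a wordlist once, reuse the table against every
    leaked record. This works only because there is no per-user salt."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def crack_legacy(stored, lookup):
    """Recover a password from a legacy record with one dictionary lookup."""
    if not stored or not stored.startswith(LEGACY_PREFIX):
        return None
    return lookup.get(stored[len(LEGACY_PREFIX):])


def hash_modern(password, salt=None, iterations=ITERATIONS):
    """New scheme: salted, iterated SHA-512 via PBKDF2-HMAC. A leaked table
    now costs the attacker `iterations` hashes per guess per user."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return "%s%d$%s$%s" % (MODERN_PREFIX, iterations, salt.hex(), dk.hex())


def verify(stored, password):
    """Check a password against either scheme; digest comparison is constant-time."""
    if stored is None:
        return False  # account disabled pending reset
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(stored, legacy_md5(password))
    if stored.startswith(MODERN_PREFIX):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return False  # unknown format


def login_and_migrate(record, password):
    """On a successful login, re-hash a legacy record under the new scheme.
    A record whose hash was wiped (None) cannot log in and must reset."""
    stored = record["password_hash"]
    if not verify(stored, password):
        return False
    if stored.startswith(LEGACY_PREFIX):
        record["password_hash"] = hash_modern(password)
    return True


def disable_legacy_accounts(users):
    """Incident-response step: wipe every legacy hash so a leaked copy can no
    longer be checked against the live site, forcing a password reset."""
    wiped = 0
    for u in users:
        h = u["password_hash"]
        if h and h.startswith(LEGACY_PREFIX):
            u["password_hash"] = None
            wiped += 1
    return wiped


if __name__ == "__main__":
    # Constructed sample data, not real AMO records.
    users = [{"name": "alice", "password_hash": legacy_md5("hunter2")},
             {"name": "bob", "password_hash": hash_modern("correct horse")}]
    table = build_md5_lookup(["password", "hunter2", "letmein"])
    print("alice cracked via lookup:", crack_legacy(users[0]["password_hash"], table))
    print("bob cracked via lookup:", crack_legacy(users[1]["password_hash"], table))
    print("legacy hashes wiped:", disable_legacy_accounts(users))
    print("alice can log in after wipe:", login_and_migrate(users[0], "hunter2"))
```

The migrate-on-login path is the gentle alternative to a wipe: it upgrades each legacy record the next time its owner authenticates. After a leak, though, the old hashes are already in an attacker's hands, so the stronger move is the one Mozilla describes: delete them and force a reset, which is what `disable_legacy_accounts` does.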