How to: Post a Data Breach Disclosure

Mozilla recently disclosed a leak in their system.

... email addresses of about 76,000 users and encrypted passwords of about 4,000 users [were visible] on a publicly accessible server ... The encrypted passwords were salted hashes and they by themselves cannot be used to authenticate with the MDN website today ... We’ve sent notices to the users who were affected.

Their prompt response and the fact that they adhere to best practices make it almost acceptable that the breach happened in the first place. In addition, the email notices Mozilla sent out included an indication of whether the user's password was leaked.

Your email address (but not password) was posted on that server for that 30 day time period.

I applaud Mozilla for making such a prompt and responsible disclosure, especially when the implications of such a breach are orders of magnitude less severe than breaches such as the PlayStation network outage, in which Sony fumbled their response and created massive confusion regarding their data integrity and security practices.

Mozilla arguably could have done nothing in light of this breach. There is no reason to believe that the data breach resulted in their users' privacy being compromised. Mozilla most likely has access logs on that public server, and if they are empty it is likely that nobody found the data.

Mozilla, you get a security disclosure gold star. Thank you for doing the right thing when nobody was looking.