The 97,000 users involved in testing early builds of bug-tracking software Bugzilla have had their email addresses and encrypted passwords leaked.
The leak came following a server migration, making it the second accidental data disclosure incident this month for the Mozilla-supported project.
Announced on Wednesday by Bugzilla, the leak resulted from files being left in an unprotected location on a server for roughly three months.
“As soon as we became aware, the database dump files were removed from the server immediately, and we’ve modified the testing process to not require database dumps,” Mark Côté, the Bugzilla project’s assistant lead, said on Wednesday in a blog post.
Bugzilla has notified all affected users and advised them to change any passwords that are the same as or similar to those lost.
If you’re a user of Bugzilla.mozilla.org, you’re not affected unless you also had an account on the testing server and used the same password.
Following the information disclosure on the Mozilla Developer Network, Mozilla security ‘ began several remediation measures, including a review of data practices surrounding user data’, according to a separate blog post by Joe Stevensen, operations security manager at Mozilla.
“We have kicked off a larger project to better our practices around data, including with respect to the various non-Mozilla projects we support,” he said. “We are implementing immediate fixes for any discovered issues across the organization, and are requiring each business unit to perform a review of their data practices and, if necessary, to implement additional protections based on that review.”