A database containing the registration information of 44,000 users from Mozilla's Add-Ons server was found to have been exposed for download. Mozilla says that it was informed by a security researcher, through Mozilla's Web Bounty Program, that the database was visible in mid-December.
Mozilla accounted for all downloads of the file, and the only external access was by the security researcher. According to Mozilla, the "issue posed minimal risk to users". Yesterday, Mozilla also contacted all affected users by email to explain the situation. According to the email, the file in question was placed on the server by mistake and contained the email address and first/last names of users along with an MD5 hash of the user's password.

Users who were listed in the file have had their passwords deleted and will need to go to the addons site and click "Forgot Password" to generate a new password. The database only contained data for inactive users of the addons.mozilla.org site; active users of the site were unaffected.

The link for this article located at H Security is no longer available.