Ex-Yahoo Employee: Government Spy Program Could Have Given a Hacker Access to All Email

Contrary to a denial by Yahoo and a report by the New York Times, the company’s scanning program, revealed earlier this week by Reuters, provided the government with a custom-built back door into the company’s mail service — and it was so sloppily installed that it posed a privacy hazard for hundreds of millions of users, according to a former Yahoo employee with knowledge of the company’s security practices.

Source: Ex-Yahoo Employee: Government Spy Program Could Have Given a Hacker Access to All Email


Mozilla confirms leak of 76,000 developer email addresses | Technology | theguardian.com

The not-for-profit foundation behind the Firefox browser has admitted a serious data leak, exposing developers’ contacts and encrypted passwords

Mozilla’s developer community has been alerted about an accidental leak of email addresses and encrypted passwords. Photograph: Othree/flickr CC-BY

Members of Mozilla’s developer community have been alerted about an accidental leak of email addresses and encrypted passwords, after the failure of a “data sanitisation” process the organisation was carrying out.

Mozilla, which is most famous for its Firefox web browser, co-ordinates the development of a number of open-source software projects through the Mozilla Developer Network.

“Starting on about 23 June, for a period of 30 days,” the organisation warned developers, “a data sanitisation process … had been failing, resulting in the accidental disclosure of MDN email addresses of about 76,000 users and encrypted passwords of about 4,000 users on a publicly accessible server.”

The passwords were stored as salted hashes, an encryption process which renders it computationally impossible to retrieve the original password in a readable format, and Mozilla says that, by themselves, they “cannot be used to authenticate with the MDN website today”.

But it adds that “it is possible that some MDN users could have reused their original MDN passwords on other non-Mozilla websites or authentication systems”.

Stormy Peters, the company’s director of developer relations, says that “as soon as we learned of [the leak], the database dump file was removed from the server immediately, and the process that generates the dump was disabled to prevent further disclosure.

“While we have not been able to detect malicious activity on that server, we cannot be sure there wasn’t any such access.”