Cyber Incident Victim: Mozilla
Date: Sep 2013
Location: Ukraine
Summary
An attacker compromised a privileged account in Mozilla's Bugzilla bug tracking system by exploiting password reuse from a separate breach, gaining unauthorized access to security-sensitive vulnerability data. The intruder obtained details of 185 non-public Firefox flaws, including 53 critical vulnerabilities, with ten unpatched at the time; one was weaponized through a malicious advertisement on a Russian news site to steal user files. The organization addressed all exploited vulnerabilities, mandated password resets and two-factor authentication for privileged users, reduced the number of privileged accounts and the scope of their permissions, and engaged third-party forensic investigators while enhancing Bugzilla's security protocols to prevent recurrence.
Description
In September 2015, Mozilla disclosed that an attacker had stolen security-sensitive vulnerability information from its Bugzilla bug tracking system, which was subsequently used to target Firefox users. The breach originated from a compromised account belonging to a privileged Bugzilla user who had reused their password on another website that suffered a data breach. This allowed the attacker to access and download non-public details about flaws in Firefox and other Mozilla products. Forensic analysis revealed the attacker accessed 185 non-public Firefox bugs, including 53 classified as severe vulnerabilities. Ten of these vulnerabilities were unpatched at the time of access, with one confirmed to have been exploited in attacks against Firefox users in early August 2015. Mozilla had previously documented this exploited vulnerability on August 6, 2015, noting it was leveraged via a malicious advertisement on a Russian news site that uploaded sensitive files to a server in Ukraine. While the company confirmed no evidence of other exploits beyond this single case, it acknowledged the attacker could have accessed Bugzilla as early as September 2013, with confirmed unauthorized activity dating to September 2014.

Mozilla responded by patching all vulnerabilities the attacker accessed, including those addressed in Firefox updates released on August 6 and August 27, 2015. The organization immediately disabled the compromised account upon discovering the breach and engaged a third-party security firm for forensic investigation. To prevent recurrence, Mozilla mandated password resets and two-factor authentication for all users with access to security-sensitive Bugzilla data. It also reduced both the number of privileged accounts and the scope of permissions granted to such users. The incident exposed sensitive information about Firefox’s security flaws for nearly two years before detection, though Mozilla confirmed no evidence of additional exploits beyond the August 2015 attack. All patched vulnerabilities were resolved in Firefox versions current at the time of disclosure.
