Mozilla Firefox users were subjected to cyber-attacks after hackers stole security-sensitive information from the Bugzilla database.
Firefox Security Lead Richard Barnes admitted on the company’s security blog that an attacker accessed information about several vulnerabilities in the browser. The attacker first accessed Bugzilla in either September 2013 or September 2014.
According to Mozilla, most of the bugs whose details the hacker accessed had been fixed before the hack. However, there was a period of time during which 10 bugs were exploitable.
Mozilla shared information about one specific attack, in which visitors to a Russian news website were attacked before the applicable bug was patched. This led to "private data" from the users being collected.
To access the information, the hacker acquired the password of a privileged user of Bugzilla, the tool used to track bugs when they are discovered in order to share information between contributors to the project.
Mozilla detailed three steps it would be taking: adding two-factor authentication for privileged users, reducing the amount of information accessible to each user and increasing auditing on the actions of privileged users.
"Mozilla has conducted an investigation of this unauthorized access, and we have taken several actions to address the immediate threat," Barnes wrote. "We are also making improvements to Bugzilla to ensure the security of our products, our developer community, and our users."