Zero Day

Ryan Naraine and Dancho Danchev

Mozilla shuts online store after security breach

By Ryan Naraine | August 5, 2009, 11:53am PDT


Blogger Info

Ryan Naraine
Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

Dancho Danchev
Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering and cybercrime incident response. He has been an active security blogger since 2007 and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.

The Mozilla Foundation has shuttered its e-commerce store after confirming a security breach at GatewayCDI, the third-party vendor that handles the store’s backend operations.

The open-source group said it has asked GatewayCDI to quickly notify individuals whose sensitive data was compromised. Mozilla did not elaborate on the extent of the compromised customer data.

Mozilla said it found out about the breach on Monday (August 4, 2009) and took the immediate preventative step of shutting down the Mozilla Store to ensure that no additional users could be compromised.

Mozilla immediately reached out to GatewayCDI and encouraged them to quickly inform individuals whose data had been compromised. GatewayCDI is currently investigating their systems and determining the cause and extent of the breach. Mozilla Store customers who are affected will be contacted directly by GatewayCDI.

Mozilla is committed to user privacy and the store will only be reinstated once we have a satisfactory assurance of ongoing login security and data privacy.

The Mozilla Store is currently displaying a “closed for maintenance” notice.

Mozilla said its international store, which is managed by a separate partner company, has also temporarily been shut down as a precautionary measure.

The Mozilla Community Store, which is separate, was not impacted.


Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a security evangelist. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.



Talkback (most recent of 33 talkbacks)

  • Mozilla shuts online store after security breach
    They must have been running linux.
    Loverock Davidson
    08/05/2009 12:45 PM
  • A small clue...
    http://www.gatewaycdi.com/site/careers.asp#joblink_2

    Looks like the only database experience you need to work for them is MS SQL. Unless they have a special Linux version of SQL that nobody else is allowed to buy, you're wrong again..

    Why am I not surprised?
    daftkey
    08/05/2009 01:04 PM
  • Well.....
    There is more to it than just a database. You can have other app processes running on anything. Not saying it wasn't SQL that got compromised, but there are also other things that could be the source of the compromise.
    OhTheHumanity
    08/05/2009 01:34 PM
  • That's why it's only a "clue"..
    and with any clue, a little deduction is required..

    Granted, I agree an RDBMS isn't the end-all and be-all of a webstore, but it's a pretty major-league part. I would have my doubts that a company that wouldn't trust their front-end to Windows would trust their back-end to it.

    I would expect a Linux-based web store to require a Database Administrator to have some working knowledge of MySQL, PostgreSQL, Oracle, Apache, or Linux itself.

    Oh yeah, and the .asp on the end of that last link is also a small clue that Windows is running the website as well.
    daftkey
    08/05/2009 01:58 PM
  • Ok, so...
    Why is Mozilla even doing business with a third party that is using closed source software? Sort of funny and ironic!
    rkuhn040172@...
    08/05/2009 04:25 PM
  • Only ironic if Mozilla are rabid open source zealots..
    ..which they very well could be, but they might turn a blind eye if the price is right and the store agrees not to impede on their core business..

    Mozilla may be a little more practical-minded than that, though.. You have to remember that they were originally born out of a wholly commercial, closed-source development, and only went open source when Microsoft stole their lunch and kicked them off the "cool kids" table.
    daftkey
    08/06/2009 08:06 AM
  • Obviously you've missed the thousands of posts by...
    ...Dietrich Schmidt. Though it is understandable as the mods keep deleting them.
    ye
    08/06/2009 08:19 AM
  • HA HA OWNED!!!
    As usual you draw the conclusion without looking at the big picture.

    Got served a steaming pile that time.

    Hope your boyfriend mgp comes to bail you out.
    itanalyst2@...
    08/05/2009 08:03 PM
  • A single job posting is pretty weak.
    Hardly indicative of what the Mozilla site is being hosted on.
    ye
    (Edited: 08/06/2009 05:46 AM)
  • Are you serious?
    Using a job posting to determine what a site is hosted on? How lame. How about Netcraft:

    Linux Apache/1.3.39 Unix PHP/5.2.5 mod_ssl/2.8.30 OpenSSL/0.9.8g

    http://toolbar.netcraft.com/site_report?url=http://store.mozilla.org
    ye
    08/06/2009 05:48 AM
  • Touche!
    ..can't argue with that one.. Don't like what it means, though..
    daftkey
    08/06/2009 07:15 AM
  • It means Linux and its related technology is no better...
    ...than Windows. That it suffers the same types of problems as Windows.
    ye
    08/06/2009 07:22 AM
  • We all knew that.. except for a few zealots..
    ..and I can live with that "revelation".. it only means that we have to be diligent no matter who we are and what we're running.. no big surprise there.

    No.. the part that I don't like is that Humpstone's guess, regardless of being a baseless shot-in-the-dark troll grumble, is nonetheless correct.
    daftkey
    08/06/2009 08:01 AM
  • Hardly baseless.
    It seems reasonable to assume the OSS community would use OSS technology for the distribution of their software. What was baseless is the assumption that a job posting for MS-SQL implies use of Microsoft technology for the site.
    ye
    08/06/2009 08:17 AM
  • @ye - are you sure about that..
    "It seems reasonable to assume the OSS community would use OSS technology for the distribution of their software. "

    I would agree with that, had Mozilla been hosting their own webstore, but they weren't. They weren't really "using" anything. They were hiring someone else to "use" the software to run the web store. Most reasonable people couldn't give a rat's ass what tool a third-party business is using so long as they can guarantee a certain level of service and protection. I don't see why an OSS developer should be any different, unless they were more interested in politics than business.

    "What was baseless is the assumption that a job posting for MS-SQL implies use of Microsoft technology for the site."

    It was a job posting for a DBA and it listed *ONLY* MS SQL server as a requirement. It doesn't take much to put two-and-two together here. In this case I was wrong and I admit it, but it doesn't mean that it was baseless - it certainly gives more of a view of what is important to this particular company than an assumption of the motives of one of its customers would.
    daftkey
    08/06/2009 09:49 AM
