August 05, 2009

Dear Valued Mozilla Customer:

It has been brought to our attention that the Mozilla Store www.store.mozilla.org has had a security breach. We take all security breaches very seriously, and are working hard to determine the extent of the violation. In the meantime, the site has been taken down as a protective measure.

At this time we do not believe any credit card information has been compromised. However, some Mozilla Store customers’ user names and passwords have been exposed. It is our strong recommendation that all Mozilla Store customers proactively change their user name and passwords for their Mozilla Store account and all other accounts that use the same information. We will not bring the site back up until we are confident that we have addressed all security issues. A notification will be sent to you when the site goes back up.

GatewayCDI apologizes for any inconvenience this may cause. We value our customers and their online security is a top priority to our organization.

Sincerely,

Conrad Franey
Chief Marketing Officer
GatewayCDI

There are 3 major things I’d like to discuss about this. The first is the obvious, if they had used safe storage techniques; the probability of their password list being compromised would have been practically eliminated. I cannot stress that enough, if a password is in the database as plain text, it will be compromised, I know that means you can’t just send a user their password when they forget, but that’s ok… it’s not a huge hassle to change a password. The second topic is users that “use the same information”. Granted, most of us are guilty of this at some point or another. We all have favorite passwords that we like to use. I personally try to make classifications of passwords for different types of sites, but sometimes I find myself using a “default” password out of habit. Please, people, one of the best ways you can protect yourself on the internet is to use different passwords. If not for everything, don’t use the same password for sites like facebook, myspace, or twitter that you would use for your bank or email account. The third MAJOR topic that I feel needs to be discussed is in regard to that first sentence that’s highlighted in red. “At this time we do not believe any credit card information has been compromised.” This should not even be a fear. Under no circumstances should you store your credit card on any sites database, and under no circumstance should any site store it without your asking. After a transaction is completed, the only thing that should remain is the authorization number, order number, and the last 4 digits of the card. That is all the bank and the company should EVER need to look up a transaction. Verifying identity using a credit card number is a terrible thing, and any company that does so should be avoided. I am hoping that the reason they do not believe any credit card #s were stolen is because they don’t store them… but only time will tell.

Ok, enough ranting and raving from me. I have spoken my mind on this topic, now I will shut up and let you all get back to your days. Just remember, sites do not always practice safe storage procedures, so the best protection from identity theft is still your common sense, so use it!