Re: Important notice about your addons.mozilla.org account

[Larry Seltzer <larry () larryseltzer com>]

Thanks, and next time please post the blog entry before sending out the
e-mail

-----Original Message-----
From: Reed Loden [mailto:reed () reedloden com]
Sent: Tuesday, December 28, 2010 3:07 AM
To: Larry Seltzer
Cc: FunSec
Subject: Re: [funsec] Important notice about your addons.mozilla.org
account

On Mon, 27 Dec 2010 21:46:09 -0500
Larry Seltzer <larry () larryseltzer com> wrote:

> Does this look right to you? The only links in it are e-mail addresses
> on Mozilla.org, but there's nothing about this on the add-ons site or
> their discussion forum.

It's legit.
http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/

> I think it must be legit, but it's clumsy. In fact I can't log in to
> my addons.mozilla.org account with the password I think I used, but
> I've forgotten these things in the past.

Only users who had not changed their passwords since the transition to
SHA-512 hashes were sent the e-mail (those who still had MD5 hashes in the
DB). Since you received the e-mail, you'll need to go through the normal
"forgotten password" process to get a new password, as the MD5 hashes were
all removed.

~reed
Mozilla Security Group

--
Reed Loden
reed () reedloden com
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.