Mozilla has sent emails to few AMO account holders about a critical issue. According to this email, on 17th December, Mozilla was informed by a third party about a possible disclosure of users’ email addresses, first and last names, and an md5 hash representation of their password.
Mozilla says in this email, "we were informed by a 3rd party who discovered a file with individual user records on a public portion of one of our servers. We immediately took the file off the server and investigated all downloads. We have identified all the downloads and with the exception of the 3rd party, who reported this issue, the file has been download by only Mozilla staff. This file was placed on this server by mistake and was a partial representation of the users database. [...]
We are also asking you to change your password on other sites in which you use the same password. We have identified the process which allowed this file to be posted publicly and have taken steps to prevent this in the future.".
Thankfully, this situation is not as panic as the recent password leaks on Gawker media sites and others.
Update: See comment by Prateek.
Read More Articles:
here is the link to that email
https://support.mozilla.com/en-US/questions/772973
More from Mozilla Security blog
“The database included 44,000 inactive accounts using older, md5-based password hashes. We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per user salts has been the standard storage method of password hashes for all active users since April 9th, 2009.
It is important to note that current addons.mozilla.org users and accounts are not at risk.”
Link: http://blog.mozilla.com/security/2010/12/27/addons-mozilla-org-disclosure/
@Prateek: thanks for the update.