Mozilla Store shuttered after vendor security breach

No schwag for you

The Mozilla Foundation closed its online stores on Tuesday after a third-party company it uses to run one of the sites' back-end operations suffered a security breach.

The security lapse hit GatewayCDI, a 100-employee outfit with offices in San Francisco, Chicago and Portland, Oregon, which runs the Mozilla Store's back end, the foundation said. It remained unclear whether the data of any customers of the website, which sells coffee cups, T-shirts, and other schwag promoting Mozilla, was actually compromised.

"Once notified, we took the immediate preventative step of shutting down the Mozilla Store to ensure that no additional users could be compromised," Mozilla representatives wrote. "Mozilla immediately reached out to GatewayCDI and encouraged them to quickly inform individuals whose data had been compromised."

GatewayCDI representatives weren't available for comment, but Mozilla went on to say the company is analyzing its systems to determine the cause and extent of the breach. Any Mozilla Store customers who may have been affected will be contacted directly by GatewayCDI.

The maker of the popular, open-source Firefox browser also shuttered its International Mozilla Store, even though that site's back end isn't run by GatewayCDI. Both stores displayed a message saying "closed for maintenance."

Mozilla's advisory didn't detail the extent of the breach, how long it lasted or how many shoppers were affected, and so far, GatewayCDI has posted no information about the compromise. Mozilla said it didn't plan to reopen the store until foundation employees "have a satisfactory assurance of ongoing login security and data privacy." ®
