Security information in security related emails
Why in God's name would you not include all the security related details in emails like "New sign-in to Firefox"? You include what browser that they used to log into the account, but you don't include the IP address or anything else related to identifying the user.
I had no idea that my browser was syncing my passwords on your server when I was nagged by your system to "sign in". The passwords themselves should be secured by default with a master password when syncing is even offered. Now it appears some asshat hacker has logged into my Firefox account that I never use and retrieved a shitload of my accounts and passwords that were stored on your server. Don't know how they got into my account in the first place, were your servers compromised?
This really pisses me off, and the worst part is there is nothing I can do about it but hope that they were not able to download the passwords off the account, which leads me to my other concern. I changed my password, and left the account logged into the firefox browser (logged in under the old one), changed the password again, and lo and behold I could still access the account.
In addition, I cannot even see what devices are logged into my account and disconnect them, I have do to that from the device. So in essence I have to find the computer/device that logged into my account and disconnect it from there?? WTF
Všechny odpovědi (2)
Sorry for the late response! The only security breach that was ever known to Mozilla was when a pattern of suspicious logins to Firefox Accounts was detected back in April. A blog post was made about it and affected users were alerted by email: https://blog.mozilla.org/services/2016/04/09/stolen-passwords-used-to-break-into-firefox-accounts/
The story was attackers used passwords they stole from data breaches at other websites to try to login to Firefox Accounts. This would only work if the user reused their Firefox Accounts password on one of these sites where passwords were stolen. MySpace is a recent example of where passwords were stolen from.
Firefox Accounts that were deemed to have suspicious login activity automatically had their passwords reset & were emailed with instructions on how to regain access to their accounts and further protect themselves going forward.
Now you seem to be very security conscious and tech savvy. As I am. Due to what I know and my paranoia about computer/web security (especially passwords), I don't EVER use any services that sync, gather or store passwords. This includes LastPass, 1Password, Dashlane and any other such idiotic site which claims to protect your passwords. All these sites are ticking time bombs to a major hack. Not to mention confusing in regards to the situation you described with a old password working after you changed it twice. I'm not sure if Firefox is supposed to prompt you to enter your password again after it detects a password reset. I'll see if I can find out.
You made some good points about "New sign-in to Firefox" needing to report IPs from devices who sign in to Firefox Accounts & securing synced passwords with a master password. I believe the latter is already possible but only if you have a master password set within Firefox already. I'll see if it really is supported. As for the IPs not being reported in the sign-in emails, I see that devs are working on including this feature. Hopefully that gets finished soon as it would provide a huge peace of mind to those who think they're being hacked when they're really not.
TL;DR
To wrap-up: Since you didn't get a email telling you your Firefox Account was breached, I don't think you were. But if you're paranoid like me and don't like taking chances, you would reset all your important passwords. You could then monitor your less important passwords on the sites where you don't have anything to lose.
Regarding not being able to find out what devices logged into your account, you could delete your account if you're really worried about it and then create a new one.
And lastly, regardless of whatever "high-security" measures any password cloud service offers, don't trust it, don't use it and keep your passwords to yourself. That's the safest bet. You also need to make sure your password is strong so it can't be guessed/brute-forced. I realize you synced your passwords by accident but this is general advice to everyone. These cloud password managers are massive honeypots.
Save yourself a headache and keep your passwords diverse among very important sites like email, banking & shopping ones. Pretty much any site that stores your credit card info or SSN.
Hi Jowiko, Firefox Accounts developer here. Thanks for reaching out, and for your frank feedback. You're right that this information should be included directly in the notification email, and in fact we are already working on adding basic IP and geolocation data to those emails as we speak.
> Don't know how they got into my account in the first place,
We have recently had reports of unauthorized access due to passwords leaked from other websites, that happened to be re-used for the Firefox Accounts password; see for example [1]. Could this be the explanation in your case? It may be worth checking in an online database of breached login credentials (such as the excellent haveibeenpwned.com [2]).
> there is nothing I can do about it but hope that they were > not able to download the passwords off the account
I'm sorry to say, but if you do not recognize the login attempt, we should assume that this was a purposeful attack and any passwords stored in your Firefox Sync data have also been compromised. I recommend changing them (and FWIW, I sympathize with that a gigantic pain that's likely to be).
> left the account logged into the firefox browser, changed the password > again, and lo and behold I could still access the account.
Changing the password does disconnect other devices from the account.
Due to some technical details of the way that the authentication works, the other devices may not immediately *notice* that they've been disconnected, and may even continue syncing among themselves for a short while. But they're definitely kicked out and unable to sync with devices that have the new password.
> In addition, I cannot even see what devices are logged into my account > and disconnect them, I have do to that from the device.
This is another feature that's being actively developed; in fact you can see the experimental "device list" feature by visiting accounts.firefox.com with a special URL parameter:
https://accounts.firefox.com/settings?forceDeviceList=true
Unfortunately it's not quite ready for general release at this stage.
Until that ships, the best way to disconnect other devices is to do as you've done, and change or reset the account password.
[1] https://blog.mozilla.org/services/2016/04/09/stolen-passwords-used-to-break-into-firefox-accounts/ [2] https://haveibeenpwned.com/