The unknown attacker accessed its Bugzilla bug-and-change tracking database and stole information about 53 critical security vulnerabilities. Later it used at least one of those flaws to attack Firefox users.
Bugzilla is the open-source tracker that Mozilla's developers use to log issues about the browser. Normally, bugs are open to the public, but some, especially ongoing security fixes, are accessible only to privileged account holders.
Entries on critical bugs are blocked to all but privileged accounts long after a fix has been released to ensure that the bulk of Firefox users have installed the patch.
An attacker "broke into a privileged user's account and downloaded security-sensitive information about flaws in Firefox and other Mozilla products," Mozilla's Richard Barnes said Friday in an FAQ about the breach.
"Information uncovered in our investigation suggests that the user reused their Bugzilla password with another website, and the password was revealed through a data breach at that site. That information was used to attack Firefox users."
A Russian news site was serving a Firefox exploit that searched for sensitive files and uploaded them to a server in Ukraine. The attacker had focused on nicking files related to a number of developer tools.
Not all 53 critical security vulnerabilities the attacker scouted were useful. More than 40 had been patched by the time the hacker gained access to Bugzilla. Three of the remaining 10, however, had been under active work for between 131 and 335 days.
The Bugzilla entry on the single vulnerability definitely used by the thief was open for 36 days, Mozilla said.