Was https://bugzilla.mozilla.org/ hacked?

Hello, I use a unique mail address for each site, forum … etc … exactly for the purpose of identifying when I receive SPAM where it comes from, or more exactly who was possibly hacked, and so leaked my mail address.

Well, I am sorry to report that this morning, I received the following mail on my Mozilla bugzilla address, which is only known by it, and which to my knowledge is hidden from non members. Although, as I can observe, members can see the email of other members, and this is probably a security / confidentiality problem that should be addressed at some moment.

Can you have somebody from bugzilla.mozilla.org check whether all is safe, and whether this is primarily an ill-intentioned member who scanned addresses he/she could gather and who is misusing the system, or if there is a more severe leakage? (note: my account was created in 2018, so well after the hacking problem recognized by Mozilla on bugzilla in 2015, cf. https://www.eweek.com/security/mozilla-s-bugzilla-hacked-exposing-firefox-zero-days/#:~:text=Mozilla%20admitted%20today%20that%20its%20Bugzilla%20bug%20tracking,have%20happened%20as%20far%20back%20as%20September%202013.)

Here is the received SPAM:

Subject: *** SPAM *** Re: Our telephone conversation refers!
Date: Tue, 5 Oct 2021 07:10:40 +0000
From: kalahari containers - aneeshaueiu7duo1@outlook.com

Good day! Hope you and your family are fine!

As a matter of introduction, I am Gabriel Mhundwa originally from Zimbabwe and please, permit me to add that I happen to be an adopted Son to late Mrs. Susan Tsvangirai, the wife to the late Mr. Morgan Tsvangirai who was the Leader of the Movement for Democratic Change, {the opposition Party to the Ruling ZanuPF of Zimbabwe}. For more about my mother please click on this link:


No doubt, my mail and how and why I decided to contact you might be ringing bell in your mind as you and I have not met in person or even know each other.Please do not despair because I got your email address from a business advertising website on the Internet. But however strange or surprising this contact might seem to you, I humbly ask that you take due consideration of its importance and the immense benefit it will be to both of us.

As I indicated earlier, as an adopted son, the biological children of Mrs Susan for the late Mr Morgan rejected me from the beginning even while Mrs Susan & Mr. Morgan Tsvangirai were alive.It was at this point in time that Mrs Susan 9My adopted mother) decided to embark on what I call ' a comfortable way forward for me' should she passes on. In line with the steps taken by her led her to secretlyleaving a fortune for me in South Africa which is the nearest neighbouring Country to Zimbabwe; a fortune involving an amount of USD4.9M (Four Million Nine Hundred Thousand United States Dollars) only, deposited in a secured financial firm in South Africa with My name as the sole beneficiary.

It was however on the day her WILL testament was red out to the family that I discovered this as well as other members of the family. To be honest all hell were let loose among the family members but unfortunately there was little or much anybody could do about it other than creating more room for series of plots and threats upon threats to eliminate me, and at this point in time I was forced to relocate to South Africa to seek Asylum since this fortune and what I call my only hope/consolation is already there for me.

To this effect, I am basically contacting you for your kind and Mutual Corporation with me in moving this money to your Country where I have decided to relocate to from here for the purposes of my settling down and as well invest this fortune probably under your care or partnership in your Country.

I am also glad to let you know that all relevant documents of the funds/deposit are intact and under the custody of a renowned lawyer. Where you find my proposal interesting, I am willing to compensate you with 30% of this amount while the rest should be mine with which I start a new life in your Country. All you are needed to do is to possibly and urgently responding via my email for more details. Please *strictly* reply to this email address as follows: *gabrielmhkk@outlook.com*

I thank you in anticipation of your positive reply to this effect. Once again, thank you and God bless!

Gabriel Mhundwa

Private Email:gabrielmhkk@outlook.com

Same here. I used a special email just for this website and for my Firefox sync account, and as of today I receive SPAM on exactly this email address.

So that would confirm, thank you … and of course nobody would really say it in public I guess :)

That reminds me of my Adobe account some years ago, where I got the same symptom 1 year before Adobe eventually confessed they were hacked, under image pressure … Since then, I would have thought that organizations have learnt that it’s better to say it quickly to the public than to try to keep it hidden. It always surfaces later, and hits harder then!

Email addresses on bugzilla are accessible to any registered member, there is no need to hack anything.

Correct, this is what I observed and said in the first post.

This is still a security / confidentiality problem that should be addressed at some moment, all the more if there are ways for a member to gather them in an automated way to build lists …


I just realized that the email I’ve used for https://bugzilla.mozilla.org/ is different than the one I now receive SPAM on. The one I receive SPAM on was only used for mozilla-sync.