An attacker compromised a privileged Mozilla account to break into the company's Bugzilla bug tracker tool and steal “security-sensitive information,” the company disclosed in a Friday blog post.
This information was later used against Mozilla Firefox users through the exploitation of a critical vulnerability. This bug was patched in early August and Firefox version 40.0.3, released August 27, “fixed all of the vulnerabilities that the attacker learned about and could have used to harm Firefox users.”
The company also immediately shut down the compromised account after the breach was detected. Since that point, all users with access to security-sensitive information were required to change their passwords and opt into two-factor authentication.
The company said it is “making it harder for an attacker to break in, providing fewer opportunities to break in, and reducing the amount of information an attacker can get by breaking in" following this incident.