Stolen Firefox Bug Exploited
Mozilla has reported that at least a year ago, a hacker was able to breach their repository of unpatched bugs. That information has been used to attack the Firefox web browser, which is estimated to be used by about 22% of web surfers.
The vulnerability was stolen through Mozilla's instance of Bugzilla, which is software that is used to track bugs and changes in code and lets developers work together in researching, fixing and reviewing these changes and updates. The hacker in this case was able to use their Bugzilla password on a different site to find Mozilla's password through a data breach on the other site. That may sound a little confusing, but basically if Mozilla had used a little extra security, like two-factor authentication, the whole mess could probably have been avoided.
The vulnerability that was exploited is tied into Firefox's PDF viewer. An ad on a Russian news website delivers the exploit that then looks for certain files and sends them to a server in Ukraine.
Mozilla has since removed the compromised user account and reset all their Bugzilla user passwords. They've reduced the number of users, and the ones remaining are able to implement two-factor authentication, which they will make mandatory soon.