[jeffbryner]

https://bugzilla.mozilla.org/show_bug.cgi?id=932869 was the request for a sanitized DB for folks wanting to develop MDN itself. We could identify most of the handful of IPs that downloaded the file during the time period where it was unsanitized to individuals (i.e. IPs inside Mozilla offices, etc.). However because some IPs were unknown, or public, or potential NAT addresses Mozilla decided it was best to disclose the issue.

[Pacabel]

If some of the accesses were by people or systems within Mozilla, can you please address why a month went by before the problem was noticed?

If there was enough need to justify putting forth the effort required to export a sanitized version of these data for developers to use, then why didn't these users notice that something was wrong much sooner? And if they did notice, why weren't the appropriate parties within Mozilla notified sooner?

Could you please provide more specific details about these IP addresses that couldn't be accounted for, too? Perhaps a list of them, for instance? At least then affected users will be able to make their own call regarding their level of risk due to this incident.

[jeffbryner]

Sorry, I can't provide a list.

[Pacabel]

Why not?

[ygjb]

Because our privacy policies state that we won't disclose personally identifiable information about users, and IP addresses can be personally identifiable.

Unfortunately security incidents happen, but we won't violate the commitments we have made to our users; in this case, if we revealed the IP addresses we would have another, deliberate information leak on our hands.