Ramblings of an old Doc

 

“Mozilla yesterday said an unknown attacker accessed its Bugzilla bug-and-change tracking database, stole information about 53 critical security vulnerabilities, and used at least one of those flaws to attack Firefox users…Mozilla urged Firefox users to update the browser to Firefox 40, which was released Aug. 27, as that version patched all remaining vulnerabilities the attacker accessed.” – Gregg Keizer

A hacker accessed a secret log of bugs and changes in Bugzilla, including what people reporting problems had submitted, stole information on fifty-odd critical security vulnerabilities, and used at least one of them to attack Firefox users and steal sensitive files and info. The hacker probably did this via a drive-by or watering-hole attack through ads on an (unnamed) Russian news site.

“The exploit code searched for, among other things, configuration files for the FileZilla and S3 Browser file transfer tools -- the latter used to retrieve data from Amazon's cloud-based Simple Storage Service (S3) -- and eight FTP (file transfer protocol) clients, account information files associated with the Jabber and Pidgin instant messaging clients, and configuration files for the open-source Apache Subversion, software used by developers to track code changes.” – Mozilla

This isn’t the first security breach for Mozilla:

“A Firefox user informed us that an advertisement on a news site in Russia was serving a Firefox exploit that searched for sensitive files and uploaded them to a server that appears to be in Ukraine,” Daniel Veditz, a security lead at Mozilla, wrote on a company blog. – Mozilla

Anyway, only Firefox for Windows was targeted, not for Mac.

You probably aren’t affected if you don’t visit Russian news sites, but I’d advise getting the patched version of Firefox (version 40) if you use it.

Source:

http://www.computerworld.com/article/2980745/web-browsers/mozilla-admits-bug-tracker-breach-led-to-attacks-against-firefox-users.html


Comments
on Sep 06, 2015

Haven't used Firefox in years. It was either WhiteHat or Chrome. Right now Chrome.