In a post on its blog — titled "Improving security for Bugzilla" — the project said that it had reason to believe that the stolen information was being used to attack Firefox users.
The attacker gained access to the bug tracker by utilising the credentials of an existing account belonging to a privileged user. That account has since been shut down. The attacker may have had access to the bug tracker for as long as two years.
The project said the attacker had gained access to information about 185 non-public bugs of which 110 were protected because they were proprietary information, 22 minor bugs and 53 severe vulnerabilities.
But in the case of the remaining three, there were big time intervals between the attacker gaining information about them and fixes being issued: 131 days in one case, 157 in a second, and 335 in a third.
The largest known impact so far has been through a vulnerability that was fixed on August 6. This vulnerability was exploited to collect private data from users visiting a news site in Russia.
Users have been advised to update to the version of Firefox released on August 27 which fixed all the vulnerabilities which the attacked had learned about and could have used to harm Firefox users.
From now on, all those who had access to security-sensitive information within the bug tracker would be required to use two-factor authentication, the project said.