Mozilla has disabled a malicious password stealing add-on known as Mozilla Sniffer, which was uploaded on 6 June and downloaded by 1,800 users.
The add-on contained code that intercepted login data submitted to any web site, and sent this data to a remote location.
Mozilla discovered the issue on 12 July and added the add-on to its block list, prompting the add-on to be uninstalled.
"All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected," Mozilla said in a blog post.
Mozilla Sniffer was not developed or reviewed by Mozilla. It was in an experimental state, and all users who installed it should have seen a warning indicating it was not reviewed, Mozilla said.
A security flaw was also discovered in version 3.0.1 of the CoolPreviews add-on.
The vulnerability is triggered using a specially crafted hyperlink. If the user hovers the cursor over this link, the attacking script is given control over the host computer.
So far 177,000 users have a vulnerable version installed. This is less than 25 per cent of the install base and it will continue to decrease as more users are prompted to update to a new version, Mozilla noted.