Email accounts, passwords and name lists were exposed.
Thousands of credentials for access Mega, the file storage service established in New Zealand, have been published in an online file, as reported by ZDNet and have resumed experts in enterprise data protection services experts.
A text file contains more than 15.5K usernames, passwords, and filenames, indicating that each account has been accessed by an attack and the filenames have been scrapped.
Information security and enterprise data protection services experts found the text file in June after a user, allegedly in Vietnam, uploaded it to the VirusTotal malware analysis site just a few months earlier.
After contacting several users it was verified that the data belonged to Mega, the file sharing site owned by Internet entrepreneur Kim Dotcom; the users confirmed that the email address, password and some of the files were used in Mega.
The listings go back to the start of Mega functions in the cloud in 2013, and reach dates as recent as January 2018.
The notice about this leak was sent to the admins of the website Have I Been Pwned to analyze the situation. It was revealed that the performed attack was credential stuffing (usernames and passwords are stolen from other sites) instead of a direct breach on Mega systems. Specialists in enterprise data protection services estimate that 98% of the email addresses found in the file had already been used in a previous data breach. Out of contacted users, at least five reported using their Mega password for other websites as well.
Mega chairman, Stephen Hall, backed the specialists’ version on the nature of the attack, pointing out that it was a credential stuffing. Hall also mentions that the list represents “only 0.0001% of the 115 million users registered in Mega”.
It’s still unknown who compiled the list or how the data was stored, although the site claims to offer end-to-end encryption, the site doesn’t allow for two-factor authentication, which makes it much easier to access accounts when a user suffers information leaks. An attacker would only need to use the credentials to log in to each account to confirm that they work and to remove the filenames.
Hall said the company plans to introduce two-factor authentication in the future, without mentioning exactly when.
Mega stores a record of the IP address for each user who logs on to an account. Three users said they saw suspicious logins accessing their account from countries in Eastern Europe, Russia and South America in recent months since the relevant file was loaded.
Given the nature of the content of some of the accounts whose data were compromised, specialists in enterprise data protection services gave notice of such content to the authorities in the matter.
In response to this situation, Hall said it was unclear whether the allegedly illegal content was uploaded by the original account owner or if someone else uploaded it to Mega using the account as an anonymous drop box. However, the illegal content was uploaded years earlier, according to the loading dates in the file list, which makes the recent participation of third parties unlikely.
In their notice, the site managers mention that “Mega has zero tolerance for any illegal material. Any report of illicit activity results in the immediate link shut down, closing of the account, and report to the authorities”.
“Mega cannot examine the content as it is encrypted on the user’s device before being uploaded. In addition to being technically impossible, it is also unviable for Mega and other major cloud storage vendors, with hundreds of files being loaded per second”.
This is not the first time that Mega faces security issues. In 2016, hackers claimed to have access to Mega’s internal documents. Site administrators commented that no user data was compromised in the attack.