MEGA Chrome extension was hijacked to steal personal information


If you use this extension for the Chrome browser, it is recommended that you uninstall it immediately.

Ethical hacking experts report that the official Chrome extension for the MEGA cloud storage service was compromised and replaced by a malicious version that can steal users’ credentials for popular websites like Amazon, Microsoft, Github and Google, as well as private keys for online cryptocurrency wallets.

On the afternoon of September 4, an unknown attacker managed to hack into MEGA’s Google Chrome Web Store account and upload a malicious version of the extension to this platform, according to the first reports of the event.

Malicious extension could steal passwords

After automatic installation or updating, the malicious extension requested elevated permissions to access personal information, allowing it to steal credentials from sites such as Amazon, Github, and Google, as well as from online wallets such as MyEtherWallet and MyMonero, and from Idex.Market, a cryptocurrency trading platform.

The infected extension then sends all stolen information to an attacker’s server located at megaopac[.]host in Ukraine, where the attackers use it to log on to victims’ accounts and extract private keys from wallets to steal users’ digital currencies, as reported by ethical hacking specialists.
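A defender-side check for the permission escalation described above, as an added example that is not part of the original report: it compares two versions of an extension's `manifest.json` and groups the newly requested permissions by risk. The manifests are constructed samples for a hypothetical extension (not MEGA's real files), and the list of sensitive APIs is an assumption of this example.

```python
"""Flag permission escalation between two versions of a Chrome extension manifest."""

# API permissions that expose page content, requests or credentials.
# The selection is an assumption for this example, not an exhaustive list.
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "cookies", "tabs",
                  "history", "debugger", "proxy", "nativeMessaging"}
# Host match patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def requested(manifest):
    """Collect everything a manifest asks for: API permissions, host patterns
    (MV2 'permissions', MV3 'host_permissions') and content-script matches."""
    items = list(manifest.get("permissions", []))
    items += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        items += script.get("matches", [])
    # Some manifest permissions are objects rather than strings; skip those.
    return {p for p in items if isinstance(p, str)}


def escalation(old, new):
    """Return permissions present in `new` but not in `old`, grouped by risk."""
    report = {"broad_hosts": [], "sensitive_apis": [], "other": []}
    for perm in sorted(requested(new) - requested(old)):
        if perm in BROAD_HOSTS:
            report["broad_hosts"].append(perm)
        elif perm in SENSITIVE_APIS:
            report["sensitive_apis"].append(perm)
        else:
            report["other"].append(perm)
    return report


# Constructed sample manifests (hypothetical extension, not MEGA's real files).
OLD = {"version": "1.0.0", "permissions": ["storage", "https://example.com/*"]}
NEW = {"version": "1.0.1",
       "permissions": ["storage", "https://example.com/*", "webRequest", "<all_urls>"],
       "content_scripts": [{"matches": ["https://*/*"], "js": ["content.js"]}]}

if __name__ == "__main__":
    for group, perms in escalation(OLD, NEW).items():
        print(f"{group}: {perms}")
```

Run against the previous and current `manifest.json` of an installed extension, a non-empty `broad_hosts` or `sensitive_apis` list after an update is the signal to review before approving the new permissions.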

MEGA mentioned that Google does not allow publishers to sign their Chrome extensions and it is only Google who automatically signs them after the extension is uploaded, which makes it easier for hackers to send updates as if they were the legitimate developers.

Monero’s official Twitter account also issued a warning about the incident, mentioning that the malicious MEGA extension also includes functionality to steal this cryptocurrency, and advising Monero holders to keep away from the extension.

Although the company has not revealed the number of users affected by this security incident, it is believed that the malicious version of the MEGA Chrome extension may have been installed on tens of millions of devices. The Firefox version of MEGA has not been affected or manipulated, and users who access MEGA through its official website (https://mega.nz) without the Chrome extension also appear to be unaffected.

A few hours after the security breach, the company learned of the incident and updated the extension with an uncompromised MEGA version (3.39.5), to which all the affected installations were automatically updated.

Google also removed the MEGA extension from the Chrome Web Store five hours after the incident.

Still, ethical hacking specialists from the International Institute of Cyber Security mention that users should be aware that their credentials could be compromised on the websites and applications they visited while the infected MEGA Chrome extension was active.