Thousands of Mega Users’ Data Exposed Online
In June 2018, cybersecurity expert and Digita Security co-founder Patrick Wardle discovered that the login credentials of 15,500 Mega users were publicly accessible online. According to a report by ZDNet, the leaked data included usernames, passwords, email addresses, and even the names of files uploaded by users.
How the Leak Was Discovered
Wardle found a text file containing the user data on VirusTotal, uploaded by someone believed to be in Vietnam. He shared his findings with ZDNet journalists, who verified the authenticity of the leak by contacting several users from the list. They confirmed the legitimacy of the email addresses, passwords, and file names, establishing that the information indeed belonged to users of the well-known file-sharing service Mega, previously owned by Kim Dotcom.
Impact on Users
At least five people contacted by ZDNet admitted to using the same passwords across multiple sites and services. Three others reported noticing suspicious activity in their account logs, originating from IP addresses in Eastern Europe, Russia, and South America. In some cases, attackers not only checked if the credentials worked but also deliberately damaged file names.
Credential Stuffing Identified as the Cause
After confirming the leak’s authenticity, journalists passed the information to Troy Hunt, a well-known cybersecurity expert and founder of the data breach aggregator Have I Been Pwned. Hunt’s analysis revealed that the incident was a result of credential stuffing—a technique where usernames and passwords stolen from one site are used to access accounts on other sites. He found that 98% of the email addresses in the dump had already appeared in previous data breaches, and 87% of the accounts were present in the Have I Been Pwned database.
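From the defender's side, credential stuffing usually shows up in authentication logs as one source address trying many different accounts with mostly failed logins. The following sketch is an added example, not code from ZDNet, Have I Been Pwned, or Mega; the log format, the sample lines, the function names, and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log lines (not from the incident): "time ip username result"
SAMPLE_LOG = """\
2018-06-01T10:00:01 203.0.113.7 alice@example.com FAIL
2018-06-01T10:00:02 203.0.113.7 bob@example.com FAIL
2018-06-01T10:00:03 203.0.113.7 carol@example.com OK
2018-06-01T10:00:04 203.0.113.7 dave@example.com FAIL
2018-06-01T10:00:05 203.0.113.7 erin@example.com FAIL
2018-06-01T10:05:00 198.51.100.20 frank@example.com FAIL
2018-06-01T10:05:09 198.51.100.20 frank@example.com OK
2018-06-01T10:06:00 192.0.2.44 grace@example.com OK
"""

def parse(log_text):
    """Yield (ip, user, ok) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        yield parts[1], parts[2].lower(), parts[3] == "OK"

def detect_stuffing(log_text, min_accounts=4, max_success_ratio=0.5):
    """Flag IPs that try many distinct accounts with mostly failed logins.

    Returns {ip: sorted accounts that logged in successfully from that ip}.
    Thresholds are illustrative assumptions; tune them against real baselines.
    """
    tried = defaultdict(set)      # ip -> distinct accounts attempted
    succeeded = defaultdict(set)  # ip -> accounts with a successful login
    attempts = defaultdict(int)   # ip -> total login attempts
    successes = defaultdict(int)  # ip -> total successful attempts
    for ip, user, ok in parse(log_text):
        tried[ip].add(user)
        attempts[ip] += 1
        if ok:
            succeeded[ip].add(user)
            successes[ip] += 1
    flagged = {}
    for ip, users in tried.items():
        ratio = successes[ip] / attempts[ip]
        if len(users) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = sorted(succeeded[ip])
    return flagged

if __name__ == "__main__":
    for ip, hits in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: possible credential stuffing; reset and review: {hits}")
```

The accounts returned for a flagged address are the ones where a reused password worked, so they are the candidates for forced password resets and session review.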
Mega’s Response
Mega representatives confirmed to ZDNet that the issue was due to credential stuffing and that the service itself had not been compromised. They emphasized that the leak affected only 0.0001% of their user base, which exceeds 115 million registered users.
Ongoing Security Concerns
Experts and journalists were unable to determine the exact origin of the data dump affecting 15,500 users. However, they highlighted that Mega still does not offer two-factor authentication for its users, making it easier for attackers to exploit compromised credentials. The company claims that two-factor authentication will be available “soon.”
Serious Content Discovered
ZDNet journalists also noted that among the files from compromised accounts, there was disturbing content that could be classified as child abuse. The publication reported this finding to law enforcement authorities. It remains unclear whether this content was uploaded by the legitimate account owners or if criminals used the compromised accounts as anonymous storage for illegal files.