Slashdot Mirror


Thousands of Mega Logins Dumped Online, Exposing User Files (zdnet.com)

Thousands of credentials for accounts associated with New Zealand-based file storage service Mega have been published online, ZDNet reports. From the report: The text file contains over 15,500 usernames, passwords, and file names, indicating that each account had been improperly accessed and file names scraped. Patrick Wardle, chief research officer and co-founder at Digita Security, found the text file in June after it had been uploaded to malware analysis site VirusTotal some months earlier by a user purportedly in Vietnam. Wardle passed the data to ZDNet. We verified that the data belonged to Mega, the file-sharing site formerly owned by internet entrepreneur Kim Dotcom, by contacting several users, who confirmed that the email address, password, and some of the files we showed them were used on Mega.

30 comments

  1. Dude google by Anonymous Coward · · Score: 0

    You know how you guys are all oh no google botnet
    don't use chrome
    Who do you think owns virus total

    1. Re: Dude google by Anonymous Coward · · Score: 0

      oh no virustotal

  2. And 15,400 of those will be full of porn by Anonymous Coward · · Score: 0

    and about 15,000 of those full of illegal stuff.

    1. Re:And 15,400 of those will be full of porn by Anonymous Coward · · Score: 0

      pics or it didn't happen

    2. Re:And 15,400 of those will be full of porn by DontBeAMoran · · Score: 1
      --
      #DeleteFacebook
  3. Joke's on them. I only use throwaways. by Anonymous Coward · · Score: 0

    BugMeNot and Mailinator might be popping up a lot in that list.
    Yeah, here's the password: 12345mega. You found the freely shared files. Oh noes!

    1. Re:Joke's on them. I only use throwaways. by DontBeAMoran · · Score: 1

      I wonder how many accounts, in all systems on the planet, have "luggage12345" as their password.

      --
      #DeleteFacebook
  4. USGov attacking their "enemy" by Anonymous Coward · · Score: 0

    nuff said

  5. Is this about the confiscated servers? by Vlad_the_Inhaler · · Score: 1

    The way I remember Mega's demise is that their servers were confiscated semi-legally by the NZ authorities acting on behalf of the US authorities. Has a Mega backup found its way to the big wide world or have the authorities outed themselves as corrupt?
    My guess is the second option.
    Where did those servers (ok, their discs) end up?

    --
    Mielipiteet omiani - Opinions personal, facts suspect.
    1. Re:Is this about the confiscated servers? by squiggleslash · · Score: 2

      No, you're thinking of MegaUpload. Mega is the company Kim Dotcom founded after MegaUpload was shut down. Kim Dotcom and Mega have since parted ways (I think he even wrote some less than complimentary comments about the service recently but I'd have to look it up), so it's independent and unlikely to be shut down as a result of Dotcom's involvement.

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:Is this about the confiscated servers? by Anonymous Coward · · Score: 0

      That was Megaupload. After it was destroyed by the raids, he started from scratch with a similar service called just Mega. Its current owner is dubious; KD claimed that it was taken over by a shady Chinese investor.

    3. Re:Is this about the confiscated servers? by butzwonker · · Score: 1

      His wife is involved in the company and for obvious reasons Dotcom has done the best he can to make sure he cannot be associated legally in any way with her company. Mega is about the only company that - again, for obvious reasons - takes end-user encryption seriously, which might make it a natural target for all kinds of entities that do not like the idea of having companies that do not store encryption keys or implement fuse key escrow. There is a vested interest in shattering Mega's reputation, which is not easy, since their implementation and service are outstanding. Those "thousands of Mega logins" represent a ridiculously small fraction of all Mega users and have probably been obtained by compromising their end-user machines (e.g. by some generic malware).

      Mega's free service gives you 50GB storage with automated syncing and a very functional web interface. I use it for non-important backups and syncing.

  6. Where's the text file? by jez9999 · · Score: 1

    I have a Mega login. Wouldn't mind knowing whether it's been exposed.

    1. Re:Where's the text file? by Anonymous Coward · · Score: 0

      Here's a hint: it has. Not that that's why you wanted the text file...

    2. Re:Where's the text file? by godel_56 · · Score: 1

      I have a Mega login. Wouldn't mind knowing whether it's been exposed.

      Did you read TFA? If you didn't reuse your user name and password from another service then it hasn't. Mega itself hasn't been breached, it's just the old password reuse problem.

  7. Aren't Mega Files Encrypted? by mdm-adph · · Score: 1

    I'll admit it's been a few years since I even used the Mega account I signed up for, but IIRC, during the setup process there was a part where I had to download my key that would be used for encryption, with the UI notifying me in bold font that "WITHOUT THIS KEY YOU CANNOT DECRYPT YOUR FILES -- WE DO NOT HAVE ACCESS TO YOUR KEY AND CANNOT ACCESS YOUR FILES".

    If this is so, what is the danger to an attacker getting access to Mega's servers?

    Did 1) something change with the way Mega was run, or 2) The attackers were somehow grabbing these keys, or 3) I didn't understand how the encryption was working?

    --
    It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    1. Re:Aren't Mega Files Encrypted? by Anonymous Coward · · Score: 0

      IIRC, that key still exists in the Mega servers, but encrypted in some way with your login password (which they strongly recommend to be a passphrase).
      That means that if you lose the password, Mega cannot issue a new one if you cannot reupload your copy of the original key file. If you also lost this file, you will have lost access to your account

    2. Re:Aren't Mega Files Encrypted? by thegarbz · · Score: 1

      Did 1) something change with the way Mega was run, or 2) The attackers were somehow grabbing these keys, or 3) I didn't understand how the encryption was working?

      Are you able to access your files when you log in? Mega's encryption works by using the user credentials to generate the key. TFA talks about this potentially being the result of credential stuffing (automating usernames and passwords from other leaks to attempt login on a different service), and given the small number of credentials leaked it would make sense.

      Don't reuse passwords on multiple websites.

    3. Re:Aren't Mega Files Encrypted? by Anonymous Coward · · Score: 0

      3)

  8. Not a hack. Not a Mega hack, anyway by Vreejack · · Score: 1

    It appears to be a case of credential stuffing. Credentials stolen from other sites were run against Mega looking for hits. Since many people have multiple accounts at Mega full of stuff they don't care to protect it is not surprising they found so many hits. I switched to unique passwords on everything after someone got into my paid Spotify account--what an incredible nuisance that was--but until you get burned it's easy to be complacent, especially about a throwaway download account.

    --
    "Will future ages believe that such stupid bigotry ever existed!" -- Ivanhoe
  9. boohoo by viperidaenz · · Score: 0

    Someone else will be able to access the copyrighted files you illegally distributed.

    1. Re:boohoo by Anonymous Coward · · Score: 0

      ...

      Not everyone uses mega to distribute illegal files, idiot.

    2. Re: boohoo by Anonymous Coward · · Score: 0

      There's no other reason to use it. If you have legit files there are plenty of free, legit services you can use instead.

    3. Re: boohoo by Anonymous Coward · · Score: 0

      Could you link me to a bunch of these 'free, legit services'? Thanks.

      I use megaupload because I don't (usually) have to fight it to get my files.

    4. Re: boohoo by Anonymous Coward · · Score: 0

      Mega is one of those free and legit services, and it's better than all others I've tried. Certainly better than Dropbox, at least, which I used previously for syncing.

    5. Re:boohoo by Anonymous Coward · · Score: 0

      I feel sorry for users who actually used mega to store legal files. For both of them.

  10. Virustotal by Anonymous Coward · · Score: 0

    "found the text file in June after it had been uploaded to malware analysis site VirusTotal some months earlier by a user purportedly in Vietnam"

    VirusTotal was the source of the leak? I didn't know you can view other people's actual file contents on VirusTotal.
    If not, why was this part of the article necessary?

    1. Re:Virustotal by nazsco · · Score: 1

      a google company, respecting privacy? HAHAHAH

      educate yourself https://en.wikipedia.org/wiki/...

  11. Awesome!! by karolgajewski · · Score: 1

    Finally! I forgot my password, and this is much easier than trying to recover it.

    --
    - .k. -